Security Policy

Data security is of utmost importance for us. We combine multiple security features to ensure customer, employee and business data is always protected so our customers can rest easy knowing their data is safe, their communication is secure, and their businesses are protected.

Infrastructure Security

Infrastructure security involves protecting the underlying hardware, software, and network components that support an organization’s information technology (IT) operations. This encompasses everything from data centers and servers to network connections and endpoint devices. Effective infrastructure security aims to prevent unauthorized access, misuse, and disruptions, ensuring the integrity, confidentiality, and availability of IT systems.

Key Components of Infrastructure Security

  • Encryption Key Access Restricted
    Policy: Access to encryption keys is limited to authorized users with a business need.
    Implementation: This ensures that only individuals with proper clearance can decrypt sensitive information, minimizing the risk of data breaches.
  • Unique Account Authentication Enforced
    Policy: Systems and applications require unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.
    Implementation: This reduces the risk of unauthorized access by ensuring that each user has a distinct identity for authentication.
  • Production Application Access Restricted
    Policy: Access to production applications is limited to authorized personnel only.
    Implementation: This measure prevents unauthorized users from tampering with critical applications that run the business.
  • Access Control Procedures Established
    Policy: Documented requirements for adding, modifying, and removing user access.
    Implementation: Clear procedures ensure that access rights are managed systematically and securely.
  • Production Database Access Restricted
    Policy: Privileged access to databases is limited to authorized users with a business need.
    Implementation: This protects sensitive data stored in databases from unauthorized access or alterations.
  • Firewall Access Restricted
    Policy: Privileged access to the firewall is limited to authorized users with a business need.
    Implementation: Firewalls are critical for network security, and restricted access ensures their configuration cannot be compromised.
  • Production OS Access Restricted
    Policy: Privileged access to the operating system is limited to authorized users with a business need.
    Implementation: This secures the OS layer from unauthorized changes that could affect system stability and security.
  • Production Network Access Restricted
    Policy: Privileged access to the production network is limited to authorized users with a business need.
    Implementation: Ensures that only authorized personnel can access the network, reducing the risk of internal threats.
  • Access Revoked Upon Termination
    Policy: Access is revoked for terminated employees within Service Level Agreements (SLAs).
    Implementation: This prevents former employees from accessing company systems post-termination.
  • Unique Network System Authentication Enforced
    Policy: Requires unique usernames and passwords or authorized SSH keys for network access.
    Implementation: Enhances security by ensuring that network access is traceable to individual users.
  • Remote Access Encrypted Enforced
    Policy: Remote access to production systems is only allowed via approved encrypted connections.
    Implementation: Protects data transmitted over remote connections from being intercepted.
  • Intrusion Detection System Utilized
    Policy: Continuous monitoring of the network for early detection of security breaches.
    Implementation: An IDS provides real-time alerts, enabling rapid response to potential threats.
  • Infrastructure Performance Monitored
    Policy: Utilization of monitoring tools to track system performance and generate alerts when thresholds are met.
    Implementation: Ensures the infrastructure remains robust and any issues are promptly addressed.
  • Network Segmentation Implemented
    Policy: Segmentation of the network to prevent unauthorized access to customer data.
    Implementation: Limits the spread of breaches by isolating different parts of the network.
  • Network Firewalls Reviewed
    Policy: Annual review of firewall rulesets with tracked changes.
    Implementation: Keeps firewall configurations up-to-date and aligned with current security standards.
  • Network Firewalls Utilized
    Policy: Firewalls configured to prevent unauthorized access.
    Implementation: Acts as a first line of defense against external threats.
  • Network and System Hardening Standards Maintained
    Policy: Documented standards based on industry best practices, reviewed annually.
    Implementation: Ensures that systems are configured securely to resist attacks.

Data center security

We ensure the confidentiality and integrity of your data with industry best practices. FlowHunt servers are hosted at Tier IV or III+, PCI DSS, SSAE-16, or ISO 27001 compliant facilities. Our Security Team constantly pushes security updates and actively responds to security alerts and events.

Physical security

FacilitiesServer environment
FlowHunt servers are hosted at Tier III+ or IV or PCI DSS, SSAE-16, or ISO 27001 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators. 
On-site SecuritySecurity zones
Our data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms.
MonitoringServer & Device monitoring
All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by FlowHunt administrators. Physical security, power, and internet connectivity beyond co-location cage doors or Amazon/Linode services are monitored by the facilities providers.
LocationDatacenter in Europe
Public FlowHunt service hosts data primary in European Union (Frankfurt Data Centers).
Private clouds can be built based on your preference or geographical location in the United States, Europe, and Asia. Customers can choose to locate their Service Data in the US-only or Europe-only.

Network security

Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, and network Intrusion Detection and/or Prevention technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks.

ArchitectureSecurity zones in our architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like application servers and database servers, are protected in our most trusted zones. Other systems like loadbalancers are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. 
3rd-party Penetration TestsThird-Party Security Research
In addition to our extensive internal scanning and testing program, FlowHunt also works with third-party security experts and researchers to perform security checks and broad penetration tests.
Network Vulnerability Scanning
Vulnerability scanning
Network security scanning gives us deep insights for quick identification of out-of-compliance or potentially vulnerable systems.
DDoS MitigationDDoS Mitigation
Industry-leading infrastructure is in place to protect against and mitigate the impact of denial of service attacks.
EncryptionCommunication Encryption
Communications between you and FlowHunt servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks.

Organizational Security

Ensuring the security and confidentiality of sensitive information is paramount for FlowHunt organization. QualityUnit (developers of FlowHunt service) follows procedures for asset disposal and the destruction of electronic media, adhering to best practices to prevent unauthorized access to confidential data.

Procedures for Asset Disposal

Secure Disposal of Electronic Devices

  • Inventory Assessment: Identify and catalog all devices scheduled for disposal.
  • Data Backup: Securely back up necessary data before proceeding with disposal.
  • Data Purging: Use certified tools to wipe all data from devices following industry standards.
  • Physical Destruction: For devices that cannot be purged, physical destruction methods such as shredding or degaussing are employed.
  • Environmental Compliance: All disposal methods comply with environmental regulations.

Certification and Compliance

Asset Disposal and Destruction Certification

  • Documentation: Maintain detailed records of all disposed assets, including serial numbers, disposal methods, and dates.
  • Third-Party Verification: Engage certified third-party vendors to verify and document the disposal process.

Employee and Contractor Compliance

  • Background Checks: New employees undergo thorough background checks before joining the company.
  • Code of Conduct: Both employees and contractors must acknowledge and adhere to the company’s code of conduct, with disciplinary policies in place for violations.
  • Confidentiality Agreements: Confidentiality agreements are mandated for all employees during onboarding and contractors at the time of engagement.

Visitor and Security Protocols

  • Visitor Procedures: Visitors must sign in, wear a visitor badge, and be escorted by an authorized employee when accessing secure areas.
  • Security Awareness Training: Employees complete security awareness training within thirty days of hire and annually thereafter to stay informed about best practices and emerging threats.

Product security

data encryption is a critical component for safeguarding sensitive information stored in company datastores. Encryption transforms readable data (plaintext) into an unreadable format (ciphertext), ensuring that only authorized personnel can access it.

Data Encryption

All FlowHunt databases and database backups with sensitive customer data are encrypted. Encryption of billing and payments data are handled by our payment processors (Stripe).

Column-Level Encryption

Column-level encryption encrypts specific columns within a database, providing a more targeted approach to data protection. This method is useful for securing sensitive fields like API keys.

Encryption Protocols for Company Databases

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

SSL and TLS protocols are used to encrypt data transmissions over networks, ensuring that data transferred between servers and clients remains confidential and secure.

Advanced Encryption Standard (AES)

AES (symmetric encryption algorithms) is used for data stored in company databases (e.g. Column based encryption). It is efficient and widely adopted due to its strong encryption capabilities. Encryption/decryption keys are never stored together with encrypted data.

Control Self-Assessments

The company conducts annual control self-assessments to ensure that encryption controls are effectively implemented and operational. Corrective actions are taken promptly based on assessment findings.

Penetration Testing

Regular penetration testing is performed to identify vulnerabilities in the encryption systems. A remediation plan is developed to address these vulnerabilities in accordance with service level agreements (SLAs).

Bug bounty program is in place to motivate external penetration testers report security bugs.

Vulnerability and System Monitoring

Comprehensive policies are in place for vulnerability management and system monitoring. These procedures ensure that any potential threats to the encryption systems are identified and mitigated promptly.

Disaster recovery, backup & redundancy

We operate a multi-level backup and disaster recovery strategy. Backups and near real-time snapshots are taken at various intervals and multiple copies are securely stored on different servers / data centers. Our disaster recovery program ensures that our services remain available or are easily recoverable in the case of a disaster.

Our redundant and autoscaling architecture eliminates a single point of failure. Combined with comprehensive backups, we ensure customer data is replicated and available across production systems.

Data Privacy

FlowHunt is fully compliant with the GDPR directive that became enforceable on May 25th, 2018. A team of security experts and developers was working on strengthening our security policies and raising awareness about data protection and what is required of our employees to comply with rules that GDPR puts in place. We also made sure that our customers were informed about the recent development in a timely manner.

OAuth

OAuth providers

Users are able authenticate to FlowHunt using external OAuth providers. Currently are supported Google OAuth and Github OAuth methods.

What information do we collect? 
We collect Email address of user as it is used as username in the system.

How do we use the information?
Email address is used to validate ownership of the account. No marketing emails are sent unless user opt in to mail campaign.

How do we share the information?
We don’t share the information with any 3rd parties.

Use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Our website uses cookies. By continuing we assume your permission to deploy cookies as detailed in our privacy and cookies policy.