Security Policy

Effective Date: May 25, 2018

1. Scope of this document

1.1 This document applies to the website www.herogami.com (A) (the “Site”) and the Herogami On-Demand Service on the Site (B) (the “Service”) (A and B collectively defined as “Herogami”) and describes how Herogami implements a dedicated security policy while operating the Service.

1.2 This Security Policy applies to the Herogami website and On-Demand Services. It also applies to other interactions (e.g. customer support inquiries, webinars, user conferences, feedback sharing, etc.) you may have with Herogami. The scope of the security measures differs between the services and interactions mentioned, but this document covers the most comprehensive examples.

1.3 Herogami takes the security of data very seriously and works hard to protect the Information you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Information we collect, process and store, and the current state of technology, and aim at providing “appropriate security and confidentiality”, with particular regard to compliance with European Union Regulation 2016/679 ("GDPR") recitals R74-78, R81, R83, R90 and articles A5, A24-25, A28, A32, A35.

1.4 This Security Policy is meant to help you understand what measures and practices we implement and provide to protect your data and the Service from security attacks. Your right to be informed about how we implement and manage the security of the Service is important to us. If you have any questions, please feel free to contact us at: support@herogami.com

2. List of Security Measures, Tools and Practices

2.1 The list of major security measures adopted when providing the Services follows:

a. Network transport encryption of data in transit, inbound and outbound, through the HTTPS protocol, based on SSL/TLS certificates issued by a reliable Certification Authority. As of the date this policy went into effect, the Certification Authority issuing the SSL/TLS certificates for Herogami is:

Let's Encrypt - a free, automated, and open certificate authority managed by the nonprofit Internet Security Research Group (ISRG).
Internet Security Research Group (ISRG)
548 Market St, PMB 57274, San Francisco
CA 94104-5401, USA
https://letsencrypt.org

b. Database-level encryption of critical Personal Data, such as passwords, through a technology known as Transparent Data Encryption, which includes secret key management.

c. Database IP whitelisting, limiting access to the production and staging databases to the servers that host the Service.

d. Firewalls shielding the production and staging servers of Herogami from unknown third parties. The firewall configuration is updated on a weekly schedule to block potentially offending IP addresses (“blacklisting”) identified by carefully inspecting server log files for intrusion attempts.

e. Daily backups of the production databases, servers and log files. Daily backups are retained for 1 month and are stored encrypted on off-site storage services. Sensitive data such as passwords are never logged.

f. Redundant protection against data loss through state-of-the-art RAID data storage, systematically tested for integrity.

g. Periodic (weekly) auditing of the databases, log files and network traffic.

h. The server infrastructure hosting the Service is kept up to date by applying security and performance upgrades and patches through regularly scheduled updates by Herogami and our hosting provider.

i. DDoS (Distributed Denial of Service) monitoring via automated tools, both acquired from third parties and developed by Herogami, that analyze server traffic and monitor access and server log files to identify traffic spikes from unexpected sources.

j. A complete reset of any previous session cookie at every login and logout, together with short session expiry time-frames (unless explicitly requested by You by checking the “remember me” feature at login), is used to prevent session fixation via static cookies. You can learn more about session fixation at https://en.wikipedia.org/wiki/Session_fixation.

k. Anti-CSRF (cross-site request forgery) practices are used throughout the Service to prevent a malicious user from spoofing legitimate requests to the Service while masquerading as an authenticated user.

l. Automated notifications of potential intrusion and data breach, in the form of failed login attempts submitting credentials such as an e-mail address and password. In the event such attempts are repeated over a short period of time from the same IP address, our technical staff is promptly notified and an inspection is carried out, which may result in blacklisting the offending IP address on our firewalls. In the event the e-mail address matches that of a registered active end-user, the Service notifies the end-user by e-mail, reporting the number and date of any failed login attempts using their credentials, with instructions to update their access credentials.

m. System-wide secure password management practices that fully protect the privacy of your password. Your password is encrypted at database level and is never disclosed to any end-user who may control the Customer Account your account relates to, nor even to our staff. Your password is never reported in any HTML page, WebAPI request or e-mail that may result from activities carried out by You or other users on the Service, including our staff. A secure password-change feature of the Service prevents any user, including You, from seeing your current password even during password changes.

n. With regard to highly sensitive Personal Data such as credit card numbers or other payment methods, the Service does not directly handle such information and has no access to it during the execution of an on-line payment transaction or the subsequent automated recurring payments executed during the course of a paid subscription. On-line payments and any subsequent recurring transaction on the payment method entered by the Customer are handled through a secure widget (a fragment of HTML code and JavaScript embedded in an HTML page) provided by our payments sub-processor. Please refer to our "Terms of Service" for the list of sub-processors.
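The session-reset measure in section 2.1 (discarding whatever session id the browser presents at login and logout, with short expiry unless “remember me” is checked) can be shown in code. The following is an added example and not Herogami's own code: the in-memory store, the 30-minute and 30-day lifetimes, and the function names are assumptions for illustration.

```python
"""Session handling that defeats session fixation (added example, not Herogami's code).

Assumptions (constructed for this example): an in-memory dict as the session store,
a 30-minute lifetime for normal sessions and 30 days when "remember me" is checked.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

SHORT_TTL = 30 * 60            # 30 minutes; assumed expiry for normal sessions
REMEMBER_TTL = 30 * 24 * 3600  # 30 days; assumed expiry with "remember me"


class SessionStore:
    """Minimal server-side session store; a deployment would use a DB or cache."""

    def __init__(self) -> None:
        # session id -> (authenticated user or None, expiry timestamp)
        self._sessions: Dict[str, Tuple[Optional[str], float]] = {}

    def _issue(self, user: Optional[str], ttl: float, now: float) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable id, never reused
        self._sessions[sid] = (user, now + ttl)
        return sid

    def new_anonymous(self, now: Optional[float] = None) -> str:
        """Pre-login session, e.g. the one that carries the login form."""
        return self._issue(None, SHORT_TTL, time.time() if now is None else now)

    def login(self, presented_sid: Optional[str], user: str, remember: bool,
              now: Optional[float] = None) -> str:
        """On successful authentication, drop the id the browser presented and
        mint a fresh one. An id planted before login (session fixation) can
        therefore never become an authenticated session."""
        now = time.time() if now is None else now
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        return self._issue(user, REMEMBER_TTL if remember else SHORT_TTL, now)

    def logout(self, sid: str) -> None:
        """Invalidate server-side, so a replayed cookie value is useless."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user for sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(sid, None)   # lazy expiry on access
            return None
        return user


def fixation_attempt_fails() -> bool:
    """Walk through the scenario the measure guards against: a session id that
    existed before login must not carry the user's authentication afterwards."""
    store = SessionStore()
    t0 = 1_000_000.0
    planted = store.new_anonymous(now=t0)   # id that was set before authentication
    fresh = store.login(planted, "alice", remember=False, now=t0)
    return (store.user_for(planted, now=t0) is None
            and store.user_for(fresh, now=t0) == "alice"
            and fresh != planted)


def short_session_expires() -> bool:
    """A normal session is gone after SHORT_TTL; a 'remember me' one survives."""
    store = SessionStore()
    t0 = 1_000_000.0
    sid = store.login(None, "bob", remember=False, now=t0)
    sid_rem = store.login(None, "carol", remember=True, now=t0)
    later = t0 + SHORT_TTL + 1
    return (store.user_for(sid, now=later) is None
            and store.user_for(sid_rem, now=later) == "carol")


def logout_invalidates() -> bool:
    """After logout the same cookie value no longer maps to a user."""
    store = SessionStore()
    sid = store.login(None, "dave", remember=True, now=1_000_000.0)
    store.logout(sid)
    return store.user_for(sid, now=1_000_000.0) is None


if __name__ == "__main__":
    print("fixation blocked:", fixation_attempt_fails())
    print("short session expired:", short_session_expires())
    print("logout invalidates:", logout_invalidates())
```

The point to check in any framework is that the id is rotated server-side on the authentication boundary, not merely that the cookie is overwritten in the browser: the old id must stop resolving to anyone.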
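The failed-login notification measure in section 2.1 describes two outputs: a staff alert when one IP address repeats failures within a short period, and a notice to a registered active end-user carrying the number and dates of failed attempts against their address. The script below is an added example, not Herogami's code, that produces both from a few constructed log lines; the log line format, the threshold of five failures within five minutes, the sample addresses and the function names are all assumptions. Consistent with the policy, the constructed log records only the e-mail address and source IP, never the submitted password.

```python
"""Failed-login analysis over server log lines (added example, not Herogami's code).

Assumed log format (constructed): "<ISO-8601 UTC> login_failed ip=<addr> email=<addr>".
Thresholds are illustrative, not Herogami's configured values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

IP_THRESHOLD = 5                   # failures from one IP ...
IP_WINDOW = timedelta(minutes=5)   # ... within this sliding window trigger a staff alert

LINE_RE = re.compile(r"^(?P<ts>\S+) login_failed ip=(?P<ip>\S+) email=(?P<email>\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, ip, email) for a failed-login line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["email"].lower()   # addresses compared case-insensitively


def analyse(lines: Iterable[str], active_users: Set[str]):
    """Return (staff_alerts, user_notices).

    staff_alerts: list of (ip, time) for each IP that crossed IP_THRESHOLD failures
                  inside IP_WINDOW (one alert per IP, at the crossing attempt).
    user_notices: email -> {"count", "first", "last"} for registered active users
                  whose address was used in failed attempts.
    """
    staff_alerts: List[Tuple[str, datetime]] = []
    recent_by_ip: Dict[str, deque] = defaultdict(deque)
    alerted_ips: Set[str] = set()
    failures_by_user: Dict[str, List[datetime]] = defaultdict(list)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, email = parsed

        # Sliding window per source IP: keep only failures inside IP_WINDOW.
        window = recent_by_ip[ip]
        window.append(ts)
        while window and ts - window[0] > IP_WINDOW:
            window.popleft()
        if len(window) >= IP_THRESHOLD and ip not in alerted_ips:
            alerted_ips.add(ip)
            staff_alerts.append((ip, ts))

        # Only addresses belonging to registered active users get a notice;
        # unknown addresses are not echoed back to anyone.
        if email in active_users:
            failures_by_user[email].append(ts)

    user_notices = {
        email: {"count": len(times), "first": times[0], "last": times[-1]}
        for email, times in failures_by_user.items()
    }
    return staff_alerts, user_notices


# Constructed sample data (RFC 5737 test addresses, example.com mailboxes).
SAMPLE_LOG = """\
2018-05-25T10:00:01Z login_failed ip=203.0.113.7 email=alice@example.com
2018-05-25T10:00:05Z login_failed ip=203.0.113.7 email=alice@example.com
2018-05-25T10:00:09Z login_failed ip=203.0.113.7 email=nobody@example.com
2018-05-25T10:00:12Z login_failed ip=198.51.100.9 email=bob@example.com
2018-05-25T10:00:20Z login_failed ip=203.0.113.7 email=Alice@example.com
2018-05-25T10:00:31Z login_failed ip=203.0.113.7 email=nobody@example.com
2018-05-25T10:00:44Z login_failed ip=203.0.113.7 email=alice@example.com
2018-05-25T10:00:50Z login_ok ip=198.51.100.9 email=bob@example.com
""".splitlines()
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}


def run_example():
    return analyse(SAMPLE_LOG, ACTIVE_USERS)


if __name__ == "__main__":
    alerts, notices = run_example()
    for ip, when in alerts:
        print(f"STAFF ALERT: {ip} crossed {IP_THRESHOLD} failures at {when.isoformat()}")
    for email, info in notices.items():
        print(f"USER NOTICE to {email}: {info['count']} failed attempt(s) "
              f"between {info['first'].isoformat()} and {info['last'].isoformat()}")
```

On the sample data the IP 203.0.113.7 crosses the threshold at its fifth failure and is reported once, alice@example.com receives a notice covering four attempts (including the one with a differently-cased address), bob@example.com one attempt, and the address that matches no active user produces no notice at all.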

2.2 In addition to the list of security measures above, additional security practices are adopted by the Service and our staff to manage our code base, regulate access to the production and staging infrastructure, secure off-line backups, and more. You are welcome to request additional information about our security practices and SSL/TLS certificates via e-mail at support@herogami.com. Given the nature of communications and information processing technologies, Herogami cannot guarantee that Information, during transmission through the Internet or while stored on our systems and services, will be absolutely safe from any intrusion by others.

3. Changes to this Security Policy

3.1 Herogami may update or modify this Security Policy from time to time, including any referenced policies and other documents. Herogami will use reasonable efforts to notify you, for example by sending an e-mail to the billing or technical contact you designate in your Customer Account Area or, alternatively, by posting on the Herogami blog or through notifications and pop-ups issued on the Site and Service.