Compliance

Find out how Hedgehog Security keeps your data safe.

Quick facts

Has a disaster recovery plan
Has cyber insurance
Deletes customer data on request
Has a privacy policy
One or more annual third-party audit(s)
Has a formal mobile device management (MDM) program

Accreditations

Answers

Here are the answers to our most commonly asked compliance questions.
How do you encrypt information at rest?
We store client information in siloed containers within our OpenSearch cluster. Each client is assigned their own AES-256 encryption passphrase, combined with a random 128-bit salt, so that no two clients share key material.
How do you manage encryption in transit?
All data connections are made over a VPN using AES-256 encryption (a 256-bit key with a 128-bit random salt). Standard web connections are made over TLS 1.3; we degrade to TLS 1.2 only for organisations whose systems cannot handle the newer version, and nothing older is accepted.
Who owns the personal data processed using Hedgehog's services?
As a customer, you maintain ownership of the personal data we may come across during auditing, testing or monitoring. We do not access or use your personal data for any purpose other than what is agreed with you in advance, except in each case as necessary to comply with applicable law or a binding order of a governmental body.
Who controls personal data?
As a customer, you control your data. We offer industry standard security features to protect and encrypt your data in transit and at rest which are appropriate to the risks presented by the processing of your data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of your data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons. If you wish to have any personal data we hold removed, this can be done by raising a SOC ticket.
Where is my data stored?
Data is stored in one of our two data centres, in Spain or in the UK, depending on the jurisdictional requirements for your data.
What steps does Hedgehog take to protect personal data?
Our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organisational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data.
Do you have a formal and documented security program that undergoes continuous improvement?
We have an Information Security Policy which describes all the security programs maintained across the organisation. The policy is reviewed by the CISO annually and is audited annually as part of our ISO 27001 certification audits. Hedgehog Security has adopted the NIST Cybersecurity Framework (CSF) as our official cybersecurity framework.
Are information security roles and responsibilities clearly defined and communicated to the employees?
Hedgehog has clearly defined roles and responsibilities related to cybersecurity and privacy. The information security policies shall be communicated to all associates on an annual basis as part of mandatory annual training.
Is security awareness training provided to employees of Hedgehog?
All users participate in annual information security, privacy, compliance and awareness training and complete it by the deadline set by the CISO. Specialised security training is offered to developers annually.
List all the Compliance programs implemented by Hedgehog Security
We have implemented controls to comply with the following compliance programs: Payment Card Industry (PCI) Data Security Standard (DSS), Sarbanes Oxley Act (SOX), ISO 27001:2022, ISO9001, ISO22301 and NIS2.
Do you have a vulnerability management system?
All assets are scanned for vulnerabilities weekly. Vulnerabilities are remediated according to internal and industry standards, with remediation performed every Wednesday morning.
Do you continually monitor internal systems?
Our SOC365 service monitors our own systems and networks, providing high quality assessments of weaknesses in our internal and internet-facing systems. Running our own service against ourselves means we are informed rapidly whenever new vulnerabilities are released.