HUMAN Data Security and Privacy FAQ

How does HUMAN protect my privacy?

HUMAN takes commercially reasonable and appropriate measures to protect information against unauthorized access, alteration, disclosure or destruction of data. HUMAN regularly consults with experts and legal counsel to ensure we understand and comply with our compliance obligations and the latest regulations.

HUMAN Security publishes and strictly adheres to a privacy policy to protect all parties utilizing our services. The Privacy Policy details the information we may collect and how it is utilized.

Does HUMAN comply with GDPR?

Yes. HUMAN Security internal standards meet or exceed GDPR requirements as it relates to general data security. 

HUMAN Security has always been committed to data privacy and integrity. For any GDPR-related inquiries, please see our Privacy Policy or reach out to privacy@humansecurity.com.

What customer information does HUMAN store?

Beyond information that is securely kept for billing purposes, and user passwords to allow access to the management console, HUMAN stores the following customer data:

• IP Address
• Connection metadata (such as request headers, browser identification strings, TLS information)
• Mouse interaction events

In addition, Account Defender and Credential Intelligence may store user identifiers. 

Upon request, stored customer data is deleted or rendered unattributable after the services agreement is terminated.

Does HUMAN share my information?

HUMAN does not resell or transmit user data, other than as required to perform our services as described in our agreements with customers and as described with our subprocessors. The HUMAN Security privacy policy outlines the conditions under which we will share your information, such as in response to a valid law enforcement request.

Does HUMAN incorporate privacy by design principles?

HUMAN Security follows the 7 principles of Privacy by Design in our service offerings.

1. We comply with laws, rules, and regulations around data privacy, and including honoring data removal requests.
2. Our leaders communicate clear values to the team, as well as endorse privacy controls in policies and standards that all employees must accept.
3. Privacy is on by default at HUMAN Security – we minimize the collection of identifying information.
4. Our solution offerings incorporate privacy options, such as dedicated infrastructure for Mediaguard.
5. Our business model is built on capturing network effects – we offer a positive-sum solution that succeeds through the maintenance of our customers’ privacy.
6. We integrate security throughout our solution life cycle.
7. We are clear about our privacy commitments, and we participate in external attestation frameworks to demonstrate our commitment.

Where may I direct privacy-related inquiries?

Privacy-related inquiries may be sent to privacy@humansecurity.com.

Does HUMAN have a Code of Conduct policy?

Yes. The HUMAN Code of Conduct strives to foster inclusive, collaborative and safe working conditions for all HUMAN Workforce. As such, HUMAN is committed to providing a friendly, safe and welcoming environment for all Workforce, regardless of gender, sexual orientation, ability, ethnicity, socioeconomic status, and religion (or lack thereof).

Does HUMAN maintain adequate insurance?

Yes, HUMAN maintains insurance to cover numerous types of risk including commercial general liability.

What standards does HUMAN comply with?

HUMAN is certified to be SOC 2 Type 2 and ISO 27001 compliant. HUMAN’s SOC 3 report is available here. Customers may request a copy of the current SOC2 Type 2 report and ISO 27001 certificate through their account manager. HUMAN is also compliant with PCI standards.

Any customer data stored by HUMAN is done in accordance with its Data Retention Policy and is located in data centers secured by AWS, GCP and Equinix. These servers are housed separately from HUMAN’s corporate offices and not interconnected.

Is HUMAN PCI compliant?

Yes. HUMAN Security’s Code Defender product is PCI DSS 4 compliant and is used by large and small companies and organizations worldwide to meet requirements 6.4.3 and 11.6.1 of the PCI DSS 4 standard, as part of our customers’ PCI DSS compliance programs. HUMAN’s Enterprise Sensor (used in Bot Defender, Account Defender, and Code Defender) is also PCI DSS 4 compliant and is suitable for inclusion in payments processes. We can provide an Attestation of Compliance (AoC) from a Qualified Security Assessor (QSA) as well as a Shared Responsibility Matrix. Contact your sales or customer success team for more information. HUMAN Security is committed to its customers’ security and supports customer compliance processes pursuant to PCI DSS requirements.

How does HUMAN keep my data secure?

HUMAN implements a multi-layered approach to protecting customer information, including but not limited to, the use of technical safeguards, dedicated staff and use of cryptographic methods. HUMAN has a dedicated product security team responsible for the identification of potential vulnerabilities and assists engineering with shipping secure code.

HUMANs information security program includes measures such as:

• Documented policies, standards, and procedures
• Full-time cybersecurity management and staff and a 24×7 SOC
• Dedicated incident response team and a best of breed security tools including EDR, SIEM, SOAR technologies
• Cyber-security training for our employees, including staff and engineers
• Encryption for data at rest using strong cryptography
• Encryption for data in transit across trust boundaries using TLS
• Restricting access to employee and customer-facing systems according to the principle of least privilege
• Monitoring cyber security controls and operations across our portfolio and responding to cyber-security alerts
• Cyber-security controls integrated throughout the system development life cycle (SDLC) for our online systems
• Annual penetration tests, and additional penetration tests when we make major changes to our systems (including when we change security controls)
• Bug-bounty programs and accept vulnerability reports from external parties

Does HUMAN use sub-processors?

HUMAN uses subprocessors, including cloud providers as well as services providers to conduct our business. We maintain written data privacy agreements with our sub-processors and require and review SOC2 compliance attestation reports annually.

Who is responsible for cyber-security at HUMAN?

The Chief Information Security Officer, Gavin Reid, is responsible for cyber-security at HUMAN. Gavin reports to the CEO, and maintains a dedicated Information Security team as well as a cross-functional Security Committee comprising the Information Security team along with executives from other functional areas.

Does HUMAN support Single Sign On (SSO)?

HUMAN supports SAML integration (e.g., Okta, AzureAD, or other) on our customer interfaces.

Does HUMAN implement MFA?

Customers may implement MFA by integrating an SSO provider that provides MFA. Internally we implement MFA for privileged access as well as many core internal systems, such as email.

Does HUMAN offer dedicated tenants or dedicated infrastructure?

Certain assets, such as data collectors may use dedicated infrastructure, however overall we do not currently offer dedicated infrastructure for our customers; data isolation is provided logically.

How can I report a vulnerability to HUMAN?

All security related inquiries regarding vulnerabilities or incidents can be reported to csirt@humansecurity.com.