Product security
Last updated 23rd October 2020
Permissions and Roles
We enable permission levels within the Service to be set for your users, either by adjusting the permissions on the default roles or by creating your own roles for more granular control. Permissions can be set for access to personal data (both which fields and which users' data), as well as for the various aspects of organization management.
Network and application security
Data Hosting and Storage
Huma services and data are hosted in Amazon Web Services (AWS), Neo4j Aura and MongoDB Atlas facilities, all in the EU.
Backups and Monitoring
At the application level, we produce audit logs for all activity, ship logs to New Relic for analysis and use S3 for archival purposes.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Huma is served 100% over HTTPS. Huma runs a zero-trust corporate network: there are no corporate resources or additional privileges gained from being on Huma's network. We have SAML Single Sign-On (SSO), two-factor authentication (2FA) and strong password policies on all cloud services used to deliver Huma, to ensure access is protected.
Encryption
All communication with our API and application endpoints is TLS/SSL encrypted in transit. We also encrypt data at rest.
Pentests and Vulnerability Scanning
Huma uses third-party security tools to regularly scan for vulnerabilities. Our dedicated security team responds to the issues raised. We engage third-party security experts to perform penetration tests on the Huma application and infrastructure, with multiple tests for specific functionality and one detailed full-service test annually.
Incident Response
Huma implements a protocol for handling security events which includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies.
Additional Security Features
Training
All employees complete Security and Awareness training annually.
Policies
Huma has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Confidentiality
All employee contracts include a confidentiality agreement.
PCI Obligations
All payments made to Huma go through our partner, Recurly. Details about their security setup and PCI compliance can be found on Recurly's security page.
Security questions?
If you think you may have found a security vulnerability, please get in touch with our security team at security@hu.ma.
Learn more about Huma by reading our Terms of Service and Privacy Policy.