Product security

Last updated 23rd October 2020

Permissions and Roles

We enable permission levels within the Service to be set for your users either by adjusting permissions on the default roles or by creating your own roles for more granular control. Permissions can be set for access to personal data, both which fields and which users, as well as for the various aspects of organization management.

Network and application security

Data Hosting and Storage

Huma services and data are hosted in Amazon Web Services (AWS), Neo4j Aura and MongoDB Atlas facilities, all in the EU.

Back Ups and Monitoring

On an application level, we produce audit logs for all activity, ship logs to New Relic for analysis and use S3 for archival purposes.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. Huma is served 100% over https. Huma runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Humaโ€™s network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on all cloud services used to deliver Huma, to ensure access is protected.


All communication with our API and application endpoints are TLS/SSL encrypted in transit. We also encrypt data at rest.

Pentests and Vulnerability Scanning

Huma uses third party security tools to regularly scan for vulnerabilities. Our dedicated security team responds to issues raised. We engage third-party security experts to perform penetration tests on the Huma application and infrastructure, with multiple tests for specific functionality and one detailed full-service test annually. 

Incident Response

Huma implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Additional Security features


All employees complete Security and Awareness training annually.


Huma has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.


All employee contracts include a confidentiality agreement.

PCI Obligations

All payments made to Huma go through our partner, Recurly. Details about their security setup and PCI compliance can be found at Recurlyโ€™s security page.

Security questions?

If you think you may have found a security vulnerability, please get in touch with our security team at

Learn more about Huma by reading our Terms of Service and Privacy Policy.