IT Security Policy

Purpose and Scope

The Information Security Policy (the "Policy") is the guideline describing how we stand about security issues and what we do for data protection.

The Policy applies to all Hawk customers, maintainers, and everyone who uses Hawk.

Objectives

First of all, security is one of the Hawk's most prioritized things as well as we're committing to securing the data you're sending us. Along with the commitment to maximizing continuity of access.

We are using the most modern industry-standard technologies of security for the purposes described above.

Important to say that Hawk's source code is open-source. That means that everyone can view this code, check it for vulnerabilities, send us reports and attempt to improve the code. That's positively affects security and compliance.

Maintenance and enforcement

The CodeX team, as product maker and owner, is responsible for the maintenance of the Policy statements. CodeX DevOps, Security departments, and all Hawk maintainers are responsible for its enforcement.

Responsibilities

Hawk Catchers integration requires small code changes of a customer application. Unfortunately, even small changes that have been made wrongly can cause accessibility or other issues in target apps. Such problems are in an area of responsibility of developers making an integration. We highly recommend carefully test these changes in a staging environment before shipping them to production.

Along with that, It's highly recommended for Hawk users to set up the Sensitive data filtering on Catchers configuration to prevent sending us sensitive information. Read more below.

Sensitive Data Filtering

Sensitive Data Filtering is a mechanism provided by Hawk that allows removing the data that you should not pass anywhere. For example, users' credentials, wire transfer data, and others. 

This feature works by default on Hawk's side and also there is the ability to remove any sensitive data on the user's part before sending it to the Hawk. Read more about Sensitive Data Filtering.

Security Weaknesses and Vulnerabilities

Hawk intends to mitigate potential risks in several ways:

  1. Static code checks
  2. Dynamic code checks on CI/CD
  3. Manual testing after any significant changes
  4. Regular dependencies updating
  5. Application-layer penetration tests
  6. Infrastructure-layer penetration tests
  7. Network-layer penetration tests
  8. Internal CodeX Security Department tests and audits.

Data Backups

We do regular (daily and weekly) backups of every data storage. Each backup stored in three independent places including fr-PAR-2 of Scaleway data center. Some backups stored for one week, some of them — for one year.

We are performing regular backups restoration rehearsals.

Erasure and Disposal

Each user can dispose of the accidentally sent sensitive data or any other data they don't want to store anymore writing on [email protected]

Password Policy

After signing up, Hawk generates a cryptographically well-built artificial pseudorandom password for a user. This password will be sent to the user's email.

At any time, a user can change a password for his's own. Passwords are stored hashed by the Argon2 algorithm.

Messaging Security

Hawk sends email for notifications and other purposes. We use AWS SES for delivering.

Amazon SES authentication options such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) confirms the right to send on behalf of the domain. Virtual private cloud (VPC) support makes email sending secure. Amazon SES is globally available with HIPAA eligibility, in-region compliance (C5, IRAP), and global certifications (Fed-Ramp, ISO, GDPR).

Data Encryption

All data sent to Hawk encrypted with TLS protocol. The Garage — service for events monitoring — is available only for encrypted connections.

Physical and Hardware Security

Our servers are distributed to different data centers secured by industry top-level standards of data protection.

Vulnerability Disclosure

Hawk is a young open-source project so everyone can help us improving security and compliance. We really appreciate such contributions.

If someone found a security issue or vulnerability, he can send us a report to [email protected] describing problem details, steps to reproduce, and so on. We will check each message carefully and answer as soon as possible.

Responding to Security Breaches

In each case of a successful event of cyberattack we'll do the following:

Data loss Data will be restored from our backups
Data integrity breach Data will be restored from our backups
Data theft Customers will be informed as soon as possible with advice on what they should do to protect themselves
Virus / Mallware detection We will do attempts to establish what the virus is, what it is doing, and where it came from. Then, it will be removed.
Physical Theft / Damage  Equipment will be replaced as soon as possible

We will inform affected customers as soon as possible using any available contacts data.