Security is an integral component of our business. HqO's customers and users entrust us with their work-life information, and we aim to process and store that information thoughtfully and intelligently.
Our security team has designed and implemented a comprehensive information security management system (ISMS) program following the best practices described in ISO 27001 and NIST frameworks. The team aims to continuously improve the ISMS program alongside the business growth, reach, and input from various stakeholders including customers and regulators.
On this page, we describe the various security measures and compliance overviews at HqO. For more information about our security measures, please contact security@hqo.co.
ISO 27001
HqO is ISO 27001:2022 certified. The certification covers the ISMS supporting the confidentiality, integrity, and availability of customer data, supplier information, and HqO's internal data related to developing, operating, and planning a workplace experience platform environment.
Download Certification for HqO →
SOC 2
HqO has obtained a SOC 2 Type II report based on an examination by an independent third party. The report describes the controls HqO has established to support its operations and compliance obligations. The report is available upon request.
CSA Star Level 1
HqO has completed, and regularly updates its answers to, the Cloud Security Alliance (CSA) security self-assessment questionnaire (CAIQ v4.02). The completed questionnaire provides comprehensive information about the security practices in place at HqO.
HqO's solution complies with the data protection laws and regulations of the jurisdictions where our customers reside, such as GDPR, CCPA, and PIPEDA. View our Privacy Policy for more details.
HqO also leverages a number of third-party applications and services in support of the delivery of our solution to customers. We recognize that the company's information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, we have established a vendor management program that sets forth the requirements to be established and agreed upon when HqO engages with third parties or external vendors. For a complete list of HqO's sub-processors, please refer to our Data Processing Addendum document on our Legal Hub.
HqO is committed to safeguarding the privacy and data protection of our global customer base. Our dedication to these principles is evident in our adherence to the Data Privacy Framework (DPF), which encompasses the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. The DPF serves as a pillar ensuring that HqO adheres rigorously to data protection regulations, facilitating the transfer of personal data from the European Union, the United Kingdom, and Switzerland to the United States in alignment with EU, UK, and Swiss law, respectively. For a detailed overview of our data protection practices, please consult our Privacy Policy. At HqO, we prioritize the protection of your data above all else. Our commitment to continuous enhancement drives us to consistently improve our data protection measures, so that our services meet or exceed the evolving data privacy standards in every jurisdiction in which we operate.
HqO maintains a comprehensive set of security policies and procedures which are communicated and accessible to all employees. We ask our employees during their onboarding and annually thereafter to read and understand these policies and procedures. We also plan, run, and continuously improve security awareness campaigns across the company to ensure all employees are aware of security best practices and how to best protect customers and other business information.
All of our internal policies and procedures are reviewed at least annually. We also test and audit the controls in all of these areas to confirm that the measures are operating effectively.
We host customer data on Amazon Web Services (AWS) infrastructure in the US East region data center located in Northern Virginia and the EU Central region data center located in Frankfurt, Germany. All primary instances of our infrastructure are replicated in real-time to secondary instances across multiple availability zones to ensure high availability service.
All data is encrypted during transmission and at rest. Backup snapshots of the database are captured at 5-minute intervals and retained for 30 days.
To ensure the continuous security of our production environment, security vulnerability scanning is performed every 2 weeks using a third-party solution. Every year an external party performs a penetration test on our applications (web and mobile) and infrastructure. All identified findings are tracked and resolved according to our previously defined policy and procedure.
Frequently asked questions
We collect, store, and process a very limited amount of personal data from customers to deliver our service, such as name, work email address, and main work location.