Information Security at Hive
Hive is committed to ensuring that we conduct our activities in a way that information is safeguarded from potential security threats. In support of this, we have aligned our approach to information security with the ISO27001 framework.
As part of our ISO27001-certified Information Security Management System, we have developed a comprehensive set of information security policies covering a range of topics, such as an Information Security Policy, Data Protection Policy, Change Management Process and Incident Management Procedures.
All data sent to and from Hive is encrypted in transit using TLS 128-bit encryption. Data is also encrypted at rest using the AES 256 cipher.
Our servers live within Hive’s own VPCs to prevent unauthorised network requests.
Additionally, data is separated between service customers at the database level (logical segregation) to ensure data privacy and to prevent one customer from accessing another customer’s data.
The data is stored and backed up in Dublin, Ireland.
Authorised users of the management console authenticate using a username and strong password, with the option to also use SMS text messages as multi-factor authentication.
Employees are sent unique pre-authorised tokens to facilitate survey submission without having to authenticate.
Yes. Our reference is ZA246797.
Hive has processes in place to support customers if their employees exercise any of their privacy rights, such as the right of access.
We provide customers with a range of options to keep their employee information up to date. These include:
- Self-service administration
- Integration with employee records systems via Tray.IO, so that changes in personnel are automatically updated within Hive.
- Secure file transfer of employee data files, such as via Egress Secure Workspace.
Hive uses two essential sub-processors outside the EU and has ensured that contracts include Data Processing Agreements and encompass appropriate EU-approved Standard Contractual Clauses.
- A sub-processor based in the USA is responsible for the delivery of emails as part of the surveying aspect of Hive. To email individuals a unique link to a survey, they process the first name and email address.
- A web analytics sub-processor based in the USA processes the IP address of Hive users to help provide insights into how the Hive application is used and navigated. They also provide:
  - Natural language processing that allows Hive’s reporting suite to determine sentiments and themes
  - Translation of application content and employee feedback
Hive also has an optional sub-processor based outside the EU and has also ensured that contracts include Data Processing Agreements and encompass appropriate EU-approved Standard Contractual Clauses.
- The sub-processor based in the USA is responsible for providing integration functionality with customer HR systems to ensure that Hive has current employee information. They would process essential personal data, such as name and email address and selected demographics, such as gender, location, team and employment tenure. They are SOC 2 Type 2 certified and ensure all data is encrypted at rest and in transit.
When planning to use any third parties, risk assessments are carried out to ensure there’s an adequate level of security and data protection in place, such as checking security certifications and ensuring Data Protection Agreements or EU-approved Standard Contractual Clauses are in place.
Information Security Policy
We have developed this Information Security Policy to provide our employees and customers with assurances about the way we receive, store, and process information. This policy forms part of our Information Security Management System (ISMS) and is based on the ISO 27001:2013 Standard. Our Statement of Applicability details the controls that are relevant to our organisation and how we address risks in each of those areas.
Information is at the heart of our business, and any threat to its confidentiality, integrity, or availability is a direct threat to our business. Information security concepts apply to, and are the responsibility of, all our employees. Hive’s Senior Leadership Team is fully supportive of the need for, and enforcement of, information security policies, procedures and Hive’s ISMS. The Information Security & Compliance Manager is responsible for the management and maintenance of the ISMS.
The Senior Leadership Team is committed to ensuring that we conduct our activities in such a way that information is adequately safeguarded from potential security threats and this policy has been approved by the CEO to ensure that all information assets (information in all its forms) are protected and are used in the best interests of the company and its clients, within applicable laws and regulations, and as part of our contractual agreements. Each year we set information security objectives and measure and report on adherence to these objectives throughout the year in various internal forums. It is essential that we all understand the importance of information security, our responsibilities, and the consequences of ignoring them, and ultimately the effects of security on our success, and that we all recognise and understand our role in protecting our information assets. We identify risks and opportunities that are relevant to our organisation, and document, assess, plan, and treat them as necessary, always with the objective of continual improvement in mind.
The Information Security Manual will help you understand your role in delivering this aspect of our organisation’s risk management activities. It will also help us continually improve the security of our information assets.
If there is anything within this policy you do not understand, please speak with the Information Security & Compliance Manager who will be able to advise you.
John Ryder – CEO & Founder
Policy Owner: Information Security & Compliance Manager
Policy Authorised By: CEO
Classification: PUBLIC
Date of Review
Summary of Change
Date of Next Review
Transfer to new template, general review and update
Information Security & Compliance Manager
General review and update
Information Security & Compliance Manager
Compliance Statement: This policy forms part of HiveHR’s induction and ongoing general awareness programme. If there is anything within this policy that is not clear, or has not been understood, then you must inform your line manager or policy owner to seek further clarification. Policies that are downloaded or externally circulated should be considered as insecure. This document should not be replicated, redistributed, or modified without express permission from the policy owner.
Failure to comply with this policy, in whole or in part, may lead to disciplinary action.