Information Security at Hive
Hive is committed to ensuring that we conduct our activities in a way that information is safeguarded from potential security threats. In support of this, we have aligned our approach to information security with the ISO27001 framework.
As part of our ISO27001 certified Information Security Management System we have developed a comprehensive set of information security policies covering a range of topics, such as an Information Security Policy, Data Protection Policy, Change Management Process and Incident Management Procedures.
All data sent to and from Hive is encrypted in transit using TLS 128-bit encryption. Data is also encrypted at rest using the AES 256 cipher.
Our servers live within Hive’s own VPCs to prevent unauthorised network requests.
Additionally, data is separated between service customers at the database level (logical segregation) to ensure data privacy and to prevent one customer from accessing another customer’s data.
The data is stored and backed up in Dublin, Ireland.
Authorised users of the management console authenticate using a username and strong password, with the option to also use SMS text messages as multi-factor authentication.
Employees are sent unique pre authorised tokens to facilitate survey submission without having to authenticate.
Yes. Our reference is ZA246797.
Hive has processes in place to support customers if their employees exercise any of their privacy rights, such as the right of access.
We provide customers with a range of options to keep their employee information up to date. These include:
- Self-service administration
- Integration with employee records systems via Tray.IO, so that changes in personnel are automatically updated within Hive.
- Secure file transfer of employee data files, such as via Egress Secure Workspace.
Hive uses two essential sub-processors outside the EU and have ensured contracts include Data Processing Agreements and encompass appropriate EU approved Standard Contractual Clauses.
- A sub-processor based in the USA is responsible for the delivery of emails as part of the surveying aspect of Hive. To email individuals a unique link to a survey they process the first name and email address.
- A web analytics sub-processor based in the USA processes the IP address of Hive users to help provide insights into how the Hive application is used and navigated. They also provide:
- Natural language processing that allows Hive’s reporting suite the ability to determine sentiments and themes
- Translation of application content and employee feedback
Hive also has an optional sub-processor based outside the EU and has also ensured contracts include Data Processing Agreements and encompass appropriate EU approved Standard Contractual Clauses.
- The sub-processor based in the USA is responsible for providing integration functionality with customer HR systems to ensure that Hive has current employee information. They would process essential personal data, such as name and email address and selected demographics, such as gender, location, team and employment tenure. They are SOC 2 Type 2 certified and ensure all data is encrypted at rest and in transit.
When planning to use any third parties risk assessments are carried out to ensure there’s an adequate level of security and data protection in place, such as checking security certifications, ensuring Data Protection Agreements or EU approved Standard Contractual Clauses are in place.
Information Security Policy
We have developed this Information Security Policy in order to preserve our competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance, commercial image, protect our employees and help fulfil our strategic objectives.
Information is at the heart of our business, and any threat to its confidentiality, integrity, or availability is a direct threat to our business. Information security applies to, and is the responsibility of, all staff. The Management Team is fully supportive of the need for, and enforcement of, information security policies and procedures.
The Senior Leadership Team is committed to ensuring that we conduct our activities in such a way that information is adequately safeguarded from potential security threats. In support of this, we have aligned our approach to information security with the ISO27001 framework.
The Information Security Policy has been approved by the CEO to ensure that all information assets (information in all its forms) are protected and are used in the best interests of the company and its clients.
It is essential that we at understand the importance of information security, our responsibilities and the consequences of ignoring them, and ultimately the effects of security on our success, and that we all recognise and understand our role in protecting our information assets.
The Information Security Manual will help you understand your role in delivering this aspect of our business’s risk management activities. It will also help us continually improve the security of our information.
We conduct Risk Assessments, have produced a Statement of Applicability (found in the Appendix of the security manual) and Risk Treatment Plans to identify how information-related risks are controlled.
The Information Security & Compliance Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy.
If there is anything you do not understand, please speak with the Information Security & Compliance Manager who will be able to advise you.
John Ryder – CEO & Founder
- Creation: 31/01/2018
- Last Review: 19/01/2021
- Owner: John Ryder, Founder & CEO is responsible for maintaining the policy and ensuring that it is up to date.
- Classification: This Policy has been classified as Public as per our Information Classification and Data Handling Policy.
- Compliance: This policy forms part of the company’s induction and ongoing security awareness programme. If there is anything within this policy that is not clear, or has not been understood, then you must inform your line manager or policy owner to seek further clarification.
- Failure to comply with this policy, in whole or in part, may lead to disciplinary action.