Information Security

Information Security at Hive

Hive is committed to ensuring that we conduct our activities in a way that information is safeguarded from potential security threats. In support of this, we have aligned our approach to information security with the ISO27001 framework.

FAQs

Hive Cyber Essentials Certified Details

Hive Cyber Essentials Certified Plus Details

Hive ISO 27001 Details (2)


As part of our ISO 27001:2022 certification we engage with auditors annually to ensure compliance with the standard. We also engage with an external party to undertake annual penetration testing.

As part of our ISO27001 certified Information Security Management System we have developed a comprehensive set of information security policies covering a range of topics, such as an Information Security Policy, Data Protection Policy, Change Management Process and  Incident Management Procedures.

All data sent to and from Hive is encrypted in transit using TLS 128-bit encryption. Data is also encrypted at rest using the AES 256 cipher.

Our servers live within Hive’s own VPCs to prevent unauthorised network requests.

Additionally, data is separated between service customers at the database level (logical segregation) to ensure data privacy and to prevent one customer from accessing another customer’s data.

The data is stored and backed up in Dublin, Ireland.

Authorised users of the management console authenticate using a username and strong password, with the option to also use SMS text messages as multi-factor authentication.

Employees are sent unique pre authorised tokens to facilitate survey submission without having to authenticate.

Hive has processes in place to support customers if their employees exercise any of their privacy rights, such as the right of access.

We provide customers with a range of options to keep their employee information up to date. These include:

  • Self-service administration
  • Integration with employee records systems via Tray.IO, so that changes in personnel are automatically updated within Hive.
  • Secure file transfer of employee data files, such as via Egress Secure Workspace.

Hive uses two essential sub-processors outside the EU and have ensured contracts include Data Processing Agreements and encompass appropriate EU approved Standard Contractual Clauses.

  • A sub-processor based in the USA is responsible for the delivery of emails as part of the surveying aspect of Hive. To email individuals a unique link to a survey they process the first name and email address.
  • A web analytics sub-processor based in the USA processes the IP address of Hive users to help provide insights into how the Hive application is used and navigated. They also provide:
    • Natural language processing that allows Hive’s reporting suite the ability to determine sentiments and themes
    • Translation of  application content and employee feedback 

Hive also has an optional sub-processor based outside the EU and has also ensured contracts include Data Processing Agreements and encompass appropriate EU approved Standard Contractual Clauses.

  • The sub-processor based in the USA is responsible for providing integration functionality with customer HR systems to ensure that Hive has current employee information. They would process essential personal data, such as name and email address and selected demographics, such as gender, location, team and employment tenure. They are SOC 2  Type 2 certified and ensure all data is encrypted at rest and in transit.

When planning to use any third parties risk assessments are carried out to ensure there’s an adequate level of security and data protection in place, such as checking security certifications, ensuring Data Protection Agreements or EU approved Standard Contractual Clauses are in place.

Information Security Statement

We have developed this Information Security Statement to provide our employees and customers with assurances about the way we receive, store, and process information. This statement forms part of our Information Security Management System (ISMS) and is based on the ISO/IEC 27001:2022 Standard. Our Statement of Applicability details the controls that are relevant to our organisation and how we address risks in each of those areas.

Information is at the heart of our business, and any threat to its confidentiality, integrity, or availability is a direct threat to our business. Information security concepts apply to, and are the responsibility of, all our employees. Hive’s Senior Leadership Team is fully supportive of the need for, and enforcement of, information security policies, procedures and Hive’s ISMS. The Information Security & Compliance Manager is responsible for the management and maintenance of the ISMS.

The Senior Leadership Team is committed to ensuring that we conduct our activities in such a way that information is adequately safeguarded from potential security threats and this statement has been approved by the CEO to ensure that all information assets (information in all its forms) are protected and are used in the best interests of the company and its clients, within applicable laws and regulations, and as part of our contractual agreements. Each year we set information security objectives and measure and report on adherence to these objectives throughout the year in various internal forums. It is essential that we all understand the importance of information security, our responsibilities, and the consequences of ignoring them, and ultimately the effects of security on our success, and that we all recognise and understand our role in protecting our information assets. We identify risks and opportunities that are relevant to our organisation, and document, assess, plan, and treat them as necessary, always with the objective of continual improvement in mind. 

The Information Security Manual will help you understand your role in delivering this aspect of our organisations risk management activities. It will also help us continually improve the security of our information assets.

If there is anything within this statement you do not understand, please speak with the Information Security & Compliance Manager who will be able to advise you.

John Ryder – CEO & Founder