Security at Highwing
Highwing’s clients trust us to keep their most valuable data private, secure, and available, and we take that trust seriously. We embrace proven, best-in-class security practices throughout the organization, including following principles of least privilege, Defense in Depth, Zero Trust, and immutable infrastructure. We follow industry standards and frameworks such as CIS and NIST, and undergo regular third-party testing and audits to demonstrate our adherence to these principles. This page is intended to provide further transparency about how we protect our clients’ important data.
AVAILABILITY & INFRASTRUCTURE
We partner with some of the world’s most security- and availability-conscious organizations for the infrastructure and data services that power Highwing. Amazon Web Services provides the secure networking, compute, application, and monitoring primitives we use throughout the platform. Our document management functionality is built on Box, Inc.’s enterprise-grade, secure toolkit. Our infrastructure configuration is automated and version-controlled, giving us the flexibility to quickly respond to infrastructure faults by shifting traffic to alternate locations.
Strong encryption is the foundation underlying much of our data security. All data at rest is encrypted using industry best practices, and all data in transit is encrypted with SSL/TLS using only secure cipher algorithms. Access to keys and encrypted material are separated at all times. User credentials are never stored in plaintext.
We limit network and logical access to data and systems that hold sensitive information, and guard that access using centralized multi-factor authentication and context-restricted grants to prevent unauthorized access.
TESTING & RESPONSE PROGRAM
We regularly test our applications and infrastructure for vulnerabilities and remediate those that could impact the security of customer data. Our team uses a variety of automated tools to identify issues quickly and proactively and supplements that with expert penetration testing to increase the range of our assessments. We maintain incident, disaster, and breach management policies with procedures for responding to each, including notification for stakeholders up to and including law enforcement.