We take a layered approach to our security practices to address the people and data we protect.
We have created a robust security environment for all Hootsuite employees. This is reflected in our hiring processes, employee onboarding initiatives, and ongoing security awareness training, all of which promote a strong security culture.
Background employment checks are performed on new employees appropriate for their responsibilities up to and including federal government security clearances. Where local labor laws or statutory regulations permit, the background screening may comprise criminal, employment, and/or reference checks. Key employees who have elevated privileges may be required to complete more extensive background checks.
Hootsuite requires all employees to sign confidentiality and non-disclosure agreements as conditions of their employment. The agreements address Hootsuite and customer data and include the consequences related to non-compliance with Hootsuite’s information security policies.
Our security processes include limiting access to systems where individual roles require it (least privilege). Account access requests are recorded, reviewed and provisioned by our Information Technology and Product Operations and Delivery teams. Accounts are reviewed quarterly and deficiencies are remediated.
Hootsuite implements a leading commercial MFA system that uses cryptographically strong push authentication. This MFA is used for Hootsuite’s system and, where supported, for those systems that don't support SSO.
Hootsuite uses a combination of AWS Key Management Service (KMS) and HashiCorp Vault for the storage of master keys and other sensitive authentication credentials. Depending on the risk and sensitivity of the data, Hootsuite uses AES-256 encryption to protect data-at-rest. Data-in-transit external to our AWS infrastructure is encrypted using TLS 1.2 (HTTPS) for all products and all pages related to payment card processing.
Hootsuite has a formal third-party risk management policy and related processes. All third-party services that could potentially impact the security of Hootsuite’s or Hootsuite’s customers’ information are reviewed by our Security and Compliance risk assessment team.
Hootsuite uses a limited number of subcontractors to assist both with the development of our software as well as with the management and operations of our production systems. All contractors are thoroughly vetted, are required to sign confidentiality and security agreements governing their use of information and systems, and have their work reviewed and approved by Hootsuite staff before being committed to production.
At Hootsuite, we have a formal Security Vulnerability Management Program. We use AWS Inspector to scan all production servers for vulnerabilities. In addition, all traffic external to Amazon Web Services (AWS) infrastructure is monitored using Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). Hootsuite also uses Host Intrusion Detection Systems (HIDS) to monitor activity on all of its servers and to alert on atypical usage patterns.
Hootsuite uses Amazon Web Services Shield for Distributed Denial of Service (DDoS) attack protection and AWS CloudWatch to monitor and alert on events related to its AWS infrastructure. The relevant logs are aggregated using a secure third-party logging and SIEM service which continuously monitors log events and alerts on suspicious or anomalous behaviour.
We track patches from our major suppliers and test and apply them in accordance with our Vulnerability Management Policy. The Security Operations team monitors threat intelligence sources as input to both IT and production vulnerability management.
The Security Operations and Engineering team regularly conducts penetration tests of Hootsuite’s existing production services, as well as new features and services that have not yet been made generally available. Annually, Hootsuite engages the services of an independent third party to conduct vulnerability assessments and penetration tests of our services. A summary of their report is available to enterprise customers under NDA.
Security Incident Management
Hootsuite has developed and deployed multiple security-monitoring tools which provide coverage and visibility over Hootsuite’s technology infrastructure. A combination of commercial and customized tools is deployed to ensure the security and integrity of the Hootsuite production environment. Security events are logged to the centralised log management system, which can automatically log tickets for review and action. Significant events that require immediate attention are forwarded to our alerting service.
The Security Operations team operates on a 24/7 basis.
Hootsuite operates in an agile environment to develop, modify, test and release code into the production environment. Code change processes are based on change management policy. These processes are documented and communicated to necessary personnel by Development teams.
The Lead Developer receives the change request, iterates on details with the team and the responsible product manager, before approving the request.
Distinct development, staging, and production environments exist and are segregated. Code is developed in the development environment. The migration of code between the staging and production environment is performed by Development team personnel using a defined release management process.
Development teams conduct a security review of the high-risk components on a semi-annual basis to ensure that code deployed to production is secure. Any exceptions noted from this review are investigated and resolved on a timely basis.
The Security Operations team also conducts security testing on new features and projects. Feedback is given to Development teams, and the team issues tickets for vulnerabilities or flaws that require remediation.
Hootsuite utilizes various tools, technologies, and procedures to monitor and evaluate the performance of our production services. Responsibility for ongoing monitoring, and acting on exceptions, is shared amongst various teams. Documented procedures are in place to facilitate the monitoring of our systems.
An on-call schedule is used to ensure that personnel are available 24/7 to respond to operational issues. Different functional teams and designated on-call engineers are available to support the systems under their control.
The service availability and operational status of the Hootsuite system is available to customers to view directly from the Hootsuite System Status page at http://status.hootsuite.com/ or by contacting Hootsuite Customer Support or Customer Success teams.
Hootsuite’s systems are architected to minimize single points of failure and to deploy redundant or distributed servers to mitigate the impact of any particular server malfunctioning. Hootsuite monitors its servers and services continuously, and automatically scales to meet the tidal shift in demand. Capacity expansion to manage growth is handled through detailed monitoring of load patterns and the configuration of either additional or more powerful servers as appropriate.
As Hootsuite infrastructure is distributed across multiple Amazon Web Services data centres and regions, it is able to quickly recover from the loss of even an entire data centre by spinning up new instances in a different data centre and region.