Hootsuite Security Practices
Last updated: May 24, 2018
Hootsuite maintains organizational and technical measures to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information Hootsuite collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Hootsuite engages in.
Where used in this Security Practices document, “Hootsuite Services” means the Self-Serve Services or Enterprise Services, as applicable and as defined in the terms applicable to your access to and use of the Hootsuite Services (the “Agreement”). Capitalized terms not defined in this document have the meanings given to them in the Agreement.
Hootsuite maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorized Users make available via the Hootsuite Services, and to prevent access to Customer Content by anyone who should not have access to it.
All of Hootsuite’s employees are bound by Hootsuite policies regarding the confidential treatment of Customer Content.
Hootsuite employees receive security training during onboarding and on an ongoing basis. Employees are required to read and sign information security policies covering the confidentiality, integrity, availability and resilience of the systems and services Hootsuite uses in the delivery of the Hootsuite Services. Where applicable, including for particularly sensitive positions, Hootsuite also conducts criminal background checks on employees before employment.
Hootsuite’s security-related audits and certifications include:
- Service Organization Control (SOC) Reports: Hootsuite undergoes a SOC 2 audit annually which is performed by independent third party auditors. A copy of Hootsuite’s most recent report is available upon request for existing Enterprise customers or for prospective Enterprise customers who agree to hold the report in confidence under a Hootsuite form of non-disclosure agreement.
- PCI DSS: When payments are processed via credit card, Hootsuite uses third-party vendors that are PCI DSS compliant. At no point does Hootsuite store, transmit, or process your credit card information; Hootsuite simply stores anonymous tokens that identify the applicable processed transactions.
Additional Security Features
Access and System Logging
All systems used in the provision of the Hootsuite Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.
Access to the systems used by Hootsuite employees and contract personnel is controlled by multi-factor authentication. This means that all Hootsuite employees and contractors are required to provide physical proof of their identity, in addition to the provision of any password, in order to gain access to any system used in the provision of the Hootsuite Services.
Hootsuite also makes available multi-factor authentication capability for its Customers and their Authorized Users in respect of their use of the Hootsuite Services (as a tool for their use in maintaining the security of their accounts).
Hootsuite has implemented single sign-on (SSO) company-wide to ensure greater and more centralized access control to the systems used by Hootsuite employees and contract personnel.
Hootsuite also makes available SSO capability, for an additional fee, for Enterprise customers that wish to ensure greater and more centralized access control to their accounts.
Data Encryption In Transit and At Rest
The Hootsuite Services support the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. Hootsuite currently accepts only TLS 1.2 on its main website and on all pages that accept credit card information; migration of subsidiary pages to TLS 1.2 will be completed later in 2018.
Customer Content is also encrypted at rest where appropriate, having regard to the nature of the content and the associated risks. Almost all of the information Hootsuite processes is already publicly available elsewhere and so there is no associated privacy risk, but all scheduled and approval-pending messages, for example, are encrypted at rest for additional protection.
Hootsuite monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Hootsuite Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Hootsuite does this while also balancing the need for compatibility for older clients.
Hootsuite’s infrastructure runs on systems that are fault tolerant and it provides Enterprise customers with a guaranteed up-time, as set out in the Enterprise Service Level Agreement.
When your use of the Hootsuite Services requires Hootsuite’s systems to store Customer Content, such Customer Content is stored redundantly at multiple locations in Hootsuite’s hosting provider’s data centers to ensure availability. Hootsuite has backup and restoration procedures to allow recovery from a major disaster. Customer Content and Hootsuite’s source code are automatically backed up on a nightly basis. Hootsuite’s operations team is alerted in the event of any failure with this system. Backups are fully tested at least every 90 days to confirm that these processes and tools work as expected.
In addition to system monitoring and logging, Hootsuite has implemented firewalls that are configured according to industry best practices, and ports not utilized for delivery of the Hootsuite Services are blocked by configuration with our data center provider.
Hootsuite performs automated vulnerability scans on its production hosts and uses commercially reasonable efforts to remediate any findings that present a material risk to the Hootsuite environment. Hootsuite enforces screen lockouts and the usage of full disk encryption for company laptops.
Logging and Intrusion Detection
Hootsuite maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Hootsuite Services. These logs are analyzed for security events via automated monitoring software, overseen by Hootsuite’s security team.
Hootsuite monitors the Hootsuite Services for unauthorized intrusions using network-based and host-based intrusion detection mechanisms. Hootsuite analyzes data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Hootsuite Services function properly.
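As an added example (not Hootsuite's code or monitoring tooling), the following Python script runs two simple checks over constructed user-access-log records laid out with the fields this document lists for such logs (date, time, user ID, URL or entity ID, operation performed, source IP): a user ID whose consecutive requests arrive from different source IPs within a short window, and a burst of delete operations by a single user. The sample records, the thresholds and the windows are constructed for illustration; the document does not state which rules Hootsuite's automated monitoring applies.

```python
"""Added example, not Hootsuite's code: scan constructed user-access-log
records for two patterns that would justify a security review."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the layout the document lists for user access
# logs: date, time, user ID, URL or entity ID, operation, source IP.
SAMPLE_LOG = """\
2018-05-24 09:00:01 u1042 /messages/771 updated 203.0.113.7
2018-05-24 09:00:40 u1042 /messages/772 created 203.0.113.7
2018-05-24 09:01:05 u1042 /messages/773 deleted 198.51.100.23
2018-05-24 09:01:09 u1042 /messages/774 deleted 198.51.100.23
2018-05-24 09:01:12 u1042 /messages/775 deleted 198.51.100.23
2018-05-24 09:01:15 u1042 /messages/776 deleted 198.51.100.23
2018-05-24 09:01:18 u1042 /messages/777 deleted 198.51.100.23
2018-05-24 09:30:00 u2077 /messages/801 updated 192.0.2.44
2018-05-24 09:31:00 u2077 /messages/802 updated 192.0.2.44
"""


def parse(log_text):
    """Split each whitespace-separated record into a dict with a datetime."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, user, target, op, ip = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "target": target, "op": op, "ip": ip,
        })
    return records


def find_ip_switches(records, window=timedelta(minutes=10)):
    """Flag a user ID whose consecutive requests come from different source IPs
    within `window`: a cheap signal for session theft or shared credentials."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    flagged = set()
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                flagged.add(user)
    return sorted(flagged)


def find_delete_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Flag a user ID that performs at least `threshold` deletes inside any
    `window`-long span (sliding window over the user's delete timestamps)."""
    deletes = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["op"] == "deleted":
            deletes[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in deletes.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
    return sorted(flagged)


def review(log_text):
    """Run both checks and return the flagged user IDs per check."""
    records = parse(log_text)
    return {
        "ip_switch": find_ip_switches(records),
        "delete_burst": find_delete_bursts(records),
    }


if __name__ == "__main__":
    for kind, users in review(SAMPLE_LOG).items():
        print(kind, users or "none")
```

On the constructed sample, user u1042 is flagged by both checks: its requests jump from 203.0.113.7 to 198.51.100.23 within 25 seconds and it deletes five entities in 13 seconds, while u2077's activity is unremarkable. In a real deployment the flagged record set, not just the user ID, is what you would preserve for the forensic follow-up the document describes.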
Hootsuite currently uses Amazon Web Services (AWS) for its production data centers to provide the Hootsuite Services. AWS has been selected for its high standards of both physical and technological security, and has internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services' certification and compliance, please visit the AWS Security website and the AWS Compliance website.
Security Policies and Procedures
Hootsuite implements and maintains industry-standard security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework. In particular, the Hootsuite Services are operated in accordance with the following policies and procedures:
- Customer passwords are stored using a one-way salted hash.
- User access logs are maintained, containing date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted), and source IP address.
- If there is reasonable suspicion of inappropriate access, Hootsuite may provide customers (on a time and materials basis, on request and at Hootsuite’s sole discretion) with copies of relevant log records to allow customers to conduct their own forensic analysis.
- Customer passwords are not logged.
- Hootsuite personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
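As an added example (not Hootsuite's code), the following Python module shows the password-handling rules in the list above in working form: a one-way hash with a fresh random salt per user, verification with a constant-time comparison, the unsalted form for contrast, and an operator-initiated reset that issues a random temporary password flagged as must-change on first use. PBKDF2-HMAC-SHA256 with the iteration count shown is an assumption for this example; the document only says "one-way salted hash" and does not name the algorithm or work factor. No function here writes the plaintext password anywhere, consistent with the rule that customer passwords are not logged.

```python
"""Added example, not Hootsuite's code: salted one-way password storage,
constant-time verification, and a random must-change-on-first-use reset."""
import hashlib
import hmac
import secrets

# Assumed parameters for this example; the document does not state which
# hash function or work factor Hootsuite uses.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so a leaked table cannot be
    cracked with one precomputed (rainbow) table."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def unsalted_digest(password):
    """The weak form, for contrast: with no salt, identical passwords produce
    identical digests across users, and one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Account:
    """Stores only salt, digest and a must-change flag; never the password."""

    def __init__(self, user_id, password):
        self.user_id = user_id
        self.salt, self.digest = hash_password(password)
        self.must_change_password = False

    def verify(self, password):
        _, candidate = hash_password(password, self.salt)
        # compare_digest takes time independent of where the digests differ,
        # so a remote caller cannot learn the digest byte by byte from timing.
        return hmac.compare_digest(candidate, self.digest)

    def reset_password(self):
        """Operator-initiated reset: no human chooses the value. The temporary
        password is random, stored only as a hash, and flagged so the user must
        replace it at first login. It is returned so the caller can deliver it
        to the user (the document says by automated email)."""
        temporary = secrets.token_urlsafe(12)
        self.salt, self.digest = hash_password(temporary)
        self.must_change_password = True
        return temporary

    def change_password(self, old, new):
        """First-use change after a reset, or a normal user-driven change."""
        if not self.verify(old):
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change_password = False
        return True


if __name__ == "__main__":
    alice = Account("u1042", "correct horse battery staple")
    bob = Account("u2077", "correct horse battery staple")
    print("salted digests differ for the same password:", alice.digest != bob.digest)
    print("unsalted digests collide:", unsalted_digest("x") == unsalted_digest("x"))
    temp = alice.reset_password()
    print("must change after reset:", alice.must_change_password)
    print("first-use change accepted:", alice.change_password(temp, "a new passphrase"))
```

The point of the per-user salt is visible in the first printed line: two accounts with the same password hold different digests, whereas the unsalted form collides. The reset path is what the last list item describes: the value is random, only its hash is stored, and the flag forces a change on first use.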
Product Design Security Practices
New features, functionality, and design changes go through a review process facilitated by Hootsuite’s security team. In addition, Hootsuite’s code is tested and manually peer-reviewed prior to being deployed to production. Hootsuite’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.
Incident Management & Response
Hootsuite maintains security incident management policies and procedures. Hootsuite notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Content by Hootsuite or its agents of which Hootsuite becomes aware, to the extent permitted by law.
These security practices apply to the Hootsuite Services defined in your Agreement with Hootsuite, excluding the Hootsuite Ads Services.