Security Policy

Humanloop is committed to securing data, eliminating system vulnerabilities, and ensuring continuity of access. Humanloop uses industry-leading technologies and services to secure data from unauthorised access and loss.

Security processes and controls are owned by Humanloop’s Chief Technology Officer and are maintained by the engineering & operations teams.

All Humanloop employees undergo background checks before starting and are trained on security practices during company onboarding and on an annual basis.

Services covered

This document summarises the security controls applicable to the Humanloop platform, which is made up of the web application (https://app.humanloop.com/), the API and the SDKs. This represents the total surface area of the platform. More detailed documentation describing the platform can be found here.

Related documents

As part of Humanloop’s security program, other related documents are:

1. Terms of Service
2. Website Terms of Use
3. Privacy Policy
4. List of Subprocessors

Infrastructure

Humanloop is a cloud first platform and leverages Amazon Web Services (AWS) as the chosen cloud provider for production workloads:

• Humanloop inherits the data center controls as outlined by AWS. Information about security audits received by AWS is available from the AWS security website.
• A single instance of the Humanloop platform is provisioned in a single environment that is fully contained within its own secure virtual private cloud (VPC) with a firewall configuration that adopts the position of least privilege.
• The production environment is located within multiple availability zones within the US East region.
• Humanloop is the assigned administrator of the AWS infrastructure and only designated authorised Humanloop team members have access to change infrastructure configuration on a least privilege, as needed basis. Two-factor authentication within the virtual private network is required.
• Any specific private keys required by the platform are stored in a secure and encrypted location.

Data controls

Segregation

Separate environments are provisioned and maintained for the purposes of development, quality assurance/user acceptance testing and production, to ensure data segregation at the environment level.

Each environment contains a multi-tenant architecture that provides effective logical data separation for different clients via specific organization and team identifiers, with a roles-based-access control application layer.

Classification

All platform data received from the user and data derived from user data is classified as sensitive. All platform audit and telemetry data that does not contain PII and reference to specific user data is classified as not sensitive.

By default, only authenticated users can see their own sensitive data and data classified as not sensitive can be accessed by dedicated Humanloop support staff using a secure VPN connection to the private network of the VPC for the target environment. The purpose of this access is to debug issues and help improve the performance of the system. The Terms of Service define further details around data ownership and access on a case by case basis.

Encryption

Best practices around encryption are followed. All data in transit is be secured with TSL/SSL and all data at rest is encrypted using the AES-256 algorithm. All encryption keys are managed using AWS Key Management Service (KMS) as part of the VPC definition.

Storage, retention and backups

All platform data is stored in a primary database server with multi-availability zone replication. Platform data is retained indefinitely and backed up daily in a secure and encrypted manner until a request is made from the contractual owners of that data to remove it and in accordance to GDPR guidelines. Humanloop’s Terms of Service defines the contractual owner of the user data and data derived from the user data. A semi-automated disaster recovery process is in place to restore the database to a specified point in time backup as and when required.

Data breaches

Any data breaches will be communicated to all impacted Humanloop users and partners within 24 hours, along with consequences and mitigations. Breaches will be dealt with in accordance with the Humanloop data breach response policy, which is tested annually.

Return of user data

Within 30 days post contract termination, users can request return of their data and derived data (as defined by the Terms of Service). Humanloop provides this data via downloadable files in comma separated value (.csv) or .json formats.

User authentication

All users of the web application require a valid email address and password to use the system:

• Email addresses are verified on account creation.
• Passwords are verified as sufficiently complex.
• Passwords are stored using a one-way salted hash.
• User access logs are maintained including date, time, user ID, relevant URL, operation performed and source IP address for audit purposes.

All users of the API are required to authenticate with a unique API token header:

• Follows the OAuth 2.0 pattern.
• API tokens are only visible once on creation and then obfuscated.
• Users can manage the expiry of API keys.
• API token access logs are maintained including date, time, user ID, relevant URL, operation performed and source IP address for audit purposes.

Third party services

The Humanloop platform makes use of third party services primarily for hosting and analytics which are detailed further in the List of Subprocessors.

Audits and certifications

1. Humanloop is regularly penetration tested (3 times a year) by an external CREST approved penetration test provider to minimise the risk of platform vulnerabilities that would breach controls. For testing, Humanloop provides the agency with an isolated clone of a Humanloop environment with documentation. No user data is exposed during this process.
2. Humanloop runs continuous security scanning on all externally facing resources as well as automatic dependency vulnerability checking on source code.
3. Humanloop is currently in the process of attaining SOC-2 compliance status, with estimated time of completion for SOC-2 Type 1 at the end of Q2 2023 and SOC-2 Type 2 at the end of Q3 2023 (with the option to expedite if necessary).

Training

All new employees receive onboarding and systems training. This includes environment and permissions setup, security policies review and values and ethics training. All policies that are provided to employees are reviewed once a year to ensure they kept up to date.

Application development lifecycle

Humanloop has continuous integration and deployment - all code changes are committed, tested and deployed in an automated fashion. Our continuous deployment process includes a pull request review process, continuous integration with automated testing and automated security vulnerability checks. This process decreases the likelihood of security issues and improves the SLA for resolving any vulnerabilities found.

All engineering resources operate in accordance with OWASP guidelines when prioritising security related issues, with high priority security related issues resolved immediately. Release notes for Humanloop are provided by the public changelog.

Policies maintained

In general the types of controls in place for the platform are:

• Physical access controls
• System access controls
• Data access controls
• Transmission controls

Humanloop maintains the following internal security policies that detail the controls:

• Information security policy
• Information security roles and responsibilities
• Asset management policy
• Access control policy
• Data management policy
• Operations security policy
• Human resources security policy
• Physical security policy
• Risk management policy
• Third-party management policy
• Cryptography policy
• Business continuity and disaster recovery plan
• Incident response plan
• Secure development policy

Last updated: 12 May 2023