Humi Security

High Availability AWS Infrastructure

Humi leverages Amazon Web Services (AWS) to deliver a scalable cloud computing platform designed for high availability and dependability.

AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24x7.

AWS enables Humi to ensure secure transactions between separate data and software applications, data replication across multiple physical data center locations, and to obtain and configure capacity with minimal friction.

Network Security

AWS provides several security capabilities and services to increase privacy and control network access. Humi uses:

  • Built-in firewalls that allow control over network access
  • Encryption in transit with TLS across all services
  • DDoS mitigation technologies

Physical Security

Humi’s data centers are co-located in some of the most respected datacenter facility providers in the world. Humi leverages all of the capabilities of these providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our datacenter facilities includes but is not limited to:

  • 24/7 Physical security guard services
  • Physical entry restrictions to the property and the facility
  • Full CCTV coverage externally and internally for the facility
  • Biometric readers with two-factor authentication
  • Facilities are unmarked as to not draw attention from the outside
  • Battery and generator backup
  • Generator fuel carrier redundancy
  • Secure loading zones for delivery of equipment

Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.

Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.

Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.

Access Monitoring

Humi leverages AWS CloudWatch to enable continuous monitoring of our production environments. Our logging includes system actions as well as access and commands issued by our system administrators.

Logs are reviewed to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.

Audit Logging

All database transactions are logged using a user identification number, IP address, timestamp, and information about the action performed.

Employee Access

Humi leverages AWS IAM access control management when issuing access to all environments. The keys that AWS uses are 2048-bit SSH-2 RSA keys and are regarded as an industry standard. Humi implements internal processes for issuing and recalling keys from authorized employees.

Data Transmission and Storage

All data is encrypted in transit with TLS, using a 2048-bit key, signed using the SHA256 RSA industry standard algorithm. Data at rest (residing in our data centers) is encrypted using the industry standard AES-256 algorithm. All data is stored securely on servers located in Canada, and meets Canadian data compliance requirements for certain industries such as the financial and public sectors.

Snapshot and Backup Security

Humi retrieves, encrypts, and stores hourly backups of our production data storage systems. These backups reside within our data centers for security and compliance purposes.

Attestations and Certifications

All AWS data centers meet and exceed the strictest of certification and compliance laws. These include:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC2
  • SOC3
  • FISMA, DIACAP , and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3

Application Development

Humi employs SDLC practices combined with internal controls to give users peace of mind. Developers run a battery of tests against all change requests spanning multiple environments to ensure consistency and backwards compatibility.

Release management and deployment is driven through an AWS Pipeline architecture, ensuring the ability to back out of changes at any point. Token based authentication provides Humi administrators total control over access and access expiry.

Service Level Agreements

Humi has service level agreements in-place with our infrastructure and monitoring vendors. AWS provides a 99.99% uptime guarantee across all services and applications that Humi leverages.

Financial Transactions

Humi uses Stripe as our credit card storage and processing vendor. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services.

Humi Payroll partners with a leading Canadian Schedule I bank for payment processing.

Last Updated: January 18, 2022