International Stress Awareness Week 2nd - 6th November 2020 Learn more ›
Platform
Solutions
Happiness Lab

Security statement

About this document

This security statement applies to the products, services, websites and apps, collectively referred to as “services” offered by Happiness Lab. We value the trust that you place in us by letting us act as custodians of your data and take our responsibility to protect and secure your information seriously and aim for complete transparency around our security practices.

Encryption

We encrypt your data in transit using secure TLS cryptographic protocols. All connections to our services are via TLS 1.1 and above and we support forward secrecy and AES-GCM. We prohibit insecure connections, as well as secure connections attempting to use TLS 1.0 and below or RC4, as these are widely considered to also be insecure. Protocols and Cipher Suites for encryption used by our services are regularly reviewed to be in line with industry best practices.

Data Centre and Infrastructure

Our services are hosted in the UK with our servers benefitting from hardware and software firewall protection located in ultra-secure, ISO 27001 accredited data centres. The infrastructure our servers are on is monitored and maintained on a 24-7-365 basis with regular threat scans and analysis as well as penetration testing on core infrastructure. Encrypted backups are taken nightly of all data to an alternative UK based data centre location with backups being stored for up to six months. Access to our servers is heavily limited and restricted, only available from specific locations and connections with privileges granted on a need to know basis, with least privileges required.

Development

Our development teams strive to adhere to best practices and secure coding techniques. Including, but not limited to, using the highly regarded OWASP Top Ten as the most effective guide to critical security risks for web applications. We run and maintain separate environments for development, testing and production. Updates are not made available to the production environment without first going through development and testing environments. We make use of a git revision control system to maintain the source code for services which allows for tracking of and reviews of all code changes before deployment to any environment. This also allows us the ability to “cherry pick” important/critical updates and accelerate them to our production servers. Access to source code is maintained on a need to know basis with least privileges required.

Logging and Monitoring

Our services and infrastructure have multiple levels of logging and audit information systems in place for both security and quality of service purposes. Our logs are actively monitored and analysed for abnormal pattern and unauthorised access attempts, as well as to maintain performance levels and in support of troubleshooting efforts. Access to this information is strictly limited and where possible only retained for up to 6 months.

Email

All emails that are sent from our services are done so using Sendgrid, an independent company specialising in the delivery of transactional emails. We can guarantee that all emails leaving our services are free from viruses and spyware, however as messages are then relayed through multiple further servers to reach the intended recipient, we would recommend that as with all emails, they are scanned upon arrival to a company network. This will be the case for any email from any user to any network and all providers should scan email before delivering to a user account.

Your Account

We provide our clients with control of their own users and their data. As such it is important for clients and their users to practice good security practices by using strong account passwords and where necessary, restricting user accounts access and permissions to aid in keeping your data secure. We can guarantee that all emails leaving our services are free from viruses and spyware, however as messages are then relayed through multiple further servers to reach the intended recipient, we would recommend that as with all emails, they are scanned upon arrival to a company network. This will be the case for any email from any user to any network and all providers should scan email before delivering to a user account.

If you need further help or have any questions about this document or Happiness Lab in general, please get in touch: info@happinesslab.com, +44 (0)1285 860359