Data Privacy and Security FAQ
Last updated: December 2024
1. Which security frameworks and certifications does HqO follow?
HqO follows industry-recognised frameworks so that its data security practices meet global standards. We are certified under ISO 27001, which covers the confidentiality, integrity, and availability of information. We have also completed a SOC 2 attestation (SOC 2 is an independent auditor's report rather than a certification). To address regional requirements, HqO follows the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. We previously self-certified under the EU-US and Swiss-US Privacy Shield frameworks; since the Court of Justice of the EU invalidated Privacy Shield as a transfer mechanism in July 2020 (Schrems II), we rely on standard contractual clauses for transfers of personal data from the EEA (see question 36). Our approach is also aligned with the NIST Cybersecurity Framework (CSF), and our AI practices are governed by the requirements of the EU AI Act.
2. How does HqO implement encryption for data security?
HqO applies robust encryption standards to protect customer data throughout its lifecycle. Data stored on our systems is encrypted at rest using AES-256. In transit, we use TLS 1.2 or later, which protects data against interception and tampering. Sensitive information sent by email is also encrypted, usually with an additional password on the attachment. These protections extend to backups and logs.
3. How does HqO handle system and event logs?
HqO maintains detailed logs to provide visibility and accountability across its systems. Logs include login attempts, data access events, configuration changes, and system errors. They are encrypted both at rest and in transit. Access to logs is restricted to authorised personnel, and log analysis tooling reviews them in real time for suspicious behaviour or anomalies. Logs are included in routine backups and retained for defined periods to satisfy audit requirements while respecting GDPR's storage limitation principle.
4. What measures are in place to prevent unauthorized access?
Preventing unauthorized access is a core priority for us. We use Role-Based Access Control (RBAC) to limit user permissions to what is necessary for each job role. Access to sensitive systems requires multi-factor authentication, which adds a second layer of identity verification beyond the password.
Administrative accounts with elevated privileges are monitored through Privileged Access Management (PAM) to prevent misuse. Regular access reviews ensure permissions remain appropriate, and unauthorized or non-compliant devices are blocked through JAMF mobile device management (MDM).
5. How does HqO detect and respond to failed access attempts?
Failed access attempts are tracked in real time and flagged for review. After multiple failed login attempts, the affected account is temporarily locked, and an alert is raised through AWS monitoring and posted to Slack for HqO’s security team to investigate. This mitigates brute-force attacks and other unauthorized access attempts. Logged events are also analysed to identify patterns or persistent threats.
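The lockout and alerting behaviour described above, expressed as detection logic over constructed authentication log lines. This is an added illustration, not HqO's code: the JSON event format, the five-failures-in-ten-minutes threshold, and the sliding window are assumptions. It goes slightly beyond the text by also flagging password spraying (one source failing against many distinct accounts), which a per-account lockout alone does not catch.

```python
"""Brute-force lockout and password-spray detection over auth log lines.

Added example, not HqO's code. Event format, field names, thresholds and
the sample log are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

MAX_FAILURES = 5                   # assumed: failures per account before lockout
WINDOW = timedelta(minutes=10)     # assumed: sliding window and lockout duration
SPRAY_DISTINCT_USERS = 5           # assumed: one source IP failing against this many accounts


def parse_line(line: str) -> dict:
    """Parse one JSON auth event with fields ts, user, src_ip, outcome (constructed format)."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines):
    """Return (lockouts, spray_alerts) for an iterable of log lines in time order.

    lockouts:     (user, ts, src_ip) when an account reaches MAX_FAILURES failures
                  inside WINDOW; further failures during the lock do not re-alert,
                  and a successful login clears the account's failure history.
    spray_alerts: (src_ip, ts, sorted_users) when one source IP has failed against
                  SPRAY_DISTINCT_USERS distinct accounts inside WINDOW.
    """
    failures_by_user = defaultdict(deque)   # user -> failure timestamps
    failures_by_ip = defaultdict(deque)     # ip   -> (timestamp, user)
    locked = {}                             # user -> lock expiry
    sprayed_ips = set()
    lockouts, spray_alerts = [], []

    for event in map(parse_line, lines):
        ts, user, ip = event["ts"], event["user"], event["src_ip"]

        # Drop entries that have aged out of the sliding window.
        per_user = failures_by_user[user]
        while per_user and ts - per_user[0] > WINDOW:
            per_user.popleft()
        per_ip = failures_by_ip[ip]
        while per_ip and ts - per_ip[0][0] > WINDOW:
            per_ip.popleft()

        if event["outcome"] == "success":
            per_user.clear()
            continue

        per_user.append(ts)
        per_ip.append((ts, user))

        if len(per_user) >= MAX_FAILURES and (user not in locked or ts >= locked[user]):
            locked[user] = ts + WINDOW
            lockouts.append((user, ts, ip))

        distinct_users = {u for _, u in per_ip}
        if len(distinct_users) >= SPRAY_DISTINCT_USERS and ip not in sprayed_ips:
            sprayed_ips.add(ip)
            spray_alerts.append((ip, ts, sorted(distinct_users)))

    return lockouts, spray_alerts


def make_event(ts, user, ip, outcome):
    """Build one constructed log line."""
    return json.dumps({"ts": ts, "user": user, "src_ip": ip, "outcome": outcome})


# Constructed sample log (documentation addresses and TEST-NET IPs, not real data).
SAMPLE_LOG = [
    # alice fails five times in five minutes from one address -> lockout at 09:04
    *[make_event(f"2024-12-01T09:0{i}:00", "alice@example.com", "203.0.113.7", "failure") for i in range(5)],
    # a sixth failure while locked must not raise a second alert
    make_event("2024-12-01T09:05:00", "alice@example.com", "203.0.113.7", "failure"),
    # one address fails once each against five accounts -> spray alert, no lockouts
    *[make_event(f"2024-12-01T09:1{i}:00", u, "198.51.100.9", "failure")
      for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])],
    # later success clears alice's failure history
    make_event("2024-12-01T09:30:00", "alice@example.com", "203.0.113.7", "success"),
]

if __name__ == "__main__":
    found_lockouts, found_sprays = analyze(SAMPLE_LOG)
    for user, ts, ip in found_lockouts:
        print(f"LOCKOUT {user} at {ts.isoformat()} from {ip}")
    for ip, ts, users in found_sprays:
        print(f"SPRAY   {ip} at {ts.isoformat()} against {users}")
```

The detector only observes and alerts; enforcing the lock belongs to the authentication service itself. In production the same windows would be keyed on a real time source and the two alert streams routed to the on-call channel, and the per-IP view should be treated with care behind NAT or a CDN, where one address can legitimately carry many users.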
6. What anti-malware measures does HqO use?
HqO protects its systems against malware through JAMF-managed endpoint protection, configured for threat detection, automatic updates, and regular scans. JAMF enforces endpoint security policies on managed devices, including mandatory installation of approved anti-malware software and restrictions on unauthorized applications. Regular audits of device configurations further strengthen protection.
7. How are vulnerabilities in HqO’s systems addressed?
HqO actively identifies and mitigates system vulnerabilities through regular vulnerability scanning, penetration testing, and prompt patch management. Vulnerability scans identify weaknesses like unpatched software, misconfigurations, or outdated protocols, while penetration testing simulates attacks to evaluate the system’s resilience. When vulnerabilities are discovered, they are prioritized based on risk severity and promptly resolved through updates or configuration changes.
8. How does HqO secure physical infrastructure?
Physical infrastructure, including office spaces and data centers, is secured with advanced access controls and surveillance. Access to HqO offices and server rooms is limited to authorized personnel and requires badge systems or biometric authentication for entry. Security cameras monitor sensitive areas, and all access attempts are logged. HqO’s data hosting is managed in AWS data centers, which meet Tier 3 or higher standards for physical security.
You can find further information on AWS data centres here.
9. How does HqO secure third-party relationships?
All third-party integrations undergo our security risk assessment, which applies our own security and privacy standards.
We evaluate vendors before onboarding them, reviewing their certifications, data handling practices, encryption protocols, and security policies. Data exchanged with vendors is encrypted using TLS, and legal agreements define their obligations to protect customer data.
When we disclose your personal data to third parties, we take reasonable measures to ensure that the rules set out in our Privacy Policy are complied with and that these third parties provide sufficient guarantees to implement appropriate technical and organizational measures to protect your personal data.
Vendors are required to sign data protection agreements outlining their responsibilities for securing client data. Regular audits are conducted to ensure ongoing compliance with our policies as well.
Those audits are built on the six NIST CSF functions: Govern, Identify, Protect, Detect, Respond, and Recover. Within these six functions, 22 categories and a total of 106 subcategories (individual security controls) are defined. The NIST CSF maps directly to ISO 27001, the compliance framework used within our environment to develop, implement, and maintain our Information Security Management program.
For further information, you can request our Information Security Management policy.
10. How are logs retained for compliance and security purposes?
HqO retains system logs for extended periods to meet auditing and compliance requirements under frameworks such as GDPR and SOC 2. Logs are securely stored with encryption and are backed up regularly to prevent data loss. Retention periods are defined based on the type of log (e.g., security, event, or transaction logs).
11. What types of personal data does HqO collect?
HqO collects personal data necessary for the platform, including names, email addresses, work locations, and optional avatars. Additional data, such as location, is collected only when required for customer-enabled integrations, like workspace analytics or building access systems.
12. How is personal data anonymized for analytics?
HqO removes all personally identifiable information (PII) during the data anonymization process. Aggregation techniques are applied to group individual data points into collective insights. For example, workspace occupancy metrics are anonymized and aggregated to show usage trends without exposing individual behaviors. This ensures compliance with GDPR and CCPA regulations.
13. How does HqO comply with GDPR?
HqO’s GDPR compliance is embedded into our data collection, processing, and storage practices. Data minimization ensures that only the necessary data is collected, while users retain the rights to access, correct, and delete their data. We conduct regular Data Protection Impact Assessments (DPIAs).
Please see below an overview of our data compliance approach:
HqO complies with GDPR and CCPA and with industry standards such as ISO 27001:2022 and SOC 2 (report available on request);
We encrypt data in transit and at rest, and follow the data minimisation principle: we only collect, store, and process the personal data that is adequate and relevant to deliver our service, such as name, work email address, and main work location;
HqO uses Amazon Web Services (AWS), hosted in the Ireland region for our European operations. AWS holds extensive certifications and complies with regulations including GDPR; please see here for further information;
We perform penetration testing on our application and infrastructure at least annually;
Clients remain the Data Controllers;
All data we surface back to the customer in reports / analytics are anonymised and aggregated, never person-level, per our privacy policy;
As a security measure for the users, users are unable to see other users within the mobile application by default;
Each user is in control of their information (e.g., their password, their avatar, etc.) as well as their notification preferences. Users can disable certain types of notifications, while keeping others enabled. They can also unsubscribe.
14. How does HqO’s user preferences function and how are they managed?
Each user is in control of their information (e.g., their password, their avatar, etc.) as well as their notification preferences. Users can disable certain types of notifications, while keeping others enabled. These preferences are managed on the user’s Settings screen within the application.
Preferences are stored in our database; aggregated data used for statistics is anonymized.
15. Why is there a need for Location services to be switched on to use Mobile Access?
Depending on the access-control provider, Location Services are used to improve the reliability of the app’s communication with a reader. HID recommends that Location Services be set to 'Always'; without this, the app must be open in the foreground to function.
16. Can users request data deletion?
Yes, HqO supports user requests for data deletion in accordance with GDPR and CCPA. Users can contact support to request the removal of their personal data, which is processed promptly. Deletion is performed securely to ensure no residual data remains.
You can request it here.
17. Does HqO keep customer information after termination?
By default, we purge the customer’s data, including its users’ data, after termination. Customers may ask us to retain the data, but written authorization is required.
18. How does HqO ensure backups and disaster recovery?
HqO performs regular backups using AWS native tools to create encrypted snapshots of its systems.
Backups are stored across multiple AWS regions, ensuring resilience against data loss during regional outages.
The only part of the system architecture that stores state is the MySQL database. We use a read replica in a separate AWS availability zone (AZ). Our infrastructure, app deployment, and connected services are all provisioned with code. This code is exercised constantly when we stand up “sandboxes” that mimic production. We also stand up a mirror of production regularly, to test “creating production from scratch”.
The Disaster Recovery Plan (DRP) includes routine testing, including the rebuild-from-code exercise described above, to validate recovery procedures and ensure that critical systems and data can be restored promptly during emergencies.
19. How is business continuity managed?
HqO’s Business Continuity Plan (BCP) is designed to minimize disruption during incidents like system failures, cyberattacks, or natural disasters. Key measures include geographically redundant systems, trained response teams, and predefined communication protocols to inform stakeholders.
Services run on geographically distributed AWS infrastructure, allowing operations to continue during localized outages. Response teams, including Incident Response, Engineering, IT, and Communications, handle issues and provide updates through Slack, email, and the HqO Status Page. Regular drills and simulations test procedures, identify weaknesses, and improve processes. The plan defines roles for each team, ensuring clear accountability during incidents.
Customer Success teams directly engage clients, offering updates, managing concerns, and addressing specific needs.
Post-incident reviews analyze outcomes to refine future strategies.
20. How are production, testing, and development environments separated?
HqO maintains strict segregation between production, testing, and development environments. Each environment is hosted on distinct AWS accounts, preventing accidental mixing of data or systems. Sensitive production data is never used in testing or development environments unless it has been anonymized.
Access to these environments is restricted to authorized personnel, with activities logged for auditing purposes.
Production infrastructure access is restricted to a select few individuals and is isolated from other environments using a separate AWS account for production. Deployments are tested in staging and executed by 'bot' accounts. PII-scrubbed log data from production is used for post-mortem analysis.
21. Describe HqO’s response model for bug tickets
Prior to an app release, we run both manual tests (by way of internal process, plus a third-party service) and automated tests (unit, e2e, functional) over the codebase. Post-deployment, we rely on our logging and monitoring software (Datadog, Rollbar) to catch bugs in the field.
When a bug is found by a user in the field that was not "caught" by our process (as outlined in our Software Development Lifecycle policy), which is inevitable, users within the application are encouraged to send us an email at support@hqo.co, which creates a new issue in Zendesk (our ticket management system). A tenant experience teammate is assigned to the issue for triage.
If they determine that the issue is in fact a bug, they can automatically create a ticket from Zendesk directly in Jira (our project management system). When a new bug comes into Jira, our product team's senior staff are alerted (Slack/email). Based on the bug's impact and likelihood, they determine the priority of the bug and what resources are needed to solve it.
For high-priority issues, the product team will move the issue to the top of the engineering queue for resolution ASAP. Once an engineer has a fix for the bug, the bug is tested using our automated tests on a staging environment. Once it passes there, the engineering team needs sign-off from a Senior to push this bug fix into production immediately.
22. Describe the process for minor feature requests?
Individuals with minor feature requests start by having a conversation with our tenant experience and product teams to draw up next steps and costs, if applicable. During this conversation, the feature goals are discussed. Next, the product team provides several options for the execution of the minor feature, with timeframe and cost estimates. Although the definition of "minor" is subjective, as a general rule minor feature requests can be delivered in four weeks (two engineering sprints: one for discovery, documentation and planning, one for building).
23. What encryption methods are used for data transmission and storage?
HqO encrypts all data transmitted between systems and endpoints using TLS (Transport Layer Security) protocols, which prevent interception or tampering during communication. For stored data, HqO uses AES-256 encryption, one of the most robust encryption standards available. These encryption methods extend to backups, ensuring that data is secure during both active use and storage.
24. How are communication tools like Slack and file sharing platforms secured?
HqO uses Slack as an internal communication tool, with strict controls to protect sensitive conversations. Sensitive data shared within Slack is encrypted, and user access permissions are carefully managed. For file sharing, we rely on Google Workspace, where access is controlled through permissions and monitoring. External file sharing is secured with password-protected and encrypted files. Logs of communications and file-sharing activities are retained for auditing, always respecting compliance.
25. How does HqO ensure secure data disposal?
HqO follows strict procedures for securely disposing of sensitive data. For digital data, secure deletion tools are used to overwrite files, making sure they cannot be recovered. Physical media, such as hard drives, are destroyed using shredders or other approved methods. Most removable media devices are forbidden. These processes comply with ISO 27001 and GDPR requirements. Electronic documents are purged when they reach the end of their retention life span. Customer data is disposed of through automated or manual scripts that perform a full hard delete. Printed material is shredded before disposal. Former employees' business emails are securely disposed of after 12 months of inactivity. Disposal is suspended during litigation or claims until authorized by management and legal counsel.
26. How are privileged accounts managed?
Privileged access is assigned to separate user IDs from normal business use. Access must be approved by the Director of Production Operations & IT or an authorized designee. Requests for privileged access require a formal statement of need and manager submission. Access is periodically reviewed, and monitoring procedures are in place to detect inappropriate activities.
27. How does HqO protect against insider threats?
To mitigate insider threats, HqO enforces strict access controls through RBAC, monitors user activity via detailed logs, and provides regular training on ethical and secure behavior. Alerts are triggered for unusual activity, such as unauthorized data access or downloads, and immediate action is taken to investigate and remediate risks.
28. How are security audits performed?
HqO conducts regular security audits to evaluate the effectiveness of its controls. These audits include internal reviews, vulnerability scans, and external assessments by independent auditors. The findings are documented, and remediation plans are implemented to address identified gaps.
29. How are employees trained on security practices?
HqO provides mandatory security training for all employees, covering topics such as phishing awareness, password management, data protection, and reporting suspicious activity. Training is updated regularly to reflect emerging threats and regulatory changes. Employees also receive specialized training for tools like Slack, Google Workspace, and endpoint security platforms.
30. How are mobile devices secured?
HqO enforces its Mobile Device Management (MDM) Policy using tools like JAMF, which ensures that all mobile devices comply with security configurations, including encryption, password protection, and remote wipe capabilities. Unauthorized applications or non-compliant devices are restricted from accessing company systems.
31. How does HqO respond to data breaches?
In the event of a data breach, HqO follows its Incident Response Plan, which includes immediate containment of the breach, identification of impacted systems, and mitigation of further risks. HqO has a list of primary contacts for each customer. We notify customers via email and phone, if available, per our Service Level Agreement (SLA), as detailed by our Incident Response policy. Lessons learned are used to strengthen defenses and prevent similar incidents in the future.
32. How does HqO secure API communications?
All API communications within HqO’s systems are encrypted using TLS, ensuring that data exchanged between applications is protected from interception. API endpoints are authenticated using secure tokens, and rate limiting is applied to prevent abuse or denial-of-service attacks.
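The two application-layer controls named above, token authentication and rate limiting, as an added worked example that is not HqO's code. The token format (an HMAC-SHA256-signed payload with an expiry), the signing key, the per-client limits, and the order of checks are all assumptions chosen for illustration; TLS is assumed to terminate in front of this code.

```python
"""Bearer-token verification and per-client token-bucket rate limiting.

Added example, not HqO's code. Token format, key, and limits are assumptions.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"demo-key-not-for-production"   # assumed server-side secret
RATE_PER_SEC = 2.0                             # assumed sustained requests/second per client
BURST = 5                                      # assumed bucket capacity


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, ttl_seconds: int, now: float) -> str:
    """Mint '<payload>.<sig>' where sig = HMAC-SHA256(key, payload)."""
    payload = json.dumps({"sub": client_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(sig)}"


def verify_token(token: str, now: float):
    """Return the client id, or None if the token is malformed, tampered with, or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = unb64url(payload_b64), unb64url(sig_b64)
    except ValueError:          # wrong number of parts or bad base64 (binascii.Error)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


class TokenBucket:
    """Classic token bucket: refills at `rate` per second up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


BUCKETS = {}   # client id -> TokenBucket (in-memory; a shared store is needed across replicas)


def handle_request(authorization_header: str, now: float) -> int:
    """Return an HTTP status: 401 for missing/invalid token, 429 when rate limited, 200 otherwise."""
    if not authorization_header.startswith("Bearer "):
        return 401
    client = verify_token(authorization_header[len("Bearer "):], now)
    if client is None:
        return 401
    bucket = BUCKETS.setdefault(client, TokenBucket(RATE_PER_SEC, BURST))
    return 200 if bucket.allow(now) else 429


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("integration-a", ttl_seconds=60, now=t0)
    print([handle_request("Bearer " + tok, t0 + 1) for _ in range(6)])   # five 200s, then 429
    print(handle_request("Bearer " + tok, t0 + 61))                       # 401: expired
```

Authentication runs before the rate limiter so that buckets are keyed on a verified client identity and cannot be polluted by forged tokens; an unauthenticated flood still needs a separate per-source limit at the edge, and a real deployment would back `BUCKETS` with a shared store such as Redis rather than process memory.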
33. What is the policy on user authentication?
User authentication is secured through multi-factor authentication and strong password requirements policies. Passwords must meet complexity requirements and are required to be updated periodically. For high-risk systems, additional identity verification steps, such as biometric authentication, may be required.
34. How does HqO manage access reviews?
Access reviews are conducted quarterly to ensure that users have appropriate permissions based on their roles. Any accounts with excessive or unnecessary access rights are flagged and adjusted. These reviews maintain the principle of least privilege and minimize the risk of unauthorized access. The physical access review process includes:
Obtaining an access control list from the People Team, which includes all individuals with access to the premises.
Reviewing the list to confirm that users have access only to areas necessary for their job functions.
Verifying that all access cards are active and not reported lost or stolen.
Documenting any issues or concerns identified during the review.
35. How is sensitive customer data protected during transit?
Sensitive customer data in transit is encrypted using TLS, so that it cannot be read or tampered with during communication between systems. Additional measures, such as secure HTTP headers and strict authentication, are applied to safeguard data during transfers. At rest, customer data is encrypted using AES-256, and access to encryption keys is restricted to authorized personnel through role-based access controls.
36. How does HqO handle client concerns about data residency?
HqO ensures that data residency requirements are met by hosting customer data in specified AWS regions. For customers in the EU, data is hosted in Europe to comply with GDPR’s data residency requirements. Similar practices are followed for customers with region-specific preferences.
On 4 June 2021, the European Commission issued modernised standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Consequently, we rely on standard contractual clauses for transfers of personal data from the EEA.
37. How is privileged session activity monitored?
Privileged session activity is logged in real-time, with alerts triggered for unusual behaviors, such as accessing unauthorized files or modifying system configurations. These logs are encrypted and reviewed regularly to ensure compliance with security policies.
We support different access levels for both app and admin users. On the app side, users can be assigned permissions to restrict access to specific utilities, integrations, or content using audiences. For admin users, access to the admin portal is provisioned by roles. These include User Admins, who manage users and authorizations; Managers, who handle company settings, apps, and technologies; Operators, who operate apps and technologies; Programmers, who manage content and short-term services; and Viewers, who can access reports, analytics, and documentation without editing. We also build and maintain SCIM capabilities to map roles from identity providers like Okta, making role assignments seamless and efficient.
38. How are internal applications secured?
Internal applications are developed following secure coding practices, with regular code reviews and security testing. Our Software Development Lifecycle and Change Management policies outline how our product is deployed. At a high level, any new code is documented and reviewed by at least two engineers. Automated tests (including unit tests and linting) run on each code push.
Functional and integration tests run when code is merged into staging branches. After the code is deployed to staging, smoke tests are executed. Tools scan for vulnerabilities continuously, and patches are deployed for identified risks.
In addition, we perform extensive manual testing (internally and using a third-party service) on production release candidates to identify regressions.
39. What frameworks guide HqO’s risk management?
HqO’s risk management practices are guided by the NIST Cybersecurity Framework (CSF), which outlines processes for identifying, assessing, and mitigating risks. Annual risk assessments evaluate vulnerabilities, and findings are addressed through remediation plans.
40. How are third-party integrations monitored post-deployment?
Post-deployment, third-party integrations are monitored through continuous logging and periodic reviews. The bug-handling process described in question 21 applies: users report issues via support@hqo.co, creating Zendesk tickets that are triaged and escalated to Jira; high-priority bugs are resolved as soon as possible after VP of Engineering approval, and fixes are tested in staging before deployment to production. Any change to an integration is reassessed to ensure ongoing compliance with HqO’s security standards.
41. How does HqO ensure secure email communication?
Sensitive email messages are encrypted (see question 2). Our Google Workspace Gmail accounts provide encryption in transit and at rest, phishing detection, and data loss prevention (DLP). We also use anti-phishing measures, such as link scanning and domain monitoring, to prevent fraudulent emails from reaching users.
42. How does HqO ensure uptime and system availability?
HqO employs a read-replica database architecture across separate AWS availability zones, with infrastructure and services provisioned through code. Load balancing and auto-scaling keep the platform responsive during high-demand periods.
43. How does HqO secure backups?
Backups are encrypted during creation and storage, ensuring data remains secure at all times. Routine testing of backup restoration procedures validates their integrity and readiness for emergencies. Database snapshots are taken every five seconds and full backups are retained for 30 days. If a security incident arises, snapshots and relevant logs are captured and preserved for auditing purposes, as per our Back-up Management and Incident Response policies.
44. Who can we contact if we have any further questions?
If you have any questions about the information practices of the HqO Services described above, please email privacy@hqo.co.