At HiBob, we take security very seriously – just ask the 3000 companies that trust us with their HRIS processes. The highest information security and privacy standards are part of our product and our company’s integrity:
As a SaaS company, we work tirelessly to meet the ideal security standards to protect our customers from security vulnerabilities.
Security compliance
Our certificates and resources are available upon request. Some of these assets may require an NDA. All options are below:
Resources available:
Resources subject to an NDA
We should look at two types of parties that can get access to your data:
You and your staff – your staff will have access to the data per data access credentials that you will provide them. You can control who can view, edit, upload and download any information or document based on his/her role credentials.
Our staff – a small number of periodically trained authorized Bob personnel can gain access to your data. Any Bob team member doing so will be performing specific (audited) tasks on your request via our support desk and after receiving your consent.
Our data centers backup all the data in Bob at least once a day. The data is fully restorable for disaster recovery purposes. However, we recommend periodically backing up your data in your HRIS system based on our scheduled reports or through our API.
Your data is stored in the following ways:
Facilities
HiBob hosts Bob data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about compliance at AWS.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and, ultimately, your data. Learn more about Data Center Controls at AWS.
On-Site Security
AWS on-site security includes several features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.
Data Hosting Location
HiBob uses AWS data centers in Ireland (main) and Germany (backup).
HiBob protects your data with a secure network and other multiple security protection and technology measures, including:
Dedicated Security Team
Our globally distributed security team is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected using key AWS security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones.
Network Vulnerability Scanning
Network security scanning gives us deep insight so we can quickly identify out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program done each year, HiBob employs third-party security experts to perform a broad penetration test across the HiBob production and corporate networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM alerts on triggers that notify the security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
The Bob application ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
HiBob participates in several threat intelligence-sharing programs. We monitor threats posted to these networks and act based on risk.
Logical Access
Access to the HiBob production network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our CS Team. Employees accessing the Bob production network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing operations, network engineering, and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with HiBob UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and HiBob is secure during transit.
Encryption at Rest
Bob data is encrypted at rest in AWS using AES-256 key encryption. In general, our data encryption has two layers:
Only a select few people have access to the database and the KMS for maintenance purposes and, of course, are bound by extreme legal and security safeguards (such as confidentiality and non-disclosure provisions, permission management, etc.).
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing activities. Our DR location is AWS Frankfurt.
Secure Code Training
Annually, engineers participate in secure code training covering OWASP’s top 10 security risks, common attack vectors, and HiBob security controls.
Framework Security Controls
HiBob leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP’s top 10 security risks. These inherent controls reduce the exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.
Separate Environments
Testing and staging environments are logically separated from the production environment. No Bob data is used in our development or test environments.
Vulnerability Management Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously scan our core applications against the OWASP’s top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Static Code Analysis
The source code repositories for our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, HiBob employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Bug Bounty Program
Through our partnership with Bugcrowd, our Bug Bounty Program gives security researchers and customers an avenue for safely testing and notifying HiBob of security vulnerabilities.
Here are some of the additional security measures we use:
Authentication Options
Customers can enable native HiBob authentication and/or Enterprise SSO for end-user authentication.
2-Factor Authentication (2FA)
HiBob recommends integrating with enterprise SSO 2-factor (2FA) authentication.
Role-Based Access Controls
Access to data within Bob applications is governed by role-based access control (RBAC) and can be configured by the Bob admin to define granular access privileges as needed.
Policies
HiBob has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to HiBob information assets.
Training
All employees attend security awareness training sessions which are given upon hiring and annually after that. All engineers receive additional sessions for secure code training. The security team provides further security awareness updates via email, blog posts, and presentations during internal events.
Reference Checks
HiBob performs reference checks on all new employees per local laws.
Confidentiality Agreements
All new hires and contractors are required to sign Non-Disclosure and Confidentiality Agreements.