Where is my data located?
Our servers are currently dedicated machines hosted by ServerCentral, located in Chicago, IL, USA. ServerCentral leases the hardware to us and assists with hardware fixes and replacements. However, they don't install software and don't have logical access to our machines. (Note that our hosting arrangement may change in the future as we evaluate cloud hosting options.)
We also back up data with both Amazon Web Services and Google Cloud, and both are located in the U.S.
Do you have a SOC2 report to share?
We rely on our server host's audit: ServerCentral is audited under AT-101 SOC 2, covering controls specifically targeted at IT service providers. Because ServerCentral provides only the hardware and facility (see above), that report covers their controls rather than Harvest's own application and operational controls. We can share the audit report after establishing a non-disclosure agreement (NDA).
Do you have a business continuity plan?
We maintain a business continuity plan and a disaster recovery plan. Those documents are reviewed annually, or sooner if major changes occur within the business, and we can share a non-internal version after establishing a non-disclosure agreement.
Do you have an incident response plan?
We maintain a security incident response plan that provides a framework for managing potential computer security incidents in an effective and consistent manner. This document is reviewed at least annually.
Do you have a security questionnaire to share?
We can share an updated security self-assessment questionnaire after establishing a non-disclosure agreement.
Is my data encrypted?
All data is encrypted in transit; all connections use TLS 1.2 or 1.3. Passwords are stored hashed and salted using bcrypt with a work factor (cost) of 12, i.e. 2^12 rounds of bcrypt's key setup. Backups are encrypted with AES-256. Attachments and other file assets are stored encrypted at rest on Amazon S3. Other data is stored securely but is not encrypted at rest.
Do you update your systems?
Our security and operations teams follow current security standards, keep all of our systems updated, and investigate any suspicious activity. If a security issue is discovered, we fix it immediately; security is a top priority. Our security team works daily to improve our security controls and procedures.
Do you have logs? What is the retention policy?
We maintain a central, indexed logging infrastructure and an internal activity log. Application logs (used to assist with Harvest and Forecast support cases) are retained for 90 days.
Do you have a bug bounty program?
Yes, it's hosted on HackerOne. Researchers participating in the program test our systems continuously, which effectively gives us a 24/7 security audit.
Is any data stored outside the U.S.?
No, all of our data is stored within the U.S.
Do you comply with GDPR and are you Privacy Shield certified?
We're committed to our customers' privacy. As a SaaS platform, we offer a number of tools that may assist our customers in meeting their obligations under the GDPR:
- As we always have, we allow customers to access and modify personal information in their accounts, which helps them address data subject access or correction requests they may receive.
- We allow customers to download the data from their account at any time during or at the end of their use of our services.
- We are Privacy Shield certified.
- We offer a data processing agreement (DPA) which aims to help our customers meet their obligations under GDPR.
Are you PCI compliant?
Yes. Harvest has a PCI DSS Merchant Certificate, although we don't store any payment information ourselves.
Is customer data accessible by Harvest employees?
Harvest employees can access customers’ data for troubleshooting purposes. This access is restricted, logged, and monitored.
Are intrusion detection/prevention systems employed?
We don't run a commercial IDS/IPS, but we have in-house alerting on our infrastructure and application logs to detect suspicious activity and anomalies. A member of the operations team is always on call.
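As an added illustration of the kind of log-based alerting described above (this is example code written for this page, not Harvest's own detection logic; the log line format, event names, thresholds and the sample lines themselves are all constructed assumptions), the following sliding-window rule counts failed logins per source IP and raises a higher-severity alert when a success follows a burst of failures from the same address. Alerting like this, rather than account lockout, is the usual way to respond to credential-stuffing attempts without handing attackers a denial-of-service lever.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real Harvest logs). Assumed line format:
#   <ISO-8601 UTC timestamp> <event> <account> <source ip>
SAMPLE_LOG = """\
2019-03-04T10:00:01Z login_failed alice 203.0.113.7
2019-03-04T10:00:09Z login_failed alice 203.0.113.7
2019-03-04T10:00:15Z login_failed bob 198.51.100.2
2019-03-04T10:00:17Z login_ok bob 198.51.100.2
2019-03-04T10:00:20Z login_failed carol 203.0.113.7
2019-03-04T10:00:31Z login_failed dave 203.0.113.7
2019-03-04T10:00:44Z login_failed erin 203.0.113.7
2019-03-04T10:01:02Z login_failed alice 203.0.113.7
2019-03-04T10:01:10Z login_ok alice 203.0.113.7
2019-03-04T11:30:00Z login_failed frank 192.0.2.9
"""


def parse(line: str) -> tuple[datetime, str, str, str]:
    """Split one assumed-format log line into (timestamp, event, account, ip)."""
    ts, event, account, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, ip


def detect(log: str, threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Sliding-window failed-login counter per source IP.

    Emits one 'failed_login_burst' alert when an IP reaches `threshold`
    failures within `window`, and a 'success_after_burst' alert whenever a
    successful login arrives from an IP that is still inside such a burst
    (the signal that a credential-stuffing run may have found a valid pair).
    """
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    alerted: set[str] = set()  # IPs already reported for a burst
    alerts: list[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip = parse(line)
        q = failures[ip]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if event == "login_failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "failed_login_burst", "ip": ip,
                               "count": len(q), "at": ts})
        elif event == "login_ok" and len(q) >= threshold:
            alerts.append({"rule": "success_after_burst", "ip": ip,
                           "account": account, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 203.0.113.7 trips the burst rule on its fifth failure and then triggers the success-after-burst alert when alice's login succeeds; bob's single failure followed by a success is ignored. A production version would key the same counters on account as well as source IP and feed the alerts to whoever is on call.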
Do you perform periodic risk assessments?
We don't perform formal periodic risk assessments, but we do have internal procedures for sensitive data transmission, retention periods, and data classification, and these are re-evaluated from time to time. We also perform a risk assessment whenever a significant change to our service is planned.
How is identity and access managed?
We currently support sign-in via email/password and single sign-on with Gmail and G Suite accounts. Open sessions and identity options can be reviewed in the Security section of Harvest ID.
We also have different access permissions inside the account to manage access. Please see our Help Center article on permissions for details.
Do you support SSO/SAML?
We provide single sign-on via Google for companies using G Suite or individuals using Gmail addresses.
What is your password policy?
We follow NIST SP 800-63-3 (Digital Identity Guidelines) wherever it applies to us. We require a minimum length of 8 characters and provide a password strength estimator to help users choose strong passwords and avoid values found in previous breach corpora, dictionary words, and repetitive or sequential characters. In line with the NIST recommendations, we don't enforce composition rules, keep password history, force periodic expiration, or lock accounts.
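To make the policy above concrete, here is an added example (written for this page, not Harvest's own estimator) of a memorized-secret check in the style of NIST SP 800-63B: a minimum length, a breach-corpus lookup, a dictionary and context-specific word check, and a repetitive/sequential-character check, with no composition rules. The breach list and dictionary are tiny constructed stand-ins; a real deployment would consult a large corpus (for example the Pwned Passwords range API, which needs only the first five hex digits of the SHA-1) and a real word list.

```python
from __future__ import annotations
import hashlib
import re
import unicodedata

MIN_LENGTH = 8

# Constructed stand-ins for the real lists (assumption: a production verifier
# would query a large breach corpus and a full dictionary instead).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "letmein2019", "Summer2018!")
}
# Includes the service name as a context-specific word, as 800-63B suggests.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "harvest"}


def normalize(pw: str) -> str:
    """800-63B: apply NFKC/NFKD before comparing or hashing; count code points."""
    return unicodedata.normalize("NFKC", pw)


def has_run(pw: str, run_len: int = 4) -> bool:
    """True if pw contains run_len identical characters or a straight
    ascending/descending code-point sequence ('aaaa', '1234', 'dcba')."""
    s = pw.lower()
    for i in range(len(s) - run_len + 1):
        window = s[i:i + run_len]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def is_repeated_unit(pw: str) -> bool:
    """True if the whole value is one short unit repeated ('abababab')."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def dictionary_hit(pw: str) -> bool:
    """Check the lowercased value and its alphabetic core ('harvest123' -> 'harvest')."""
    s = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s in DICTIONARY or core in DICTIONARY


def evaluate(pw: str) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately no composition rules, no history and no expiry: only the
    checks 800-63B section 5.1.1.2 asks a verifier to perform."""
    pw = normalize(pw)
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    if dictionary_hit(pw):
        reasons.append("dictionary or context-specific word")
    if has_run(pw) or is_repeated_unit(pw):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery", "1234abcd", "password1", "Tr0ub4dor&3"):
        print(repr(candidate), "->", evaluate(candidate) or "accepted")
```

Note that "Tr0ub4dor&3" and the long passphrase both pass without any uppercase/digit/symbol rule, while "1234abcd" fails despite being 8 characters. One caveat worth keeping in mind: 800-63B's "no lockout" guidance sits alongside a separate requirement (section 5.2.2) that the verifier throttle consecutive failed attempts on an account, so dropping lockout should be paired with rate limiting rather than with nothing.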
Does Harvest own any intellectual property (IP) over our data?
As stated in our Terms of Service in Section 3 Intellectual Property, “You own your content. We do not represent any ownership or claim any intellectual property rights over the information that you provide or that is provided to us.”
What is your release cycle? Could you provide more information on the security patch management process?
Our software release cycle is rapid: we deploy multiple times per day. Security patches for third-party libraries are deployed as soon as they become available, and our operating systems automatically apply all security patches as they are released.