Security FAQ

Where is my data located?

All our infrastructure is hosted by Google Cloud and all data is located in the U.S. We also back up data with Amazon Web Services, also located in the U.S.

Do you have a SOC2 report to share?

We rely on our server host’s audit, and they are SOC 2 compliant. The SOC 2 Audit report can be downloaded from their compliance reports manager site.

Do you have an incident response plan?

We maintain a security incident response plan to provide a framework to ensure that potential computer security incidents are managed in an effective and consistent manner. This document is reviewed at least annually.

Is my data encrypted?

All data is encrypted in transit, and all connections use TLS 1.2/1.3. Passwords are stored hashed and salted using bcrypt with a work factor (cost) of 12. Backups are encrypted at rest using the AES-256 cipher. Attachments and other file assets are stored encrypted at rest on Amazon S3.

Do you update your systems?

Our security and operations teams follow current security standards, keep all our systems updated, and investigate any suspicious activity. If a security issue is discovered, we fix it immediately; security is a top priority. Our security team works daily to improve our security controls and procedures.

Do you have logs? What is the retention policy?

We keep a central, indexed logging infrastructure and an internal activity log. Application logs (used to assist with Harvest and Forecast support cases) are retained for 90 days.

Do you have a bug bounty program?

Yes, it’s hosted on HackerOne. We are under a 24/7 security audit performed by the people participating in the program.

Is any data stored outside the U.S.?

No, all of our data is stored within the U.S.

Do you comply with GDPR?

We’re committed to our customers’ privacy. As a SaaS platform, we offer a number of tools that may assist our customers in meeting their obligations under the new GDPR regulations:

  • As we always have, we allow customers to access and modify personal information in their accounts, which helps them address data subject access or correction requests they may receive.
  • We allow customers to download the data from their account at any time during or at the end of their use of our services.
  • Our Privacy Policy gives customers information about how we collect, use, and protect information, which they can refer to in providing notice to their end users.
  • We offer a data processing agreement (DPA) which aims to help our customers meet their obligations under GDPR.

Are you PCI compliant?

Yes, Harvest has a PCI-DSS Merchant Certificate, although we don’t store any payment info.

Is customer data accessible by Harvest employees?

Harvest employees can access customers’ data for troubleshooting purposes. This access is restricted, logged, and monitored.

For further detail, please refer to our Privacy Policy.

Are intrusion detection/prevention systems employed?

We don’t run any commercial IDS/IPS, but we have in-house alert systems set on our infrastructure and application logs to detect suspicious activity and anomalies. A member of the operations team is always on call.

Do you perform periodic risk assessments?

While we don’t perform specific formal periodic risk assessments, we do have internal procedures for sensitive data transmission, retention periods, and data classification, and these are evaluated from time to time. We will also perform a risk assessment if a significant change to our service is planned.

How is identity and access managed?

We currently support sign-in via email/password and SSO with Gmail and Google Workspace accounts. Open sessions and identity options can be checked in the Security section of Harvest ID.

We also have different access permissions inside the account to manage access. Please see our Help Center article on permissions for details.

Do you support SSO/SAML?

We provide single sign-on via Google for companies using Google Workspace or individuals using Gmail addresses.

What is your password policy?

We follow NIST 800-63-3 (Digital Identity Guidelines) wherever it applies to us. We require a minimum length of 8 characters and provide a password strength estimator to help users choose strong passwords and avoid ones found in previous breach corpora, dictionary words, and repetitive or sequential characters. Because we follow the NIST recommendations, we don’t enforce complexity rules, keep password history, force expiration, or lock accounts.
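As an added illustration of the policy described above (this is not Harvest's own code), the following Python checks a candidate password the way NIST SP 800-63B section 5.1.1.2 describes: a minimum length, a breach-corpus blocklist, dictionary words, and repetitive or sequential characters, with deliberately no composition rules, history, or lockout logic. The breach corpus and dictionary are tiny constructed samples standing in for real lists; the context-specific-words check is a NIST item the page does not mention and is included to show the full recommendation.

```python
"""Password acceptance check modelled on NIST SP 800-63B section 5.1.1.2.

Added example, not Harvest's code. Breach corpus and dictionary are
constructed samples; a deployment would load real lists (e.g. a
Have I Been Pwned download) instead.
"""
import hashlib
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8     # the minimum the page states
MAX_LENGTH = 128   # NIST requires that at least 64 characters be accepted

# Constructed sample breach corpus, kept as SHA-1 hex digests so plaintexts
# never sit in the code base (HIBP distributes its list in this form).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "12345678", "letmein1", "iloveyou", "sunshine")
}

# Constructed sample dictionary; a real deployment loads a word list.
DICTIONARY = {"password", "harvest", "forecast", "welcome", "monkey", "dragon"}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive(pw: str) -> bool:
    """True when every character is the same, e.g. 'aaaaaaaa'."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_sequential(pw: str) -> bool:
    """True for strictly ascending or descending code points, e.g. '12345678', 'hgfedcba'."""
    codes = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs == {1} or diffs == {-1}


def in_breach_corpus(pw: str) -> bool:
    """Blocklist lookup by SHA-1 digest against the (sample) breach corpus."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1


def is_dictionary_word(pw: str) -> bool:
    return pw.lower() in DICTIONARY


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Note what is absent: no upper/lower/digit/symbol composition rule, no
    history and no expiry, in line with NIST and the policy above.
    """
    pw = normalize(password)
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if in_breach_corpus(pw):
        reasons.append("found in breach corpus")
    if is_dictionary_word(pw):
        reasons.append("dictionary word")
    if is_repetitive(pw):
        reasons.append("repetitive characters")
    if is_sequential(pw):
        reasons.append("sequential characters")
    # Context-specific words (username, service name) per NIST; hypothetical
    # extension, not something the page states.
    for word in context_words:
        if word and word.lower() in pw.lower():
            reasons.append(f"contains account-specific word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "12345678", "aaaaaaaa", "short",
                      "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In production the breach check would use the full corpus, or the Have I Been Pwned range API with only the first five hex characters of the SHA-1 sent off-box; a strength estimator such as zxcvbn complements these hard rejections by giving users feedback rather than a rule list.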

Does Harvest own any intellectual property (IP) over our data?

As stated in our Terms of Service in Section 3 Intellectual Property, “You own your content. We do not represent any ownership or claim any intellectual property rights over the information that you provide or that is provided to us.”

What is your release cycle? Could you provide more information on the security patch management process?

Our software release cycle is very rapid, as we perform multiple deploys per day. Security patches for third-party libraries are deployed as soon as they become available. Operating systems auto-apply all security patches as they become available.

Have you been affected by the log4j vulnerability?

We have been closely monitoring all our services since the vulnerability was first reported and we don’t use Java to run our production apps. The log4j dependency was only present in one of our internal logging systems running Elastic. That service didn’t have access to user data, was not affected by the RCE vulnerability, and was updated immediately after the patch was released.
