Technical and Organizational Measures for Data Protection

Infrastructure

All of our services run in the cloud. Hafi does not run our own routers, load balancers, DNS servers, or physical servers.

Our services and data are hosted in several data centers across Europe, including AWS, Digital Ocean, and Hetzner. Security measures taken by these data centers are described in the respective document:

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.

Hafi uses a backup solution for datastores that contain customer data.

Data

All customer data is stored in the European Economic Area ("EEA").

Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation). We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.

Each Hafi system used to process customer data is adequately configured and patched using commercially-reasonable methods according to industry-recognized system-hardening standards.

Hafi engages certain sub-processors to process customer data. These sub-processors are listed at: https://hafi.pro/legal/third-parties/, as may be updated by Hafi from time to time.

Data Transfer & Storage

Data sent to or from Hafi is encrypted in transit using 256-bit encryption.

All data transferred between our data centers is encrypted using industry-grade encryption.

Our API and application endpoints are TLS/SSL only and score an "A" rating on SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

Authentication

Hafi is served 100% over https. Hafi runs a zero-trust corporate network.

We have two-factor authentication (2FA) and strong password policies on AWS, Digital Ocean, and Hetzner to ensure access to cloud services is protected.

Application Monitoring

All access to Hafi applications is logged and audited.

Bastion hosts are used to log in to devices.

Security Audits and Certifications

We annually engage with well-regarded third-party auditors to audit our code-base and work with them to resolve potential issues.

We use technologies to provide an audit trail over our infrastructure and the Hafi application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup, and audit access to every layer of our stack.

Information about our cloud hosting security certifications and obtaining copies of security reports are available at:

Payment Processing

All payment instrument processing for purchase of the Hafi services is performed by Stripe and Paypal. For more information on Stripe’s security practices, please see: https://stripe.com/docs/security/stripe. Paypal’s security policy is located here: https://www.paypal.com/re/webapps/mpp/paypal-safety-and-security

Confidentiality

We place strict controls over our employees’ access to your data and are committed to ensuring that any customer data is not seen by anyone who should not have access to it. All of our employees and contract personnel are bound to our policies regarding customer data privacy and security, and we treat these issues as matters of the highest importance within our company.

Personnel Practices

Hafi conducts background checks on all employees before employment, and employees receive security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our strict data security and privacy policy covering the security, availability, and confidentiality of our services.