This policy outlines the security and organizational measures implemented by haptapt LLC (“haptapt” or “Service Provider”) to protect customer data and the integrity of the SaaS Platform Services. These measures are designed to ensure a level of security appropriate to the risks associated with processing Personal Data, in compliance with the Data Processing Addendum (DPA) and the Master Subscription Agreement (MSA).
1. Organizational Security and Governance
Haptapt maintains strong organizational controls to manage risk, ensure staff accountability, and uphold our contractual commitments.
1.1. Staff Training and Awareness
All personnel with access to customer data receive mandatory, regular training on data protection, security best practices, and confidentiality requirements. All staff are subject to confidentiality obligations outlined in employment agreements or Non-Disclosure Agreements (NDAs).
1.2. Access Control Policy
Access to all haptapt systems and Customer Data is based on the principle of least privilege and need-to-know. Access is strictly limited to authorized personnel who require it for their defined job function, and is promptly revoked upon termination of employment.
1.3. Incident Response Plan (IRP)
haptapt maintains a formal, written Incident Response Plan (IRP) detailing procedures for detection, containment, eradication, recovery, and required notification for any identified security event or Personal Data Breach, in compliance with the strict timelines outlined in the DPA.
1.4. Security Audits and Testing
haptapt performs regular internal security reviews and testing of its systems and processes to ensure controls meet the requirements of its internal standards and contractual commitments.
2. Technical and Logical Access Controls
Technical controls are implemented to protect the confidentiality, integrity, and availability of the Service and Customer Data.
2.1. Authentication
All users and internal staff utilize unique user IDs and strong authentication requirements. Multi-factor authentication (MFA) is required for all administrative access to the production environment.
2.2. Encryption
All Customer Data, including Personal Data, is protected by encryption both in transit and at rest:
– Encryption in Transit: All data transmitted between the Customer’s device and the haptapt platform, and between haptapt’s internal components, is encrypted using TLS 1.2 or higher.
– Encryption at Rest: All Customer Data is stored in encrypted format on the underlying hosting infrastructure (AWS), utilizing AES-256 encryption or higher. Customer passwords are encrypted using industry best practices.
2.3. Network Security
The production environment is securely segregated from the corporate network and protected by industry-standard firewalls and network segmentation where appropriate. Secure connections are enforced using technologies such as Virtual Private Clouds (VPC).
2.4. Change Management
Changes to the production environment, source code, or security controls must follow a defined change management process, including peer review, testing, and formal approval, prior to deployment.
3. Infrastructure and Service Continuity
The security and availability of the haptapt platform are built upon enterprise-grade cloud infrastructure.
3.1. Physical Security
The haptapt Service is hosted within Amazon Web Services (AWS) facilities. AWS maintains global certifications for physical security (e.g., ISO 27001, SOC 1/2/3). haptapt does not operate its own data centers or physical infrastructure for data storage.
3.2. Data Backup and Recovery
Customer Data is backed up daily to a secure, redundant storage environment. haptapt maintains documented procedures for recovery, tested periodically, ensuring the ability to restore service and data in the event of an unforeseen incident or disaster.
3.3. Scalability and Availability
The system architecture is designed for high availability and redundancy across multiple availability zones to mitigate the risk of single points of failure, ensuring consistent service uptime and business continuity.
4. Policy Maintenance and Contact
haptapt LLC is committed to the continuous improvement of its security controls. This policy may be updated from time to time to reflect advancements in security best practices or changes to the Service.
Notification of Material Changes: The Customer’s administrative contact will be notified of any material updates to this policy at least thirty (30) days prior to the update taking effect, as specified in the Master Subscription Agreement.
Contact for Inquiries: Please direct any questions regarding this policy to support@haptapt.com.
