Hootsuite Security Practices
Last updated: July 9, 2024
Hootsuite Inc. and its affiliates (collectively, “Hootsuite”) maintains organizational and technical measures (“Security Practices”) to protect information you provide to us (“Customer Information”) from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information Hootsuite collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Hootsuite engages in.
Where used in this Security Practices document, “Hootsuite Services” means the Self-Serve or Enterprise Services defined in the Hootsuite Self-Serve Terms of Service or Enterprise Terms of Service, as applicable. “Sparkcentral Services” means the Services defined in the Sparkcentral Terms of Service. “Heyday Services” means the Services defined in the Heyday Enterprise Terms of Service. The Hootsuite Services, Sparkcentral Services and Heyday Services are collectively referred to as the “Services”. Capitalized terms not defined in this document have the meanings given to them in the relevant terms of service applicable to your access to and use of the Hootsuite Services, Sparkcentral Services and/or Heyday Services.
The Security Practices include:
1. Assigned Security Responsibility. Hootsuite has a designated security official and security team responsible for overseeing the development, implementation, and maintenance of its Security Practices.
2. Personnel Practices.
a. All of Hootsuite’s employees:
i. are bound by Hootsuite policies regarding the confidential treatment of Customer Information;
ii. receive security and privacy training during onboarding and on an ongoing basis at least annually thereafter, and supervision at a level and substance that is appropriate to their position;
iii. are required to read and sign information security and privacy policies covering the confidentiality, integrity, availability and resilience of the systems and services Hootsuite uses in the delivery of the Hootsuite Services.
b. Hootsuite maintains appropriate controls to restrict its employees’ access to the Customer Information that you and your Authorized Users make available via the Services, and to prevent access to Customer Information by anyone who should not have access to it.
c. Hootsuite conducts appropriate pre-employment screening commensurate with the sensitivity of a role, which may include criminal background checks for particularly sensitive positions, where permissible by law.
3. Compliance and Testing. Hootsuite undergoes a rigorous audit process for various security-related certifications for its Services. The respective certifications for each of the Services are set out in our Trust Centre (https://trustcenter.hootsuite.com/).
a. Service Organization Control (SOC) Reports: Hootsuite undergoes an annual SOC 2 Type II audit performed by an independent third-party auditor. A copy of Hootsuite’s most recent report is available upon request for existing Enterprise customers or for prospective Enterprise customers who agree to hold the report in confidence under a Hootsuite form of non-disclosure agreement.
b. ISO 27001: Hootsuite undergoes an annual ISO 27001 audit performed by an independent third-party auditor.
c. PCI DSS: When payments are processed via credit card, Hootsuite uses third-party vendors that are PCI DSS compliant. At no point does Hootsuite store, transmit, or process your credit card information; Hootsuite simply stores anonymous tokens that identify the applicable processed transactions.
d. FedRAMP Authorization: The Hootsuite Services are authorized for use under the U.S. government’s Federal Risk and Authorization Management Program (FedRAMP Marketplace), a certification process that is audited against the NIST SP 800-53 standard.
e. External Pentest: The Services’ web and mobile applications are subjected to annual penetration testing performed by an independent third party.
4. Access Controls. Hootsuite has and will maintain appropriate access controls, including:
a. Policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts;
b. Segregation of conflicting duties and areas of responsibility;
c. Maintaining current and accurate inventories of computer and user accounts;
d. Enforcing the principles of “least privilege” and “need to know”;
e. Reviewing user access rights on a regular basis to identify excessive privileges;
f. Enforcing a limit on invalid login attempts; and
g. Password requirements that include a defined minimum complexity, password changes after the first login, and subsequent changes at predetermined intervals with limits on reuse.
5. Multi-Factor Authentication.
a. Access to the systems used by Hootsuite employees and contract personnel is controlled by multi-factor authentication. This means that all Hootsuite employees and contractors are required to provide an additional authentication credential in addition to the password credentials, in order to gain access to any system used in the provision of the Services.
b. Hootsuite also supports multi-factor authentication capability for its Customers and their Authorized Users in respect of their use of the Services (as a tool for their use in maintaining the security of their accounts).
6. Single Sign-On.
a. Hootsuite has implemented single sign-on (SSO) company-wide to ensure greater and more centralized access control to the systems used by Hootsuite employees and contract personnel.
b. Hootsuite also supports SSO capability for Enterprise customers that wish to ensure greater and more centralized access control to their accounts.
7. Data Encryption.
a. All Customer Information is encrypted at rest and in transit. The Services support the latest secure cipher suites and protocols to encrypt all traffic in transit. Hootsuite currently supports only TLS 1.2 or above on its website and all pages that accept credit card information.
b. Hootsuite monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
8. Logging and Intrusion Detection.
a. All systems used in the provision of the Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.
b. Hootsuite maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Services. Logs are analyzed for security events via automated monitoring software, overseen by Hootsuite’s security team.
c. Hootsuite monitors the Services for unauthorized intrusions using network-based and host-based intrusion detection mechanisms and web application firewalls.
9. Network Protection. In addition to system monitoring and logging, Hootsuite has implemented firewalls. Ports not utilized for delivery of the Services are blocked by configuration with our data center provider.
10. Host Management. Hootsuite performs automated malware and vulnerability scans on its production workloads and uses commercially reasonable efforts to remediate any findings that present a material risk to the Services environment. Hootsuite enforces malware scans, screen lockouts and the usage of full disk encryption for company laptops.
11. Disaster Recovery.
a. When your use of the Services requires Hootsuite’s systems to store Customer Information, such Customer Information is stored redundantly at multiple locations in Hootsuite’s hosting provider’s data centers to ensure availability. Hootsuite has backup and restoration procedures to allow recovery from a major disaster, where applicable.
b. Customer Information and Hootsuite’s source code are automatically backed up on a nightly basis. Hootsuite’s operations team is alerted in the event of any failure with this system. Backups are fully tested to confirm that these processes and tools work as expected.
12. Physical Security. Hootsuite currently uses Amazon Web Services (AWS) for its production data centers to provide the Services. AWS was selected for its high standards of both physical and technological security, and has internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services' certification and compliance, please visit the AWS Security website (https://aws.amazon.com/security/) and the AWS Compliance website (https://aws.amazon.com/compliance/).
13. Security Policies and Procedures. Hootsuite implements and maintains security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework. In particular, the Services are operated in accordance with the following policies and procedures:
a. Customer passwords are stored using a one-way salted hash.
b. Customer authentication logs are captured to safeguard customer data and to aid in the investigation of security incidents.
c. Customer passwords are not logged.
d. Hootsuite personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
14. Product Design Security Practices. New features, functionality, and design changes go through a review process facilitated by Hootsuite’s security team. In addition, Hootsuite’s code is tested and manually peer-reviewed prior to being deployed to production. Hootsuite’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.
15. Incident Management & Response. Hootsuite maintains robust security incident management policies and procedures for incident response. Hootsuite notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Information by Hootsuite or its agents of which Hootsuite becomes aware, to the extent permitted by law.