IntegrateHQ has been certified by independent third-party auditors as compliant with ISO/IEC 27001:2013.
Learn more about our certification and download our certification certificate here.
IntegrateHQ engages an independent third party to perform regular web application vulnerability testing and penetration testing of the platform. Click on the trust mark (left) to verify our status or download our "secure application" attestation here.
We use a reputable SOC 2 certified data center to host the services we provide.
Our hosting provider is Amazon Web Services (AWS) in the USA. We make full use of the best practice security and availability capabilities offered by AWS including Virtual Private Cloud (VPC) technology for network isolation and multi-availability zones for reliability. Read about AWS cloud security (https://aws.amazon.com/security) and SOC compliance (https://aws.amazon.com/compliance/soc-faqs/).
We take the security of our internal and external networks very seriously. Communication between our servers and your business applications / web browser is encrypted.
Within our VPC network we employ public and private subnets. All application servers reside in private subnets and so have no public IP addresses; external communication is routed via NAT Gateways. Network security is multi-tiered including strict Network Access Control List rules, role based Network Security Groups, host IP Table restrictions and user based authorization. All user user interaction with IntegrateHQ services is encrypted over HTTPS/TLS. Access to the production VPC is restricted - only select team members responsible for maintaining operational stability of the application are able to connect to resources within the VPC.
Stored customer data is encrypted.
IntegrateHQ stores account information, user information and integration/connection configuration. If an integration is configured to do so, IntegrateHQ may also store integration related data. In all cases customer data is encrypted when stored ("encryption at rest").
Integration processes execute in isolated, account unique, temporary run-time environments.
IntegrateHQ follows the serverless paradigm. Before each integration process executes a new, strongly isolated, integration execution run-time is provisioned 1. The integration runs to completion in this environment after which the environment, along with temporary artifacts created during the run, is destroyed.
1 When launching an integration in an "event triggered" fashion, if multiple event occur in rapid succession, the same run-time environment may be re-used to process each event sequentially. This re-use only happens for the same account running the same integration so there is zero risk of "cross account" data leaks.
Users must be explicitly authorized to access an IntegrateHQ account.
Each IntegrateHQ user requires their own sign-in credentials, and only your IntegrateHQ account administrators can grant access an IntegrateHQ account. The IntegrateHQ sign-in process supports, encourages and optionally enforces the use of multi-factor authentication during sign-in.
Our customer support team may only access your account if you explicitly authorize access from your "Profile and Preferences" page.
We have GDPR compliant data protection agreements in place with our sub-processors.
You can view our current list of sub-processors here.