As a cloud pioneer, HDE fully understands the security implications of the cloud model. Our cloud services are designed to deliver better security than many traditional on-premises solutions.
This article outlines HDE's approach to security and compliance for HDE One, our cloud-based productivity suite.
1) Infrastructure & Software
All HDE One features, except for its operational features, run on Amazon Web Services (AWS).
To deliver the 99.9% availability we promise in our SLA, we make the access points redundant across AWS Availability Zones (AZs), so that the failure of a single facility does not affect availability.
For certain services, such as SSO logins, we design the system to tolerate the failure of an entire region by replicating data across regions; the SLA does not require this, but we consider it important for our customers.
Persistent data are stored in multiple facilities, using S3/Glacier as the backend, which is designed to be durable enough to sustain the concurrent loss of data in two facilities.
All confidential data are stored in AWS facilities, which are covered by the certifications below:
AWS ISM Letter of Compliance
AWS ASD Letter of Certification
AWS ISO 9001 Certification
AWS ISO 27001 Certification
AWS ISO 27018 Certification
Multi-Tier Cloud Security Standard Level-3 (CSP) Certification
AWS SOC 3 Report
For more detailed information about these certifications, please refer to AWS's list of published certifications: https://aws.amazon.com/compliance/published-certifications/?nc1=h_ls
2) Human Resources
(i) Employee Training
All HDE employees undergo security training as part of the orientation process and receive ongoing security training throughout their HDE careers. For instance, the information security team instructs all employees on topics such as security and privacy incidents, information risks, and vulnerabilities.
Authorization is required to enter our workspace. Employees without a valid key card are locked out, and every entrance and exit is logged.
HDE has a dedicated internal audit team that conducts internal audits related to our ISMS (JIS Q 27001). For instance, this team regularly checks that employees store important documents in locked desk cabinets, that PC passwords and disk encryption are set appropriately, and so on.
3) Policy to Access Data
(i) Access to Customer’s Data
As a rule, our employees are prohibited from accessing archive data and critical data. Only when a customer or the authorities make a request, and only after confirmation with the customer, is a designated representative allowed to search the archive, under the conditions indicated.
(ii) Access Detection
All access to archive data and critical data is logged and monitored. If unexpected access is detected, it is investigated immediately.
(iii) Access to Data without Permission
Our employees are prohibited from accessing any data without permission, even data that is neither important nor critical, unless the access is necessary for their work.
4) Maintenance Policy
(i) Vulnerability Management
HDE operates a vulnerability management process that actively scans for security threats, and our support team is responsible for tracking and following up on vulnerabilities.
(ii) Security Monitoring
HDE's security monitoring mechanism is focused on information gathered from network traffic, employee actions on systems, and outside knowledge of vulnerabilities.
Furthermore, HDE engineers and the support team continuously look for security incidents that might affect the company's infrastructure. They actively review inbound security reports and monitor public mailing lists, blog posts, and wikis.
(iii) Incident Management
We have a rigorous incident management process for events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the HDE Support team logs it and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. The process specifies courses of action and procedures for notification (such as via the dashboard and e-mail), escalation, mitigation, and documentation.
5) Regulatory Compliance
(i) The Law Concerning the Protection of Personal Information
This service can be used to help you observe the law concerning the protection of personal information. However, since there are many routes by which information can leak, introducing this service alone does not allow you to observe the law perfectly.
(ii) Foreign Exchange and Foreign Trade Act
We offer a service that encrypts e-mail attachments. This may be subject to the Export Administration Regulations under the Foreign Exchange and Foreign Trade Act. Depending on your needs, please consult the check sheet issued by the Center for Information on Security Trade Control (CISTEC).
(iii) e-Discovery
e-Discovery covers all electronic data handled in-house: not only e-mails, but also all files on file servers and so on. Therefore, simply making use of our services does not by itself satisfy e-discovery requirements; in other words, the e-mails you send and receive are only part of the data governed by e-discovery.
(iv) Patriot Act
Since archive data in AWS is encrypted, the United States government cannot read it even if it attempts to forcibly access the archive data stored in AWS.
(v) The European Union Data Protection Directive
Companies in the EU are prohibited from transferring personal information out of the EU. If they enter into the standard contractual clauses provided by the EU, they may be able to hold it outside the EU. The rules vary by country; for particulars, please ask the office.