Where applicable, this will serve as the relevant Annex to the Standard Contractual Clauses and the DPA. The following provides more information regarding HackTheBox’s technical and organizational security measures set forth below.
HackTheBox maintains Customer Data in an encrypted format at rest using Advanced Encryption Standard and in transit using TLS.
HackTheBox's customer agreements contain strict confidentiality obligations. Additionally, HackTheBox requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in HackTheBox's customer agreements. The infrastructure for the HackTheBox Services spans multiple fault-independent availability zones in geographic regions physically separated from one another, supported by various tools and processes to maintain high availability of services.
HackTheBox performs regular backups of Customer Data, which is hosted in the data centers. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).
HackTheBox maintains a risk-based assessment security program. The framework for HackTheBox’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. HackTheBox’s security program is intended to be appropriate to the nature of the Services and the size and complexity of HackTheBox’s business operations. HackTheBox has a separate and dedicated security team that manages HackTheBox’s security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program.
HackTheBox personnel are required to use unique user access credentials and passwords for authorization. HackTheBox follows the principles of least privilege through role-based and time-based access models when provisioning system access. HackTheBox personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Access is promptly removed upon role change or termination.
Customer Data is encrypted when in transit between Customer and HackTheBox Services using TLS.
Customer Data is stored encrypted using the Advanced Encryption Standard.
HackTheBox office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security.
HackTheBox monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.
HackTheBox applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; (b) bi-annual penetration testing by independent third parties; and (c) threat models for new Services to detect any potential security threats and vulnerabilities.
HackTheBox adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. Monitors are in place to notify the security team of changes made to critical infrastructure and services that do not adhere to the change management processes.
HackTheBox maintains a risk-based assessment security program. The framework for HackTheBox’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. HackTheBox’s security program is intended to be appropriate to the nature of the Services and the size and complexity of HackTheBox’s business operations. HackTheBox has a separate and dedicated Information Security team that manages HackTheBox’s security program. This team facilitates and supports independent audits and assessments performed by third parties. HackTheBox’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with the Chief Trust and Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all HackTheBox employees for their reference.
HackTheBox, taking into account its legal obligations, requires the minimum personal data necessary to create an account and to access and use the Service. Additionally, HackTheBox has built self-service functionality into the Services that allows Customers to delete and update Customer Data.
HackTheBox has a three-fold approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of logic used to make API calls, (ii) volume testing to ensure the code is able to scale, and (iii) daily end-to-end testing to ensure that the input values match expected values. HackTheBox applies these measures across the board, both to ensure the quality of any Usage Data that HackTheBox collects and to ensure that the HackTheBox Platform is operating in accordance with the documentation.
Each HackTheBox Customer chooses what Customer Data they route through the HackTheBox Services and how the Services are configured. As such, HackTheBox operates on a shared responsibility model. HackTheBox ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data leaves HackTheBox to flow to a downstream destination.
HackTheBox Customers unilaterally determine what Customer Data they route through the HackTheBox Services and how the Services are configured. As such, HackTheBox operates on a shared responsibility model. If a Customer is unable to delete Customer Data via the self-service functionality of the Services, then HackTheBox deletes Customer Data upon the Customer's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law.
HackTheBox has adopted measures for ensuring accountability, such as implementing data protection policies across the business, maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data, and appointing a Privacy and Security Officer. Additionally, HackTheBox conducts regular third-party audits to ensure compliance with our privacy and security standards.
HackTheBox's Customers have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws. HackTheBox has built self-service functionality into the Services that allows Customers to delete and modify Customer Data. If a Customer is unable to use such self-service functionality, HackTheBox specifies in the Data Protection Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If HackTheBox receives a request from a Data Subject in relation to their Customer Data, HackTheBox will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
When HackTheBox engages a sub-processor under this Addendum, HackTheBox and the sub-processor enter into an agreement with data protection terms substantially similar to those contained herein. Each sub-processor agreement must ensure that HackTheBox is able to meet its obligations to Customer.
In addition to implementing technical and organisational measures to protect personal data, sub-processors must a) notify HackTheBox in the event of a Security Incident so HackTheBox may notify Customer according to applicable law; b) delete data when instructed by HackTheBox in accordance with Customer’s instructions to HackTheBox; c) not engage additional sub-processors without authorization; d) not change the location where data is processed; and e) not process data in a manner which conflicts with Customer’s instructions to HackTheBox.