HireFire Security Policy
This document provides a high-level overview of the security practices at HireFire.
- Introduction
- Internal Security
- Access Control
- Service Security
- Database Security
- Customer Responsibilities
- Secure Development Practices
- Payment Security
- Incident Response
- Data Centers and Platforms
- GDPR Compliance
- Legal Jurisdiction
Introduction
HireFire continuously evaluates and updates its security practices to address emerging threats and adapt to changes in technology and regulations. This includes:
- Regularly reviewing and updating security policies and practices.
- Monitoring for vulnerabilities in third-party software and platforms.
- Adopting new technologies and methodologies to enhance security.
Customers are free to review this document at any time at https://www.hirefire.io/security for updates.
Internal Security
HireFire implements comprehensive security measures to prevent unauthorized access to hardware and third-party services. These measures include:
- Strong credentials
- Two-factor authentication (2FA)
- Security keys
- GPG keys
- Secure connections
- Drive encryption
- Firewalls
- Regular application of security patches
Access Control
Access to HireFire systems and data is controlled using the following measures:
- Third-Party Platform Security: Access to critical infrastructure and services is managed through platforms like Cloudflare, Heroku, and Hetzner, which provide robust authentication and access control mechanisms, including multi-factor authentication (MFA) and granular permission settings.
- Secured Server Access: Direct access to servers is restricted through secure methods such as secure shell (SSH) with key-based authentication.
- Restricted Tool Access: Internal tools and systems are accessible only to authorized personnel, adhering to the principle of least privilege.
- Session Management: Sessions automatically expire after a predefined period of inactivity to enhance security.
Service Security
To ensure service resilience and reliability, HireFire employs mechanisms for high availability in its user-facing services. These mechanisms not only enhance availability but also mitigate risks such as DDoS attacks.
All connections between users and our services, as well as communication between internal services, use Transport Layer Security (TLS) to secure data in transit. Additionally, all services are hosted within data centers or platforms equipped with DDoS protection.
Third-party software, including open-source components used in our services, is updated regularly. Security patches are applied promptly upon availability.
Database Security
All database connections are secured using Transport Layer Security (TLS). Data stored in our databases is encrypted at rest, and sensitive data receives an additional layer of encryption at the application level.
Databases are continuously backed up, allowing for point-in-time recovery. This ensures that in the event of a disaster, data can be restored to a specific moment in time, minimizing data loss and ensuring service continuity.
Customer Responsibilities
While HireFire implements extensive security measures, customers also play a critical role in ensuring their data remains secure. We recommend the following best practices:
- Enable Two-Factor Authentication (2FA): Activate 2FA on your HireFire account to add an extra layer of security.
- Use Strong, Unique Passwords: Ensure passwords are complex, unique, and not reused across multiple services.
- Monitor Account Activity: Regularly review account activity and immediately report any suspicious behavior.
Secure Development Practices
HireFire employs rigorous development practices to ensure the security and reliability of our services. This includes:
- Static Code Analysis: Regular automated scans of our codebase to identify and address security vulnerabilities during the development process.
- Continuous Integration (CI) Pipeline: Our CI pipeline ensures that all tests and security checks pass before deploying any changes to production, maintaining the integrity and stability of our services.
Payment Security
Stripe handles payment processing and securely stores credit card information on our behalf, while Chargebee manages invoicing. HireFire does not directly store or process any payment information, relying entirely on these providers for compliance and security.
Incident Response
HireFire is committed to addressing security incidents promptly. In the event of a breach, we will:
- Notify affected customers as quickly as possible.
- Work to mitigate the incident and prevent recurrence.
- Provide status updates through our status page.
Data Centers and Platforms
HireFire leverages third-party platforms to operate its services:
- Cloudflare (Cloudflare Inc., U.S.): Enhances content hosting, performance, security, and DDoS mitigation. Cloudflare is certified for compliance with ISO 27001, ISO 27018, and SOC 2 Type II.
- Heroku (Salesforce Inc., U.S.): Primary infrastructure and databases. Heroku is certified for compliance with ISO 27001, ISO 27017, ISO 27018, SOC 1 Type II, SOC 2 Type II, and SOC 3.
- Hetzner (Hetzner GmbH, Germany): Used for custom installations. Hetzner is certified for compliance with ISO 27001.
Platforms such as Cloudflare and Heroku enhance efficiency by automating infrastructure management tasks such as monitoring, security updates, failover for services and databases, and high availability. Of course, scaling automation is handled by HireFire itself! This allows us to focus on delivering customer value while ensuring robust security, performance, and availability.
All infrastructure managed by HireFire is protected with firewalls and strong authentication mechanisms. Regular updates and prompt application of security patches further enhance security.
GDPR Compliance
HireFire adheres to the principles of the General Data Protection Regulation (GDPR). For comprehensive information about data processing, retention, and your rights, please refer to our Privacy Policy and Data Processing Agreement.
HireFire ensures that a Data Processing Agreement (DPA) is signed with every vendor that handles personal data. This ensures our vendors meet strict GDPR requirements and maintain high standards of data protection. While GDPR is specific to the EU, we apply its principles universally to all customers. These practices include:
- Encrypting personal data in transit and at rest.
- Ensuring continuous database backups with point-in-time recovery.
- Respecting users’ rights to access, correct, or delete their data.
HireFire provides its own Data Processing Agreement (DPA), which does not require a signature, and goes into effect when we process personal data on behalf of our customers.
For more details, see our Data Processing Agreement (DPA).
Legal Jurisdiction
For information about governing law and jurisdiction, please refer to our Terms of Service.