Hootsuite Security Practices
Last updated: September 20, 2022
Hootsuite maintains organizational and technical measures (“Security Practices”) to protect information you provide to us (“Customer Information”) from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information Hootsuite collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Hootsuite engages in.
Where used in this Security Practices document, “Hootsuite Services” means the Self-Serve Services or Enterprise Services, as applicable and as defined in the terms applicable to your access to and use of the Hootsuite Services (the “Agreement”). Capitalized terms not defined in this document have the meanings given to them in the Agreement.
The Security Practices include:
1. Assigned Security Responsibility. Hootsuite has a designated security official and security team responsible for overseeing the development, implementation, and maintenance of its Security Practices.
2. Personnel Practices.
a. All of Hootsuite’s employees:
i. are bound by Hootsuite policies regarding the confidential treatment of Customer Content;
ii. receive security and privacy training during onboarding and on an ongoing basis at least annually thereafter, and supervision at a level and substance that is appropriate to their position;
iii. are required to read and sign information security policies covering the confidentiality, integrity, availability and resilience of the systems and services Hootsuite uses in the delivery of the Hootsuite Services.
b. Hootsuite maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorized Users make available via the Hootsuite Services, and to prevent access to Customer Content by anyone who should not have access to it.
c. Hootsuite conducts appropriate pre-employment screening commensurate with the sensitivity of a role, which may include criminal background checks for particularly sensitive positions, where permissible by law.
3. Compliance and Testing. Hootsuite’s security-related audits, certifications, and testing include:
a. Service Organization Control (SOC) Reports: Hootsuite undergoes a SOC 2 Type II and Type III audit annually which is performed by an independent third party auditor. A copy of Hootsuite’s most recent report is available upon request for existing Enterprise customers or for prospective Enterprise customers who agree to hold the report in confidence under a Hootsuite form of non-disclosure agreement.
b. PCI DSS: When payments are processed via credit card, Hootsuite uses third-party vendors that are PCI DSS compliant. At no point does Hootsuite store, transmit, or process your credit card information; Hootsuite simply stores anonymous tokens that identify the applicable processed transactions.
c. FedRAMP Authorization: Hootsuite is authorized for use under the U.S. government’s Federal Risk and Authorization Management Program (https://marketplace.fedramp.gov/#!/product/hootsuite-enterprise), a certification process that is audited against the NIST SP 800-53 standard.
d. Penetration Testing: Hootsuite’s product platform (both web and mobile) is subjected to annual penetration testing performed by an independent third party.
4. Access Controls. Hootsuite has and will maintain appropriate access controls, including:
a. Policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts;
b. Segregation of conflicting duties and areas of responsibility;
c. Maintaining current and accurate inventories of computer and user accounts;
d. Enforcing the principles of “least privilege” and “need to know”;
e. Reviewing user access rights on a regular basis to identify excessive privileges;
f. Enforcing a limit of login attempts and concurrent sessions; and
g. Password requirements that include a defined minimum complexity, password changes after the first login, and subsequent changes at predetermined intervals with limits on reuse.
5. Multi-Factor Authentication.
a. Access to the systems used by Hootsuite employees and contract personnel is controlled by multi-factor authentication. This means that all Hootsuite employees and contractors are required to provide proof of their identity, in addition to the provision of any password, in order to gain access to any system used in the provision of the Hootsuite Services.
b. Hootsuite also makes available multi-factor authentication capability for its Customers and their Authorized Users in respect of their use of the Hootsuite Services (as a tool for their use in maintaining the security of their accounts).
6. Single Sign-On.
a. Hootsuite has implemented single sign-on (SSO) company-wide to ensure greater and more centralized access control to the systems used by Hootsuite employees and contract personnel.
b. Hootsuite also makes SSO capability available for Enterprise customers that wish to ensure greater and more centralized access control to their accounts.
7. Data Encryption.
a. The Hootsuite Services support the latest secure cipher suites and protocols to encrypt all traffic in transit. Hootsuite currently supports only TLS 1.2 and TLS 1.3 on its main website and on all pages that accept credit card information, and TLS 1.2 and TLS 1.3 are supported on all pages.
b. Customer Content is also encrypted at rest, where appropriate and having regard to the nature of the content and associated risks. Almost all of the information Hootsuite processes is widely accessible from Social Networks or elsewhere, but all scheduled and approval-pending messages, for example, are encrypted at rest for additional protection.
c. Hootsuite monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Hootsuite Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Hootsuite does this while also balancing the need for compatibility for older clients.
8. Logging and Intrusion Detection.
a. All systems used in the provision of the Hootsuite Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.
b. Hootsuite maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Hootsuite Services. Logs are analyzed for security events via automated monitoring software, overseen by Hootsuite’s security team.
c. Hootsuite monitors the Hootsuite Services for unauthorized intrusions using network-based and host-based intrusion detection mechanisms and Web Application Firewalls.
9. Network Protection. In addition to system monitoring and logging, Hootsuite has implemented firewalls. Ports not utilized for delivery of the Hootsuite Services are blocked by configuration with our data center provider.
10. Host Management. Hootsuite performs automated vulnerability scans on its production hosts and uses commercially reasonable efforts to remediate any findings that present a material risk to the Hootsuite environment. Hootsuite enforces screen lockouts and the usage of full disk encryption for company laptops.
11. Availability. Hootsuite’s infrastructure runs on systems that are fault tolerant, and Hootsuite provides Enterprise customers with guaranteed uptime, as set out in the Enterprise Service Level Agreement published at https://www.hootsuite.com/legal/enterprise-service-level-agreement.
12. Disaster Recovery.
a. When your use of the Hootsuite Services requires Hootsuite’s systems to store Customer Content, such Customer Content is stored redundantly at multiple locations in Hootsuite’s hosting provider’s data centers to ensure availability. Hootsuite has backup and restoration procedures to allow recovery from a major disaster.
b. Customer Content and Hootsuite’s source code are automatically backed up on a nightly basis. Hootsuite’s operations team is alerted in the event of any failure of this system. Backups are fully tested at least every 90 days to confirm that these processes and tools work as expected.
13. Physical Security. Hootsuite currently uses Amazon Web Services (AWS) for its production data centers to provide the Hootsuite Services. AWS was selected for its high standards of both physical and technological security, and has internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services' certification and compliance, please visit the AWS Security website (https://aws.amazon.com/security/) and the AWS Compliance website (https://aws.amazon.com/compliance/).
14. Security Policies and Procedures. Hootsuite implements and maintains security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework. In particular, the Hootsuite Services are operated in accordance with the following policies and procedures:
a. Customer passwords are stored using a one-way salted hash.
b. User access logs are maintained, containing date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted), and source IP address.
c. Customer passwords are not logged.
d. Hootsuite personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
15. Product Design Security Practices. New features, functionality, and design changes go through a review process facilitated by Hootsuite’s security team. In addition, Hootsuite’s code is tested and manually peer-reviewed prior to being deployed to production. Hootsuite’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.
16. Incident Management & Response. Hootsuite maintains security incident management policies and procedures. Hootsuite notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Content by Hootsuite or its agents of which Hootsuite becomes aware, to the extent permitted by law.