
Information Security Policy

The purpose of this document is to clearly define the boundaries of the Information Security Management System (ISMS) at Haystack. This policy applies to all documentation and activities within the ISMS. The intended users of this document are key members of Haystack management, including the CEO, CTO, and the Information Security Management System Owner and Data Privacy Officer (DPO).

Company Overview

Founded in 2019 by Cameron Lindsay and Haibo Zhao, Haystack Team Inc. aims to make companies feel smaller through enhanced internal communication and collaboration. All Haystack employees work remotely, contributing to a modern intranet solution that centralizes company resources, communication channels, and disparate systems to help organizations collaborate effectively and achieve their business goals.

System Descriptions

Haystack is designed to streamline internal communication and collaboration by connecting the company's distributed teams and systems to a centralized hub. Main features include internal communications, internal events, resources, people & teams, and universal search. Haystack integrates with widely adopted SaaS applications such as Okta, Microsoft Azure, Google Identity Service, OneLogin, Elastic, Twilio's SendGrid, Slack, Google Drive, Google Calendar, and Atlassian's Confluence.

Information Security Management System (ISMS) Scope and Components

Haystack's ISMS is designed to achieve specific business objectives in accordance with management-specified requirements. The scope includes the entire organization, covering infrastructure, software, people, procedures, and data. The Privacy Information Management System (PIMS) scope includes services processing personally identifiable information (PII) on behalf of client companies.

ISO27001 Scope

The ISO/IEC 27001:2013 certification scope is limited to Information Security Management Systems supporting Haystack Team, Inc.'s SaaS, Web, and Mobile (Android & iOS) application products in accordance with the Statement of Applicability.

ISO27701 Scope

The ISO/IEC 27701:2019 certification scope is limited to services processing PII on behalf of client companies in accordance with the Statement of Applicability.

Applicable Legislative, Regulatory, Contractual, and Other Security Requirements

Haystack complies with various standards and regulations, including ISO27001:2013, ISO27701:2019, AICPA SOC, and HIPAA. This ensures that the company's security practices meet industry standards and legal requirements.

Infrastructure

Haystack leverages Google Cloud Platform (GCP) for its cloud computing needs, utilizing services such as Virtual Private Cloud (VPC) and Google Kubernetes Engine (GKE) to ensure secure, scalable, and manageable network architecture. Client data is encrypted at rest and in transit, and the infrastructure is designed for high availability and redundancy across multiple zones.

Servers

Haystack uses GKE to host application APIs and web servers, benefiting from GKE's native security features and Google's Container-Optimized OS for enhanced security. The production environment is locked down to minimize unauthorized access, and all external traffic is managed through load balancers and secure networking practices.

Databases

Haystack uses Google Cloud SQL for relational database hosting, providing secure, managed storage for client information. File storage is handled by Google Cloud Storage (GCS), which securely stores uploaded images, attachments, videos, and other assets in dedicated client locations.

Software

The Haystack system is supported by various software components, including hosting systems, storage and database solutions, network security tools, source control, access management, monitoring and alerting systems, customer support, vulnerability scanning tools, and notification services. These components are essential for building, securing, maintaining, and monitoring the Haystack platform.

Device and Network Security

Devices issued to company personnel must meet security criteria, including full-disk encryption and up-to-date antivirus software. The company's security measures include vulnerability management, penetration tests, restrictive firewalls, and strong encryption of data in transit.

People

The company's departments include Executive Management, Engineering, Product, Customer Success, People Operations, Finance, Sales, and Marketing. Each department has specific responsibilities related to the development, management, and security of the Haystack system.

Procedures

Information Security and Privacy Program

The Information Security and Privacy Program is led by the CTO and the ISMS team, with representation from executive management, engineering, people operations, and customer success. The team is responsible for continuously reviewing and improving Haystack's security and privacy procedures.

Employee Access and Training

Access to sensitive information is limited to senior staff members, and all access is logged and audited. Two-factor authentication is required for access to critical systems. Employees must pass background checks and attend security training during onboarding and annually thereafter.

Access to User Data

Access to sensitive customer data is restricted to authorized personnel, and non-sensitive data is accessed via web-based tools. All access requires management authorization or explicit customer approval.

Risk Management

Haystack conducts annual risk assessments to analyze and treat risks related to unauthorized access, use, disclosure, disruption, modification, and destruction of systems and data.

Change Management

Code changes are tested in a development environment, logged in a source code management system, and reviewed through automated testing or peer reviews. Releases are tested and signed off by QA before deployment.

Vulnerability Management

Haystack's environments are monitored for vulnerabilities and system issues, with a 24/7 on-call staff to respond to critical issues. Clients are notified of data breaches within 24 hours when applicable.

Incident Response

An incident response plan defines roles, responsibilities, escalation paths, and communication requirements in case of incidents affecting the system's security, availability, or confidentiality. Impacted customers are informed as per the Terms of Service and other contractual obligations.

Disaster Recovery and Data Backup

The system is hosted in multiple availability zones to ensure high availability. Annual recovery tests are conducted to ensure system resilience in case of a complete failure.

Data

Haystack stores and processes user information confidentially and privately, with access restricted to authorized personnel. Data is segmented using unique identifiers to ensure confidentiality.

Data Privacy

Haystack is committed to protecting PII processed on behalf of client companies, only using data as contractually agreed. The company carefully vets and contracts with sub-processors to maintain high security standards.

Subservice Organizations (Subprocessors)

Haystack uses vetted sub-processors such as GCP, Elastic, Slack, and Twilio’s SendGrid. These sub-processors are required to meet security standards similar to Haystack's, ensuring the protection of client data.

Validity and Document Management

This document is valid as of December 28, 2023. The owner, Georgios Vouzounaras, is responsible for annual updates and maintaining compliance with the defined scope and requirements.

Mailing Address
1645 Abbot Kinney Suite 202, Venice, CA 90291
Privacy Contact
privacy@haystackteam.com
General Inquiries
hello@haystackteam.com
Legal Contact
legal@haystackteam.com