The purpose of this document is to define basic rules for the secure development of software and systems at Haystack. This policy applies to the development and maintenance of all services, architecture, software, and systems that are part of the Haystack services. All employees involved in software development at Haystack are required to adhere to the guidelines set forth in this document to ensure the security and privacy of our systems and data.
Access to the development environment is restricted to authorized employees only. Development environments are separated from testing and production environments to minimize risks. This separation ensures that vulnerabilities identified during development do not affect live systems or sensitive data.
Engineering Management is responsible for issuing procedures for information security and privacy system engineering, applicable to both new system development and the maintenance of existing systems. These procedures include setting minimum security standards that must be complied with across all projects. These secure engineering principles also apply to outsourced development, ensuring that third-party developers adhere to Haystack's security standards.
When acquiring new information systems or modifying existing ones, the appropriate project team must document the applicable security and privacy requirements. This documentation ensures that all necessary security controls are considered and implemented during the development process.
Engineering Management is responsible for defining security and privacy controls related to information in application services that pass over public networks. This includes descriptions of authentication systems, methods to ensure confidentiality and integrity, and mechanisms to ensure non-repudiation of actions. Controls for online transactions must address issues such as misrouting, incomplete data transmission, unauthorized message alteration, duplication, and data disclosure.
Engineering Management must define the methodology, responsibilities, and timing for checking whether all security and privacy requirements from the Security and Privacy Requirements Specification have been met. This process ensures that systems are acceptable for production and meet Haystack's security standards.
Haystack uses GitHub for code version control management. Access to this tool is restricted to employees with a business need, based on the principle of least privilege. This approach ensures that only authorized personnel can make changes to the codebase, reducing the risk of unauthorized modifications.
All changes made during the development and maintenance of systems must follow the Change Management Policy. This policy outlines the procedures for requesting, approving, and implementing changes to ensure they are properly reviewed and documented.
Confidential data, including data related to individuals, must not be used as test data. Exceptions may be granted only by Engineering Management. This policy helps protect sensitive information from being exposed during testing.
Engineering Management defines the required level of security and privacy skills for the development process. All engineers must review the OWASP Top 10 Security and Privacy Risks, which include issues such as broken access control, cryptographic failures, injection, insecure design, security misconfiguration, and more. This training ensures that developers are aware of common security risks and best practices for mitigating them.
Haystack recognizes that business needs, local situations, laws, and regulations may occasionally require exceptions to this policy or any other Haystack policy. In such cases, Haystack management will determine an acceptable alternative approach. This flexibility ensures that the company can adapt to specific circumstances while maintaining security standards.
Any violation of this policy or any other Haystack policy may result in disciplinary action, up to and including termination of employment. Haystack reserves the right to notify appropriate law enforcement authorities of any unlawful activity and cooperate in any investigation of such activity. Conduct in violation of this policy is not considered within the course and scope of an employee's or contractor's work duties.
Haystack reviews and updates its security and privacy policies annually to maintain organizational security and privacy objectives and meet regulatory requirements. The results of these reviews are shared internally, and findings are tracked to resolution. Any changes to the policies are communicated across the organization to ensure awareness and compliance.