Security at Harbour
🔒 Harbour utilizes enterprise-grade best practices to protect our customers’ data, works with independent experts to verify its security, privacy, and compliance controls, and has achieved a SOC 2 Type II report against stringent standards.
- SOC 2 Report
- Continuous Security Control Monitoring
- Employee Access & Trainings
- Penetration Tests
- Secure Software Development
- Data Encryption
- Multi-region data storage and automated backups
- Harbour Tech Stack
- Identity and Authentication
- Compliance, Audit Logs, and Monitoring
- Data Retention and Removal
- Vulnerability Disclosure Program
SOC 2 Report
We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers' data.
Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.
Continuous Security Control Monitoring
Harbour uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allow Harbour to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.
Employee Access & Trainings
Security is a company-wide endeavor. All employees are required to use 2-factor authentication for data access, are restricted to only appropriate access levels, and have signed a Non-Disclosure and Confidentiality Agreement when joining the company. In addition, Harbour employees complete an annual security training program and employ best practices when handling customer data.
Penetration Tests
Harbour works with industry-leading security firms to perform annual network- and application-layer penetration tests.
Secure Software Development
Harbour utilizes a variety of manual and automatic data security and vulnerability checks throughout the software development lifecycle.
Data Encryption
Data is encrypted both in transit using Transport Layer Security (TLS details) and at rest with AES-256 (details).
All of our infrastructure and services run in the cloud. We do not run any routers, load balancers, DNS servers, or physical servers. We extensively use the Google Cloud Platform (GCP) and have no physical infrastructure. Our production data storage systems are Google Spanner and Google Cloud Storage (modelled on Gmail tech stack). GCP provides strong security measures, compliance, and auditing across these systems.
Multi-region data storage and automated backups
All of our cloud data is multi-region (within the United States) to avoid any impact from power outages or natural disasters. All our data is also automatically and regularly backed up and replicated across multiple US data center locations.
Harbour Tech Stack
You can check out the full details here -- we heavily utilize Google App Engine Standard (Python 3) with Google Spanner and Google Cloud Storage.
Identity and Authentication
We leverage enterprise Single Sign-On (SSO) for fully secured user authentication and identity management (via Google Cloud Identity/OAuth2). We do not store user passwords, and all organization and user records are always verified against their pre-existing Google or Microsoft corporate account credentials. Through an organization's corporate account settings, we can also support 2-factor authentication for recommended, added security. Additionally, role-based access control (RBAC) is available for enterprise accounts.
Compliance, Audit Logs, and Monitoring
We directly monitor and use third-party monitoring software for detecting potential attacks or anomalous network behavior. Every user action in the system is logged and fully auditable (details). Our GCP systems are also regularly audited for ongoing security and compliance (e.g., SOC 2). View the full details and reports here.
Data Retention and Removal
Customers may request to have their data deleted at any time by filling out a support ticket. Please allow two business weeks to process your request.
Vulnerability Disclosure Program
If you believe you’ve discovered a bug in Harbour’s security, please let us know by filling out this report and getting in touch at firstname.lastname@example.org. Our security team promptly investigates all reported issues.