Data Protection & Information Security Ensuring best practices

Hawk bears an extraordinary responsibility for our clients' data and the flawless, reliable operation of the critical service we provide to them. Security is a matter of trust - our clients' trust.

This starts with hiring people with a security mindset and includes background checks, regular trainings of all employees, and constant reminders of security threats. Security is at the forefront of our daily work.

We have built and are maintaining an Information Security Management System (ISMS) in line with ISO 27001 requirements to proactively manage risks and review our controls via internal and external audits.

We constantly challenge ourselves to improve. This includes regular internal and external testing with vulnerability scans, penetration testing, and testing the implementation of all internal policies.

Security is embedded in all stages of software development, including four-eye review of every piece of code and code change, OWASP Training, automated security tests, code scanning, end2end tests, and more. We apply these practices to all our code - from Backend, Frontend, and Data Science to Infrastructure Code.  

Our 24/7 monitoring operations provide extensive security coverage of our cloud services, from the component and hardware level to code. Monitoring and alerting are focused on both availability and security aspects, which enable prompt and effective responses from our team of on-duty experts.

We apply state-of-the-art machine learning-supported technology to detect and alert us to intrusions, as well as abnormal or potentially malicious behavior in our environments. This enables our 24/7 on-duty personnel to provide all necessary information and respond in a timely manner.

Hawk follows industry best practices to proactively manage information security risks. We review the effectiveness of our technical and organizational practices on a regular, ongoing basis. Hawk is ISO 27001 certified.

Download the certificate here. 

Our access management policies follow the “principle of least privilege.” Our primary method of assigning and maintaining consistent access controls and rights is Role-Based Access Control (RBAC). This includes, but is not limited to, Multi-Factor Authentication (MFA), system access protected via VPNs, strict password policy, and Single-Sign-On (SSO).

All GDPR-relevant Personal Identifiable Information (PII) data gets tokenized, stored separately, and encrypted from other data. PII data elements do not allow tracing or matching to individuals. Access to the data necessary for investigation is secured with a roles and rights system, is logged with an audit trail, and is only granted on an individual case-by-case basis.

All of our systems are protected by sensitive Web Application Firewalls (WAF). These firewalls enable fine-tuned incoming and outgoing traffic management. We utilize Distributed Denial of Service (DDoS) mitigation measures and network intrusion detection software to monitor for malicious activity, providing additional security controls for our network stack.

All data is encrypted both in transit and at rest, resulting in the robust protection of client data. We use Advanced Encryption Standard (AES) on all information systems to ensure effective encryption. We have deployed HashiCorp Vault to store secrets and manage the key rotation for Personally Identifiable Information in line with GDPR requirements.

Hawk follows industry best practices to proactively protect client data. We review the effectiveness of our technical and organizational practices on a regular, ongoing basis. Hawk is GDPR certified.

Download the certificate here.