Security at Headway
At Headway we take data security and privacy very seriously. This page provides some general information about our practices to give you confidence in how we secure your data.
Data Center Security
- Headway hosts its infrastructure and data entirely in Amazon Web Services (AWS).
- We follow AWS’ best practices which allows us to take advantage from their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see: https://aws.amazon.com/security
- We use help of external consulting companies to review our infrastructure under AWS Well Architected framework.
Failover and Disaster Recovery
- Our systems were designed and built with disaster recovery in mind.
- Our infrastructure and data are spread across multiple AWS Availability Zones and systems will continue to work even in case of any one of those data centers fail.
- Our databases use hot standby replicas located in different data centers to ensure high availability.
Virtual Private Cloud
- All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
- The entire Headway application is encrypted with TLS.
- We maintain an A+ from Qualys/SSL Labs.
- Our databases use encryption at rest and in transit.
Application Level Security
- Login pages and logins via the Headway API have brute force protection.
- We stored all passwords in hashed form ensuring that we can't view them.
- We use third party security tools to continuously scan for vulnerabilities as part of our Continuous Integration pipeline.
Protection from Data Loss
- All our data is automatically backed up every day.
- We regularly test that our backups are working and can be easily restored.
Internal IT Security
- Only authorized employees have access to our software version control
- Access to servers, source code, and third-party tools are secured with two-factor auth whenever possible.
- Employees are given the lowest level of access that allows them to get their work done.
- All employee contracts include a confidentiality agreement.
- When you purchase a paid Headway subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1 Stripe's security information is available online. To find more about Stripe's security information, see: https://stripe.com/help/security.
- If you’ve discovered a vulnerability in the Headway application, please don’t hesitate to contact us at firstname.lastname@example.org. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues.
If you have any questions, please contact us at email@example.com.