Security at Headway
At Headway we take data security and privacy very seriously. This page provides some general information about our practices to give you confidence in how we secure your data.
Data Center Security
- Headway hosts its infrastructure and data entirely in Amazon Web Services (AWS).
- We follow AWS best practices, which lets us take advantage of their secure, distributed, fault-tolerant environment. To find out more about AWS security practices, see: https://aws.amazon.com/security
- We engage external consulting companies to review our infrastructure against the AWS Well-Architected Framework.
Failover and Disaster Recovery
- Our systems were designed and built with disaster recovery in mind.
- Our infrastructure and data are spread across multiple AWS Availability Zones, and our systems continue to work even if any one of those data centers fails.
- Our databases use hot standby replicas located in different data centers to ensure high availability.
Virtual Private Cloud
- All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
Encryption
- All traffic to the Headway application is encrypted with TLS.
- We maintain an A+ from Qualys/SSL Labs.
- Our databases use encryption at rest and in transit.
Application Level Security
- Login pages and logins via the Headway API have brute force protection.
- We store all passwords in hashed form, so we cannot view them.
Vulnerability Scanning
- We use third party security tools to continuously scan for vulnerabilities as part of our Continuous Integration pipeline.
Protection from Data Loss
- All our data is automatically backed up every day.
- We regularly test that our backups are working and can be easily restored.
Internal IT Security
- Only authorized employees have access to our software version control.
- Access to servers, source code, and third-party tools is secured with two-factor authentication whenever possible.
- Employees are given the lowest level of access that allows them to get their work done.
- All employee contracts include a confidentiality agreement.
PCI Obligations
- When you purchase a paid Headway subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we rely on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1. To find out more about Stripe's security practices, see: https://stripe.com/help/security.
Responsible Disclosure
- If you’ve discovered a vulnerability in the Headway application, please don’t hesitate to contact us at security@headwayapp.co. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues.
Contact Us
If you have any questions, please contact us at hello@headwayapp.co.