General Security Q&A

What kind of data is handled in the application?

There are mainly two data types synchronized between Humly and the booking systems (i.e., Office 365).

  1. Events Data:
    These data are synced between the Humly control panel and the booking system.
    • Event start and end times.
    • Event Subject
    • Event Organizer
    • Event Attendees
    • Visibility (i.e., Private/Not Private)
    • Resource Name
  2. Usage Data (applicable to on-prem installations):
    • Server Hardware Resources (for on-premises installation), including the CPU, Memory, NICs, OS type, and UUIDs.
    • Connected Devices IPs and MAC addresses.
    • Active Licenses for Humly Workplace solutions products.
    • Statistics on how the meeting rooms and desks are utilized.

How long will the data be stored on Humly?

Meeting data is kept as long as HCP runs, or until the user resets the HCP service in Global settings; the data is kept mainly for the statistics calculation.
Humly does not retain any historical data about meetings deleted from the booking system. The user can control how far into the future HCP synchronizes with the booking system; the available options range from one week to six months.

Is there any possibility of federating accounts (SSO), e.g. with Azure AD?

Yes, single sign-on (SSO) is supported for Azure AD and/or ADFS for a local AD.

Who will be responsible for adding/removing user accounts on Humly?

The customer's IT operator.

Where is the data stored?

Our hardware, including the data storage, is hosted in a data center in Germany.

Does Humly have any other DR location outside the EU?

No. Currently we have one location, in Germany. A DR site is planned for the future in Sweden, the Netherlands, or another location outside the EU.

What are the DDoS protection measures?

  • We continuously monitor, patch, and update all resources to harden them against attacks.
  • We use multilayer security against DDoS and bot attacks: an enterprise WAF, IPS packet analysis, and real-time monitoring.
  • Our customers' instances are isolated from each other. Each customer has their own instance with a separate application and database in the cloud, and we use a content distribution network (CDN) to distribute the resources and IP addresses.

What is the backup policy used by Humly?

  • Our backup policy allows going back one month; we take weekly incremental backups at the storage level.
  • The customer can take a backup from the application itself at any point in time and keep it in safe storage.

Will there be any software installations needed?

No when using the cloud. For an on-prem installation, Humly Control Panel needs to be installed.

Is the data encrypted at rest?

Disk encryption is enabled on all data stores when using the cloud. For an on-prem installation, it is the customer's responsibility to apply proper disk encryption.

Is the data encrypted in transit?

All communication between Humly Control Panel and the booking system is encrypted end-to-end using SSL/TLS.

What is the process for storing account passwords? Hashing, salt, etc.

Passwords are stored using the bcrypt algorithm, ensuring passwords are salted and non-reversible. This also protects against rainbow table attacks.

Is it possible to add IP restriction towards the application or MFA (multi-factor authentication)?

Access to the application can be restricted to a specific IP/network with conditional access; please reach out to support@humly.com for this. Single sign-on can also be configured as an alternative login in Humly Control Panel using ADFS or Microsoft SSO.

What brute-force mitigations does Humly have on login?

  • We use rate limiters on REST API endpoints and on DDP (websocket) method calls. For the REST API we use a global rate limiter (regardless of IP or user) in combination with a per-user rate limiter.
  • For DDP (websocket) method calls, we use a rate limiter keyed by the client address, except for login, which is limited by both address and user.
  • Password updates are rate limited per user address to 3 requests per 30 seconds.
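The combination of limiters described above, as an added example that is not Humly's code: a sliding-window limiter with a shared global key plus a per-user key for the REST API, an address key for DDP method calls, an address-plus-user key for login, and the 3-per-30-seconds address limit for password updates. Only the password-update figure comes from the page; the other limits, window sizes and the composite login key are assumptions, and timestamps are passed in as milliseconds so the behaviour is deterministic.

```javascript
"use strict";
// Added example, not Humly's code. Limits other than the password-update
// figure are constructed placeholders.
class WindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of accepted requests
  }
  // Number of accepted requests for `key` inside the trailing window.
  count(key, now) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    this.hits.set(key, recent);
    return recent.length;
  }
  record(key, now) {
    if (!this.hits.has(key)) this.hits.set(key, []);
    this.hits.get(key).push(now);
  }
  // Denied requests are not recorded, so a rejected burst cannot extend the lockout.
  allow(key, now) {
    if (this.count(key, now) >= this.limit) return false;
    this.record(key, now);
    return true;
  }
}

// REST API: a global limiter (one shared key, independent of IP or user)
// combined with a per-user limiter; a request must pass both before either records it.
const restGlobal = new WindowLimiter(100, 60000); // constructed
const restPerUser = new WindowLimiter(5, 60000); // constructed
function allowRest(userId, now) {
  const globalOk = restGlobal.count("global", now) < restGlobal.limit;
  const userOk = restPerUser.count(userId, now) < restPerUser.limit;
  if (!(globalOk && userOk)) return false;
  restGlobal.record("global", now);
  restPerUser.record(userId, now);
  return true;
}

// DDP (websocket) method calls: keyed by client address only; the login method
// is keyed by address and user together (composite key is an assumption).
const ddpMethod = new WindowLimiter(10, 10000); // constructed
const ddpLogin = new WindowLimiter(5, 10000); // constructed
function allowDdpCall(method, addr, userId, now) {
  if (method === "login") return ddpLogin.allow(`${addr}|${userId}`, now);
  return ddpMethod.allow(addr, now);
}

// Password update: 3 requests per 30 seconds per address (figure stated on the page).
const pwUpdate = new WindowLimiter(3, 30000);
function allowPasswordUpdate(addr, now) {
  return pwUpdate.allow(addr, now);
}
```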

What are the password quality rules?

The minimum password length can be changed in the application as the customer wants. When the application generates a password for the first time, it uses at least 16 complex characters.

What is the password change process?

  • The user password can be changed using a verification code sent to the registered email address.
  • We have measures in place to ensure that this function cannot be misused by an attacker: rate limiters are applied per IP and per user.

Will there be different kinds of authorization roles? How is that handled?

  • We have five user types: Global Admins, Local Admins, Users, Guests, and Statistics Accounts. Each user type has a different access level.
  • Those accounts are handled by assigning one of the five roles to a user. A user can only have one role and will only have the access level of that role.
  • More details can be found in the article "Accounts and users in HCP".

How is the data validation handled when uploading data to HCP?

  • All inputs are validated against a schema so that they can only contain permitted strings, numbers, and allowed characters.
  • All uploaded files are scanned using the cloud AV solution. For an on-prem installation, it is the customer's responsibility to install a proper AV solution.

How often does Humly perform an external penetration test?

We do not have a specific schedule for pen tests, but we do them roughly once a year or when needed. These are white-box pen tests.

What kind of actions are logged?

Depending on the log level chosen in settings, different amounts of information about the system's performance are logged. Any sensitive information is masked by a rule set that filters all logs. The customer is the only one with access to the logs.