Hockeystick maintains a comprehensive set of IT controls which are regularly audited by an independent auditor to ensure the company is meeting its compliance obligations. The control procedures for our service have been verified in a SOC 2 Type I report.
Users control their own password and authentication on Hockeystick. You do not need to share your password to share data or perform any action on Hockeystick; simply use the sharing tools built into the platform to add or revoke sharing at any time.
Passwords must meet the following criteria:
Users who hold owner or administrator rights have access to additional functionality which allows them to add or remove other users, assign user roles and permissions, and enable data sharing.
Hockeystick maintains bank-level digital security: 256-bit SSL encryption (with an A+ rating via Qualys SSL Labs). This includes OCSP stapling and HTTP strict transport security.
We utilize Amazon Web Services (AWS) to host our servers and data. AWS has a suite of compliance certificates for their data centers, including full SSAE 16 (SOC 1, SOC 2, and SOC 3) compliance. Our server instances are hosted in a virtual private cloud, using only data centers located in Canada. Only select Hockeystick engineers have access to our production environment. All direct access to our production systems is protected by public key encryption and two-factor authentication.
Our files, including those that you upload, are hosted on the AWS storage service. We protect access to download these private files through cryptographic signatures, and links are time-limited for extra protection. Private keys are rotated at least annually, and access to private keys is restricted to a subset of Hockeystick engineers.
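The signed, time-limited download links described above can be built from an HMAC over the object path, an expiry timestamp and a key identifier, so that a link cannot be altered or reused after it expires, and so that old signing keys can be retired on a schedule. The following is an added example, not Hockeystick's code; the host name, key identifiers, key material and the query-parameter names are all constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing keys. A real deployment would load these from a key store;
# keeping the previous key lets links issued just before a rotation still verify.
SIGNING_KEYS = {
    "k2": b"constructed-current-signing-key",
    "k1": b"constructed-previous-signing-key",
}
CURRENT_KEY_ID = "k2"
BASE_URL = "https://files.example.test/download"  # assumed host, not a real one


def _canonical(path, expires, key_id):
    """Bytes covered by the signature: everything the server will trust from the URL."""
    return f"{path}\n{expires}\n{key_id}".encode()


def sign_download_url(path, ttl_seconds, now=None, key_id=CURRENT_KEY_ID):
    """Issue a link for `path` that stops working after `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    mac = hmac.new(SIGNING_KEYS[key_id], _canonical(path, expires, key_id),
                   hashlib.sha256).hexdigest()
    query = urlencode({"path": path, "expires": expires, "kid": key_id, "sig": mac})
    return f"{BASE_URL}?{query}"


def verify_download_url(url, now=None):
    """Return the object path if the link is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        path = params["path"][0]
        expires = int(params["expires"][0])
        key_id = params["kid"][0]
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None  # malformed link
    key = SIGNING_KEYS.get(key_id)
    if key is None:
        return None  # signed with a key that has been retired or never existed
    expected = hmac.new(key, _canonical(path, expires, key_id), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # path, expiry or key id was altered
    if now >= expires:
        return None  # link has expired
    return path


if __name__ == "__main__":
    link = sign_download_url("docs/report.pdf", ttl_seconds=300)
    print(link)
    print("valid ->", verify_download_url(link))
```

The signature check runs before the expiry check so that the expiry value used for the decision is itself authenticated; a link whose `expires` parameter has been pushed into the future fails verification rather than being honoured.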
All database queries and traffic are routed only through SSL-secured connections.
All technical and software changes go through a rigorous peer-review process and a full suite of technical acceptance tests.
The Hockeystick website is only served over TLS version 1.2 to keep website traffic secure.
Attempts to log in with incorrect usernames or passwords are rate-limited to greatly reduce the opportunity to brute-force a User Account's password.
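One way to implement the rate limiting described above is a sliding window of recent failures kept per account and per source address, with the password not even evaluated while either limit is exceeded. This is an added example, not Hockeystick's code: the limits, the demo credential store and the function names are constructed for illustration, and the plaintext comparison in `demo_verify` stands in for the bcrypt check a real service would perform.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter on failed login attempts.

    Failures are counted separately per account name and per source IP; exceeding the
    limit on either key refuses further attempts until old failures age out of the window.
    The defaults are constructed for this example.
    """

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    @staticmethod
    def _keys(username, source_ip):
        # Normalise the account name so "Alice " and "alice" share one counter.
        return (f"user:{username.strip().lower()}", f"ip:{source_ip}")

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures that have left the window
        return q

    def is_blocked(self, username, source_ip, now):
        return any(len(self._recent(k, now)) >= self.max_failures
                   for k in self._keys(username, source_ip))

    def record_failure(self, username, source_ip, now):
        for k in self._keys(username, source_ip):
            self._failures[k].append(now)

    def record_success(self, username):
        # Reset only the account counter; the per-IP counter stays so that one source
        # cycling through many accounts still runs into its limit.
        self._failures.pop(f"user:{username.strip().lower()}", None)


def attempt_login(limiter, verify_credentials, username, password, source_ip, now=None):
    """Return 'blocked', 'denied' or 'ok'.

    While blocked the password is not checked at all, and an unknown account and a
    wrong password produce the same 'denied' answer so the response does not reveal
    which accounts exist.
    """
    now = time.time() if now is None else now
    if limiter.is_blocked(username, source_ip, now):
        return "blocked"
    if verify_credentials(username, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username, source_ip, now)
    return "denied"


# Constructed credential store for the stand-alone run (plaintext stand-in for a bcrypt hash).
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(username, password):
    stored = _DEMO_USERS.get(username, "")
    return username in _DEMO_USERS and hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    for _ in range(3):
        print(attempt_login(limiter, demo_verify, "alice", "guess", "203.0.113.5"))
    print(attempt_login(limiter, demo_verify, "alice", "correct horse battery staple", "203.0.113.5"))
```

Because the block is checked before the credentials, a correct password submitted during the block still gets "blocked", which is what denies an automated guesser the signal that it has hit the right value.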
All passwords are hashed using bcrypt which is a hashing function based on the Blowfish cipher.
Our database is backed up hourly to servers located only within Canada.
All changes to any customer data are automatically logged. This allows us to identify what data changed, on which date, by whom, and from where.
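An audit trail that answers "what changed, when, by whom and from where" can be produced by diffing a record before and after each write and appending one entry per change. The added example below is not Hockeystick's code; it goes one step beyond the text by chaining each entry to the SHA-256 of the previous one so that removal or editing of earlier entries is detectable, and the entity names, field names and sample records are constructed for illustration.

```python
import hashlib
import json

# Field names assumed for illustration; their values are never written to the log.
SENSITIVE_FIELDS = {"password_hash", "api_token"}


def diff_record(before, after):
    """Return {field: (old, new)} for every field whose value differs."""
    changes = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            changes[field] = (old, new)
    return changes


def make_audit_entry(entity_type, entity_id, before, after, actor, source_ip, timestamp):
    """Build one audit record, or None when nothing actually changed."""
    changes = diff_record(before, after)
    if not changes:
        return None
    return {
        "ts": timestamp,  # ISO-8601 UTC string supplied by the caller
        "entity": f"{entity_type}:{entity_id}",
        "actor": actor,
        "source_ip": source_ip,
        "changes": {
            f: ["<redacted>", "<redacted>"] if f in SENSITIVE_FIELDS else [o, n]
            for f, (o, n) in changes.items()
        },
    }


class AuditLog:
    """Append-only JSON lines; each line carries the hash of the previous line."""

    GENESIS = "0" * 64

    def __init__(self):
        self.lines = []

    def append(self, entry):
        if entry is None:
            return  # no-op writes produce no audit noise
        prev = hashlib.sha256(self.lines[-1].encode()).hexdigest() if self.lines else self.GENESIS
        self.lines.append(json.dumps({**entry, "prev": prev}, sort_keys=True))

    def verify_chain(self):
        """False if any entry was altered or removed after a later entry was written."""
        expected = self.GENESIS
        for line in self.lines:
            if json.loads(line)["prev"] != expected:
                return False
            expected = hashlib.sha256(line.encode()).hexdigest()
        return True

    def history(self, entity, field):
        """(timestamp, actor, source_ip) for every change to one field of one entity."""
        out = []
        for line in self.lines:
            rec = json.loads(line)
            if rec["entity"] == entity and field in rec["changes"]:
                out.append((rec["ts"], rec["actor"], rec["source_ip"]))
        return out


if __name__ == "__main__":
    log = AuditLog()
    before = {"name": "Acme Corp", "valuation": 1000000, "api_token": "old"}
    after = {"name": "Acme Corp", "valuation": 1500000, "api_token": "new"}
    log.append(make_audit_entry("company", 42, before, after,
                                "alice@example.test", "203.0.113.7", "2024-01-02T03:04:05Z"))
    print(log.lines[0])
    print("chain ok:", log.verify_chain())
```

The chain only proves integrity of entries written before the last one, so in practice the latest hash is also copied somewhere the application cannot overwrite, such as a separate log sink.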
Each entity in Hockeystick — company, fund, organization — owns its own data and has full control over whom that data is shared with. This right is retained no matter how many times the owner shares the data.
Anyone who receives data has full rights to use that copy of it without risk that it can be modified or deleted by the original owner. Where data is gathered from public sources, the company has the right to enhance and correct such data in their public profile.
The Hockeystick team cares deeply about the security of its product and the data that our customers entrust to us. We will thoroughly investigate any reported vulnerability that jeopardizes either. Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.
If you believe you've found a security issue with our product, please send an email to firstname.lastname@example.org.