Enterprise-grade Data Protection

Trust Haystack to keep your data secure and meet your compliance requirements.

Haystack Security by Topic

Production Security

We run 100% on the cloud using Google Cloud Platform (GCP) within a Google Cloud Virtual Private Cloud. GCP runs the Haystack platform and provides a reliable, scalable and secure way to process customer data. Our production infrastructure is locked down so that only our load balancer machines are allowed to receive external web traffic. Each host is assigned a role; security groups are used to define the expected traffic between these roles.

Haystack production is deployed in Google Kubernetes Engine(GKE) VPC-native clusters. The cloud VPC enables private access only from authorized VPC networks, It cannot be accessed via the public internet, except via the user-facing portal for the authenticated users accessing the authorized resources. It allows Haystack to implement private network routing, IP restrictions, service perimeters, firewall rules, access policies and other fine-granular network controls and security measures. Google Cloud VPC protects against security risks like credential theft, compromised insider attack, IAM misconfigurations and provides comprehensive service access monitoring.

Client data is fully encrypted at rest and in transit. Our use of Google Cloud Platform enables us to take the advantage of its world-class encrypted databases and storages. All client data is fully redundant across multiple availability zones.

Web Servers & Application Servers

Google Kubernetes Engine (GKE) is used to host Haystack application APIs and web servers. GKE has many native security features built-in both at the cluster levels and node levels. GKE uses Google's Container-Optimized OS as the operating system on which to run Kubernetes and its components. Container-Optimized OS implements several advanced features for enhancing the security of GKE clusters, including: Locked-down firewall, Read-only filesystem where possible and Limited user accounts and disabled root login.

Databases

Haystack uses GCP hosted Google Cloud Sql as the relational database hosting provider. It is fully managed and security-enhanced by Google. Haystack uses it to store client information including employees, teams, posts, events and other data inputted by the customers.

File Storage

Files are securely stored in Google Cloud Storage (GCS). Haystack uses GCS to store uploaded images, attachments, videos and other assets. Files are uploaded directly into client organization's dedicated locations and are clearly separated.

Encryption-at-rest

Database data is hosted in Google Cloud SQL encrypted using the 256-bit Advanced Encryption Standard (AES-256), which is one of the strongest block ciphers available. Database data is automatically backed up and can be easily restored in disaster situations. Blob storage data is securely stored in Google Cloud Storage, which is also encrypted using AES-256 and fully replicated across multiple data center zones.

Encryption-in-transit

TLS is used everywhere to protect data in transition, within the data center and user-facing applications(web and mobile). All application communications are encrypted using HTTPS, using TLS V1.2. All underlying access from APIs to the storage and services are encrypted and via secured private networking channels.

Third-party Integrations

Haystack offers 3rd-party integrations with popular services like Google Drive, Google Calendar, Confluence, etc. It integrates with these systems via industry standard OAuth protocols; individual user's permissions are exactly respected in Haystack. Our universal search does not index the content from these services and makes no data copies. To minimize data exposure, Haystack does not proxy these search api calls either, the search calls are made directly from the user's browsers or mobile apps to the source-of-truth services via their individual search apis.

Production Access

Haystack follows the principles of least privilege to minimize the risk of exposure. It adopts a role-based-access-control model when provisioning data and production system access. Haystack personnel are authorized to access production data based on their specific task needs, job functions, roles and responsibilities. All production accesses require an explicit approval from the security lead. The access rights are reviewed semi-annually. Before a personnel is granted access to the production environment, the personnel is required to complete internal security, privacy and data protection trainings. All the production access are logged and changes in the production environment are audited. Haystack leverages the auditing infrastructure provided in GKE to automation, identify any deviation from our security and privacy standards. Accesses to production data and systems are promptly removed upon termination of their employment.

Secret & Key Management

Haystack implements encryption at-rest and in-transit by default everywhere in the system. Google Kubernetes Environment (GKE) encrypts customer content stored at rest, including secrets or other sensitive data. It handles and manages this default encryption out of the box for Haystack. On top of the system layer encryption, we added an additional application layer encryption to further safeguard any sensitive data, including secrets and keys. This provides an extra protection against attackers who gain access to sensitive data via a compromised employee account for example.
‍
Haystack adopts best-in-class key management systems for our corporate environment and production environments, including LastPass and Google Cloud Key Management Service (Cloud KMS) to host and manage keys. The key management infrastructures allows us to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized, well-controlled and audited environment.

Ready to get started? Get in touch or view our demo.

Haystack integrates with your favorite workplace tools - no need to start from scratch.

Request a DemoLearn More

Product

What is Haystack?

Core Features

More

Resources

Resources

Company

Enterprise-grade Data Protection

Haystack Security by Topic

Ready to get started? Get in touch or view our demo.