Security and Compliance

Security and
Compliance Centre

Learn more

At HiJiffy, we understand that trust is the cornerstone of every successful business relationship, so we are committed to safeguarding data with the highest standards of security, privacy, and compliance.

This Security and Compliance Centre offers a comprehensive overview of our robust encryption, security protocols, and adherence to international standards, ensuring the protection of business data.

Here, you’ll find insights into how we manage security risks, our transparent data-handling practices, and our ongoing efforts to adapt and respond to new challenges in data management.

Verified Trustworthiness

System Status

Controls

Subprocessors

View all subprocessors

Amazon Web Services EMEA SARL

Used for hosting our services.

Google Cloud EMEA Limited

Used for hosting our services and utilizing their API services (e.g., Translate, LookerStudio, Google BigQuery).

Twilio, Inc.

Used as a provider for sending SMS and WhatsApp messages.

MessageBird UK Limited

Used for the Pusher service to operate our chat widget in real-time.

FAQ

View all faq’s

Where are your servers located?

Ireland, AWS

What privacy/security settings are available?

2FA, Strong password policy, SSO (SAML), IP Whitelisting, Document Data Encryption Per Account, User Permissions

Do you encrypt data at rest and transit?

Yes, Data at reset is encrypted with AES-256 encryption keys.
For all web traffic sent over the public Internet, the TLS v1.2 protocol or better is utilized.

Controls

Infrastructure security

Organizational security

Product security

Internal security procedures

Data and Privacy

Infrastructure security

CONTROL

STATUS

Unique production database authentication enforced:

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

Encryption key access restricted:

The company restricts privileged access to encryption keys to authorized users with a business need.

Unique account authentication enforced:

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

Production application access restricted:

System access restricted to authorized access only

Access control procedures established:

The company’s access control policy documents the requirements for the following access control functions: adding new users; modifying users; and/or removing an existing user’s access.

Production database access restricted:

The company restricts privileged access to databases to authorized users with a business need.

Firewall access restricted:

The company restricts privileged access to the firewall to authorized users with a business need.

Production OS access restricted:

The company restricts privileged access to the operating system to authorized users with a business need.

Production network access restricted:

The company restricts privileged access to the production network to authorized users with a business need.

Access revoked upon termination:

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

Unique network system authentication enforced:

The company requires authentication to the “production network” to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Remote access MFA enforced:

The company’s production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Remote access encrypted enforced:

The company’s production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Network segmentation implemented:

The company’s network is segmented to prevent unauthorized access to customer data.

Network firewalls utilized:

The company uses firewalls and configures them to prevent unauthorized access.

Network and system hardening standards maintained:

The company’s network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

Organizational security

CONTROL

STATUS

Anti-malware technology utilized:

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Code of Conduct acknowledged by employees and enforced:

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Confidentiality Agreement acknowledged by contractors:

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Confidentiality Agreement acknowledged by employees:

The company requires employees to sign a confidentiality agreement during onboarding.

Performance evaluations conducted:

The company managers are required to complete performance evaluations for direct reports at least annually.

Password policy enforced:

The company requires passwords for in-scope system components to be configured according to the company’s policy.

Security awareness training implemented:

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Product security

CONTROL

STATUS

Control self-assessments conducted:

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

Penetration testing performed:

The company’s penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Data transmission encrypted:

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Vulnerability and system monitoring procedures established:

The company’s formal policies outline the requirements for the following functions related to IT / Engineering:
– vulnerability management;
– system monitoring.”

Internal security procedures

CONTROL

STATUS

Continuity and Disaster Recovery plans established:

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Configuration management system established:

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Change management procedures enforced:

The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

Production deployment access restricted:

The company restricts access to migrate changes to production to authorized personnel.

Backup processes established:

The company’s data backup policy documents requirements for backup and recovery of customer data.

System changes externally communicated:

The company notifies customers of critical system changes that may affect their processing.

Management roles and responsibilities defined:

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

Organization structure documented:

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Security policies established and reviewed:

The company’s information security policies and procedures are documented and reviewed at least annually.

Support system available:

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

System changes communicated:

The company communicates system changes to authorized internal users.

Access reviews conducted:

The company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

Access requests required:

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

Incident response policies established:

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Incident management procedures followed:

The company’s security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company’s security incident response policy and procedures.

External support resources available:

The company provides guidelines and technical support resources relating to system operations to customers.

Service description communicated:

The company provides a description of its products and services to internal and external users.

Third-party agreements established:

The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Data and Privacy

CONTROL

STATUS

Data retention procedures established:

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Data classification policy established:

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Controls

Amazon Web Services EMEA SARL

Used for hosting our services.

Google Cloud EMEA Limited

Used for hosting our services and utilizing their API services (e.g., Translate, LookerStudio, Google BigQuery).

Twilio, Inc.

Used as a provider for sending SMS and WhatsApp messages.

MessageBird UK Limited

Used for the Pusher service to operate our chat widget in real-time.

Triptease Ltd

Used to operate the functionality of real-time comparison between the booking engine price and the prices on the most popular OTA platforms.

DeepL

Machine Translations

Open AI • Used only for AI add-ons

AI abilities used for AI add-ons