Hugo's Google Single Sign-on and Office 365 Single Sign-on (SSO) allow you to authenticate users through your own identity systems without requiring them to enter additional login credentials. This also reduces the risk associated with maintaining a separate password to access Hugo.
We recommend that you enforce Multi-Factor Authentication through Google Suite and Microsoft Office 365 to increase the security of your Google and Microsoft credentials, and in turn the security of the data you store in Hugo.
Within the app, you can assign either team member or admin permission levels to your teammates.
Admin permissions ensure only authorized users can remove team members, change billing settings or change other teammates' permission levels.
All Hugo services and data are hosted with Amazon Web Services (AWS) in the United States in the US West region. Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security/.
We have the ability to leverage multiple AWS availability zones and we will be able to quickly restore availability should any data center fail.
All of our servers are located within an isolated Virtual Network, separated from other internal and external networks, which prevents unauthorized access.
All data sent to or from Hugo is encrypted in transit and all data stored by Hugo is encrypted at rest, using 256-bit encryption. Our API and application endpoints are TLS/SSL only.
Hugo has a process for handling security events which includes escalation procedures, rapid mitigation and post-mortem reviews. All employees are informed of our policies.
We use AWS backup services to reduce the risk of data loss in the event of a hardware failure, back up to multiple data centers, and use a number of monitoring services to alert the team to any failures affecting users.
Hugo performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for employees.
All Hugo employees go through employee onboarding that includes security awareness training covering information security topics such as phishing, password management and more.
All Hugo employees are required to sign a confidentiality agreement before they begin.
Hugo uses Fleetsmith to monitor its Mac devices, with enforced policies for full-disk encryption, OS updates and more.
Hugo laptops are equipped with anti-malware software to protect against malicious software.
Hugo continuously updates and patches its systems and monitors for threats and vulnerabilities.
Access to Hugo infrastructure is limited to authorized employees who require it for their role. Changes are automated using access roles with the least required permissions.
Every Hugo page and service is served over HTTPS.
We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and other critical tools and services to ensure access to cloud services is protected.
Hugo adheres to the principle of least privilege with respect to identity and access management.
Hugo does quarterly access reviews of all employee privileges to sensitive systems.
All Hugo-issued laptops use 1Password so that employees can manage passwords and maintain password complexity.
All payments made to Hugo go through our partner, Stripe. Details about their security setup and PCI compliance can be found here.
Hugo undergoes independent third-party assessments to test our security and compliance controls.
Hugo is SOC 2 ready and expects to have a final SOC 2 Type 1 Report in early 2022 and a SOC 2 Type 2 Report soon after.
Hugo undergoes an independent third-party penetration test at least annually to hunt down security vulnerabilities.