Security Policy
Last updated: Feb 13, 2024
This Tariff Hippo Security Policy is issued under and forms part of the Terms and Conditions. Provider considers the protection of Customer Content a top priority. Provider uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Customer Content stored on systems under Provider’s control. In order to protect its network from evolving threats and disruptions and to maintain effective security controls, Provider may modify this Security Policy, with notice to Customer. No modification will materially decrease Provider’s security obligations during a Subscription Term.
1. Customer Content Access and Management Controls
Tariff Hippo implements formal procedures to limit its personnel’s access to Customer Content as follows:
- Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually assigned Secure Shell (SSH) keys for external engineer access.
- Limits the Customer Content accessible to Provider personnel on a “need-to-know” basis.
- Limits access to Tariff Hippo’s production environment by Provider’s personnel on the basis of business need.
- Prohibits Tariff Hippo personnel from storing Customer Content on portable electronic storage devices, such as laptops, portable drives, and other similar devices.
- Logically separates each of Provider’s users’ data and maintains measures designed to prevent Customer Content from being exposed to or accessed by other users.
2. Data Encryption
Provider provides industry-standard encryption for Customer Content as follows:
- Implements encryption in transit and at rest.
- Uses strong encryption methodologies to protect Customer Content, including AES 256-bit encryption for Customer Content stored in Tariff Hippo’s production environment.
- Encrypts all Customer Content located in cloud storage while at rest.
- Implements full-disk encryption for the hard drives of all personnel workstations.
3. Network Security, Physical Security, and Environmental Controls
- Tariff Hippo implements properly configured and patched firewalls, network access controls, and other technical measures designed to prevent unauthorized access to systems processing Customer Content.
- Tariff Hippo maintains effective controls to ensure that security patches for systems and applications used to provide the Service are properly assessed, tested, and applied.
- Tariff Hippo monitors privileged access to applications that process Customer Content, including cloud services.
- Tariff Hippo operates on Amazon Web Services (“AWS”) and is protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at AWS Security and Sharing the Security Responsibility. AWS ISO certification and SOC Reports are available at AWS ISO Certified and AWS SOC FAQs, respectively.
- Customer Content hosted in AWS is AES-256 encrypted both in transit and at rest. AWS does not have access to unencrypted Customer Content.
4. Independent Security Assessments
Tariff Hippo will periodically assess the security of its systems and the Service as follows:
- Annual penetration testing of the Service is conducted by independent third-party security experts and includes black-box automated and manual penetration testing of the infrastructure and application (including mobile versions). At Customer’s request, Tariff Hippo will provide Customer with a high-level summary of the most recent penetration test, subject to reasonable confidentiality protections.
- Monthly vulnerability scanning.
5. Incident Response
If Tariff Hippo becomes aware of unauthorized access or disclosure of Customer Content under its control (an “Incident”), Tariff Hippo will:
- Take reasonable measures to mitigate the harmful effects of the Incident and prevent further unauthorized access or disclosure.
- Upon confirmation of the Incident, notify the Customer’s designated security contact by email within 72 hours. Tariff Hippo is not required to make such notice to the extent prohibited by Laws, and Tariff Hippo may delay such notice as requested by law enforcement and/or in light of Tariff Hippo’s legitimate need to investigate or remediate the matter before providing notice.
- Each notice of an Incident will include:
  - The extent to which Customer Content has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the Incident.
  - A description of what happened, including the date of the Incident and the date of discovery of the Incident, if known.
  - The scope of the Incident, to the extent known.
  - A description of Tariff Hippo’s response to the Incident, including steps Tariff Hippo has taken to mitigate any harm caused by the Incident.
6. Business Continuity Management
- Tariff Hippo maintains a business continuity and disaster recovery plan in accordance with industry trends and standards.
- Tariff Hippo maintains processes to ensure failover redundancy for its systems, networks, and data.