Security | Hyphen

Hyphen is committed to platform security

At Hyphen, we have always taken security and privacy of data seriously, and you can rest assured that your data is in capable hands. We apply top-notch security technologies and rigorous processes that put the safety of our customers' data first. Contact us at [email protected] for additional information.

Culture of Security

We've been security-minded since day one, putting security first in every step of the development lifecycle. Our entire Hyphen product and engineering team has been through security training and holds one another's work accountable through regular code reviews, penetration tests, and vulnerability scans.

Hyphen is committed to platform security

Data Encryption

Data Encryption

As per industry best practices HTTPS and Transport Layer Security (TLS)

Web Application Security

Web Application Security

Follows industry-standard secure coding guidelines

Physical & Network Security

Physical & Network Security

Hosts data in dedicated facilities with 24x7 security

Physical Security, Logical Data Separation, and Encryption

Hyphen operates in ISO-certified workrooms with PCI DSS Service Level 1 compliance. We keep data logically separate and tag all data by organization throughout the lifecycle. No data is transmitted to Hyphen without encryption. AES 256-bit encryption protects all data at rest, and spinning disks are encrypted at the OS level. Data is kept for long term on Amazon S3, encrypted by a customer key that is changed every 24 hours.

User-Level Security

A secure session ID tracking mechanism ensures that only authorized users are able to authenticate.

Single Sign-On (SSO) is available for employees and managers to log in using their existing company credentials, without requiring a separate Hyphen login.

Hyphen's Role-Based Access Control (RBAC) allow our customers to set up per-role or per-user permissions to data and functionality from the admin console.


The Hyphen security team performs regular scans on all new servers to check for the most common security vulnerabilities. This includes:

  • ASV scans
  • Penetration tests
  • Local file intrusion
  • Remote file inclusion
  • Unvalidated redirect
  • And more

Our penetration testing policies enable us to find and address any vulnerabilities immediately—keeping you safe, and your data secure.

Certifications and Compliance

Hyphen is a native cloud application and uses Heroku on top of AWS technologies. AWS's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)
  • Compliant with EU General Data Protection Regulations

GDPR Compliance

Since the EU General Data Protection Regulation (GDPR) became effective on May 25, 2018, we have updated our policies and practices to align with the GDPR requirements and principles.

GDPR Compliance

From an employee awareness perspective, our communication templates clearly introduce upcoming survey invite and reminder emails, and our privacy policy details how we process data, as well as the security and anonymity that's provided.

From a legal and contractual perspective, a Data Processing Addendum (DPA) is available for our subscribers, that states the obligations of Hyphen (the Data Processor) and yourselves (the Data Controller). Along with our Terms of Service, this will form the contractual basis of GDPR compliance and the instructions under which we will process and protect your data.

In addition, all of our subcontractors are vetted for GDPR compliance.

Security & Compliance FAQs

How is security and privacy compliance enforced?

Upon request, we will share our Data Privacy and Data Architecture policy, our Information Security policy, our Business Continuity and Disaster Recovery plan.

Hyphen provides a secure environment that goes above and beyond industry security standards and guidelines. While technology companies wait much longer to get this certification, Hyphen is in the process of obtaining SOC 2 Type 1 compliance, a standard that specifies best practices and various security controls.

How does Hyphen protect sensitive information?

Sensitive information is stored using several layers of encryption in a segmented network with no public internet access. New encryption keys are generated on a daily basis, and existing keys are rotated on a regular basis.

Does Hyphen follow Web application development and security standard policies?

Hyphen application development follows industry-standard secure coding guidelines. Application is segmented by function to maintain security.  Each of our software releases are tested by QA and security teams for full scope of OWASP security risks.

How does Hyphen secure physical and network access?

Hyphen is hosted in a dedicated hosting environment with 24×7 security. Physical access to the network is strictly limited and monitored. Private networks are strictly segmented according to function. Restrictive firewalls protect communication entering the network and between private networks. All access to Hyphen’s network and services is strictly logged. Internal and external network penetration tests are performed on a regular basis by third-parties.

Is Hyphen GDPR compliant?

In 2018, Hyphen achieved GDPR compliance. Organizations established in the EU or employing EU-based individuals can rest assured that Hyphen is handling their personal information in accordance with the latest EU laws.

Does Hyphen maintain documentation of corporate technical and organizational measures?

Upon request, we will share our Data Privacy and Data Architecture policy, our Information Security policy, our Business Continuity and Disaster Recovery plan.