Security

Last updated: 21-02-2022

Data Security

Hortis is hosted on the Google Cloud Platform (GCP), and all user data is stored in one of the following regions, depending on the customer's location: US, UK, EU or AU.

Our platform utilises a Cloud SQL data service in each relevant region, hosted in a Virtual Private Cloud (VPC) network with software-defined networking and firewall protection. The service is compliant with SSAE 16, ISO 27001, PCI DSS and HIPAA.

To prevent data loss caused by hardware failure, the cloud service data is stored on a distributed, replicated file system, ensuring service continuity. Hortis is also designed to prevent data corruption caused by end users: every revision of plant collection data is stored in an immutable data structure, so changes can be tracked and earlier states recovered. As part of our disaster preparedness, the data is safeguarded using three different backup strategies:

  • The data service is configured with point-in-time recovery (also known as continuous backup), which means we can restore or recover data from any moment within the last 7 days.
  • Automated daily backups, archived on Google infrastructure.
  • Automated backups, twice a day, archived on a different cloud infrastructure.


GDPR Compliance

We are committed to the principles inherent in the General Data Protection Regulation (GDPR) and adhere to its requirements, which include GDPR training for all relevant staff.

Application Security

Traffic between the Hortis servers and the web app is encrypted using industry-standard Transport Layer Security (TLS). All connections are made over HTTPS.

The Hortis web app employs a Content Security Policy (CSP) to guard against cross-site scripting (XSS) attacks.

API endpoints are protected with OAuth access tokens, preventing unauthorised access.

Login Security

Hortis uses OAuth 2.0 as the protocol for authentication and access control.

When using built-in authentication, Hortis enforces the "Good" password strength level as defined in Auth0's password strength policies.

In addition, we offer Single Sign-On (SSO) through third-party authentication from providers such as Google and Microsoft.