Customer trust and data security are critical to everything we do at Handbook.
Handbook hosts Service Data primarily in GCP data centers. Facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms. Learn more about GCP security.
Cloud Security
Protection
Our network is protected through the use of key GCP security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used between the Internet and our internal systems, and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Logical Access
Access to the Handbook Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Handbook Production Network are required to use multiple factors of authentication.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when events or metrics exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
Handbook participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
Handbook has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while GCP scaling and protection tools, together with GCP's DDoS-specific services, provide deeper protection.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Availability & Continuity
Redundancy
Handbook employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Encryption
Encryption in Transit
All communications with the Handbook UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Handbook is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions to encryption may include any use of in-product SMS functionality and any third-party app, integration, or service that subscribers choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in GCP using AES-256 encryption.
PCI Obligations
All payments made to Handbook go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
Product Security Features
Secure Credential Storage
Handbook follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API
The Handbook API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported.
Methodology
Handbook stores all documents securely using several encryption methods. Our encryption-at-rest methodology ensures that documents stored on the physical file system remain encrypted until they are requested by an authorized user through the application.
Transmission Security
All communications with Handbook servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and Handbook is secure during transit. Additionally, for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
Configurable Password Policy
Handbook native authentication, available for products through Settings, lets you set custom password rules (appropriate subscription required).
Double Encryption Protection
Handbook utilizes Google Cloud Storage (GCS) for primary protection of Handbook services, yet takes encryption a step further. All data is first encrypted by GCS, then encrypted again by Handbook's application. This means customer data is secured by multiple encryption methods and systems.
Access Privileges & Roles
Access to data within Handbook is governed by access rights and can be configured to define granular access privileges. Handbook has various permission levels for users (Employee, Manager, Administrator, etc.).
Login Tracking
For added security, your Handbook instance tracks the users signing into Handbook. When someone signs into an account, the sign-in is recorded in the Audit Log module.
2-Factor Authentication (2FA)
Handbook native authentication, available for products through Settings, offers two-factor authentication (2FA) for end users via an authenticator app (appropriate subscription required).
IP Restriction Masking
Handbook can be configured to allow access only from specific IP address ranges you define. These restrictions can be applied to all users or only to specific users (appropriate subscription required).
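An allowlist check of the kind described above, as an added example rather than Handbook's implementation. The policy semantics are an assumption for the illustration: a user with a per-user allowlist is restricted to it; every other user is subject to the global allowlist, and an empty global allowlist means no restriction. The sample ranges are constructed from the IETF documentation prefixes, not real customer or Handbook addresses. The check also denies unparseable addresses and unwraps IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), which otherwise slip past an IPv4-only list.

```python
import ipaddress


def parse_networks(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize(addr_str):
    """Parse a client address; IPv4-mapped IPv6 is unwrapped to its IPv4 form."""
    addr = ipaddress.ip_address(addr_str.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _in_any(addr, networks):
    # Membership across address families is False, so mixed lists are safe.
    return any(addr in net for net in networks)


def is_access_allowed(client_ip, username, global_allow, per_user_allow):
    """Decide whether a sign-in from client_ip is permitted for username.

    Assumed policy: a per-user allowlist overrides the global one; an empty
    global allowlist means unrestricted; an unparseable address is denied.
    """
    try:
        addr = normalize(client_ip)
    except ValueError:
        return False
    user_nets = per_user_allow.get(username)
    if user_nets is not None:
        return _in_any(addr, user_nets)
    if not global_allow:
        return True
    return _in_any(addr, global_allow)


# Constructed sample policy using documentation ranges (RFC 5737 / RFC 3849).
GLOBAL_ALLOW = parse_networks(["203.0.113.0/24", "2001:db8:1::/48"])
PER_USER_ALLOW = {
    "contractor": parse_networks(["198.51.100.7/32"]),  # one address only
}

if __name__ == "__main__":
    for ip, user in [("203.0.113.9", "alice"), ("198.51.100.7", "alice"),
                     ("::ffff:203.0.113.9", "alice"), ("198.51.100.7", "contractor")]:
        print(user, ip, is_access_allowed(ip, user, GLOBAL_ALLOW, PER_USER_ALLOW))
```

The decision is only as good as the client address fed into it: take it from the connection itself or from a forwarding header that your edge provider sets and that your origin accepts from the edge alone, never from an arbitrary client-supplied header.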
Transmission Security
Transport Layer Security + 0-RTT
We employ the latest version of Transport Layer Security, TLS 1.3, with 0-RTT. 0-RTT allows the client's first request to be sent before the TLS handshake has fully completed, resulting in faster connection times.
Transport Layer Security Requirement
We enforce strong cryptographic standards by requiring visitors' browsers to use the latest Transport Layer Security (TLS) protocol version.
Threat Mitigation
Handbook employs a multi-layered hybrid firewall system that protects Handbook’s core services from Distributed Denial of Service attacks, Denial of Service attacks, and many other threats.
Edge + Origin Protection
Handbook utilizes Edge and Origin Certificate techniques to prevent man-in-the-middle (MITM) attacks between nodes and customer browsers. This enhances security between Handbook and the customer.
Origin Ghosting
The Handbook Origin servers employ ghosting mechanisms to ensure attackers cannot see server locations, IPs, or information related to the Handbook service. This is handled by several commercial vendors and the firewall technologies in place.
© Handbook - All Rights Reserved