Security & Compliance.

You trust us with your data, and at Haystack we take that responsibility seriously. Security and compliance are top priorities for Haystack because they are fundamental to your experience and trust with our service. Haystack is committed to securing the data you store with us, eliminating systems vulnerability, and ensuring continuity of access.

Haystack uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Haystack employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.

Security is directed by Haystack’s Chief Technology Officer and maintained by Haystack’s Security Officer.

Haystack is SOC2 Type 2 compliant, which also includes regular 3rd party audits & penetration tests.

You can also visit our Security Center for additional documentation and live status of our controls environment.

SOC2 Type 2 Accreditation symbol

Infrastructure & Network Security

Physical Access Control

Haystack is hosted on Google Cloud Platform (GCP)’s West EU-1 Region. GCP’s data centers feature a layered security model, including extensive safeguards such as:

  • Custom-designed electronic access cards

  • Alarms

  • Vehicle access barriers

  • Perimeter fencing

  • Metal detectors

  • Biometrics

According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”

Haystack employees do not have physical access to GCP data centers, servers, network equipment, or storage.


Logical Access Control

Haystack is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Haystack technical team members have access to configure the infrastructure on an as-needed basis requiring two-factor authentication and a VPN connection. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.


Penetration Testing

Haystack undergoes annual penetration testing conducted by an independent, third-party agency. For testing, Haystack provides the agency with an isolated clone of the Haystack platform and a high-level diagram of application architecture.  No customer data is exposed to the agency through penetration testing.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. A summary of penetration test findings is available upon request to enterprise customers.

Third-Party Audit

Haystack undergoes regular 3rd party audits as part of its SOC 2 Type 2 compliance. On top of this, Google Cloud Platform, our cloud provider, undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Intrusion Detection and Prevention

Unusual network patterns or suspicious behavior are among Haystack’s most significant concerns for infrastructure hosting and management. Haystack and Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.

IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.

Haystack does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.

Business Continuity and Disaster Recovery

High Availability

Haystack’s service uses properly-provisioned, redundant servers (e.g., load balancers, web servers, replica databases) in the case of failure. Haystack’s database is stored on GCP managed cloud DB with High Availability configuration. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Haystack keeps daily encrypted backups of data in multiple zones on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Disaster Recovery

In the event of a region-wide outage, Haystack will bring up a duplicate environment in a different Google Cloud Platform region. The Haystack operations team has extensive experience performing full region migrations.

Data Flow

Data through System

Data is sent securely to/from Haystack via TLS 1.2 or 1.3. All data is AES-256bit encrypted, both in transit and at rest.

Haystack’s latest SSL Labs Report can be found here.

Data Security and Privacy

Data Encryption

All data in Haystack’s servers is encrypted at rest. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service. So, if an intruder were ever able to access any of the physical storage devices, the Haystack data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.

Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.

Haystack exclusively sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application.

Data Retention

Haystack retains your data for as long as we need to do so to provide our services to you. Our backups store information for up to 30 days, and our system logs data is deleted after 400 days.

Data Removal

Haystack’s service gives you control over your data, which means that as a user of Haystack you are able to add, edit or delete any of the information we host about you and your users at any time. Data can also be deleted upon request by the Account Admin or the data subject.

PII Scrubbing

Haystack’s platform is a Marketing tool. As such, we recommend that users only share marketing collateral and minimize sending any personally identifiable information (PII) to Haystack. Account Admins and data subjects can request a PII scrubbing of their data at any time.

Application Security

Two-Factor Authentication & SSO

Haystack’s password policy require all Haystack staff and contractors to use 2FA and SSO wherever available.

Secure Application Development (Software Development Life Cycle - SDLC)

Haystack develops code securely by following our SDLC Policy. The policy includes safety measures such as separated testing and production environments, no customer data on testing environment, code reviews and rigorous testing prior to deployment.

Corporate Security

Workstation security

At Haystack, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations run Drata agent for enabling and enforcing anti-virus and malware protection, full-disk encryption, screen lock, and other security features.

Security Policies

Haystack maintains an internal repository of security policies, which are updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Haystack’s enterprise customers upon request:

  • Information Security

  • Risk Management

  • Security Incident Response

  • Vulnerability Management

  • Data Deletion

  • Change Management

  • System Access

  • SDLC

  • Mobile Device Security

  • Acceptable Use

  • Asset Management

  • Backup

  • Data Classification

  • Data Protection

  • Encryption

  • Password

  • Vendor Management

  • Responsible Disclosure

Background Checks & security training

Haystack conducts background checks for all new hires, including verification on the following:

  • Identity verification

  • National criminal records check

  • County criminal records check

All new employees are required to complete a security training module, and existing staff must complete a security training module at least once a year

Vulnerability Disclosure

Anyone can report a vulnerability or security concern with Haystack’s services by contacting support@thehaystackapp.com and including a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously, and once we receive a disclosure we rapidly verify each vulnerability before taking the necessary steps to fix it.