Caret down icon

Security

Security

Communication
  • All connections to Hero are encrypted by default, in both directions using modern ciphers and cryptographic systems. Hero maintains an A+ from Qualys SSL Labs
  • Any attempt to connect over HTTP is redirected to HTTPS
  • Hero use HSTS to ensure browsers interact with Hero only over HTTPS
Application and Data
  • Hero uses standard, well-reviewed cryptographic protocols and message formats when transferring and storing data
  • Software engineering teams follow industry-standard secure coding guidelines, such as those recommended by OWASP
  • Security settings of applications are tuned to ensure appropriate levels of protection
Infrastructure and Network
  • Hero's servers are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and their vendors
  • Amazon provides as extensive list of compliance and regulatory assurances, including SOC 1, 2, and 3, and ISO 27001. See Amazon compliance and security docs for more detailed information
  • Hero operates within Amazon Virtual Private Cloud (VPC), with network segregated by security level and firewalls configured to restrict network access
Access Control
  • Multi-factor authentication and strong password controls are required for administrative access to systems
  • Hero controls access to sensitive data, application data, and cryptographic keys
  • Access to secure services and data is strictly logged and audit logs are reviewed regularly
Policies
  • Hero has developed a comprehensive set of Information Security policies covering a range of topics
  • Hero performs background checks on all new employees in accordance with local laws
  • Hero mandates that employees act in accordance with security policies designed to keep customer data safe
  • All employees annually attend Information Security Awareness Training
Vulnerability Disclosure

Hero strives to stay on top of the latest security developments both internally and by working with external security researchers and companies. If you believe you’ve discovered a bug in Hero’s security, please get in touch at security@herohealth.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until we have had a chance to address it. To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.