Security Center

Product Security

SSO and Multi-Factor Authentication

Hugo's Google Single Sign-on and Office 365 Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials, it also reduces the risk associated with additional passwords to access Hugo.
We recommend that you enforce Multi-Factor Authentication through Google Suite and Microsoft Office 365 to increase the security of your Google and Microsoft credentials, and in turn the security of the data you store in Hugo.

Permissions

We enable team member and admin permission levels within the app to be set for your teammates.

Admin permissions ensure only authorized users can remove team members, change billing settings or change other teammates' permission levels.

Network and Application Security

Data Hosting and Storage

All Hugo services and data are hosted with Amazon Web Services (AWS) in the United States in the US West region. Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security/.

Failover and Disaster Recovery

We have the ability to leverage multiple AWS availability zones and we will be able to quickly restore availability should any data center fail.

Virtual Private Network

All of our servers are located within an isolated Virtual Network separated from other internal & external networks that prevent unauthorized access.

Encryption

All data sent to or from Hugo is encrypted in transit and all data stored by Hugo is encrypted at rest, using 256 bit encryption. Our API and application endpoints are TLS/SSL only.

Incident Response

Hugo has a process for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Backups and Monitoring

We use AWS backup services to reduce any risk of data loss in the event of a hardware failure, backup to multiple data centers and utilize a number of monitoring services to alert the team in the event of any failures affecting users.

People Security

Employee Vetting

Hugo performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for employees.

Security Awareness Training

All Hugo employees go through employee onboarding that includes security awareness training covering information security topics such as phishing, password management and more.

Confidentiality

All Hugo employees are required to sign a confidentiality agreement before they begin.

Vulnerability Management

Endpoint Monitoring and Management

Hugo uses Fleetsmith to monitor its Mac devices, with enforced policies for full-disk encryption, OS updates and more.

Anti-Malware

Hugo laptops are equipped with anti-malware software to protect against malicious software.

Patching and Vulnerability Scanning

Hugo continuously updates and patches its systems and monitors for threats and vulnerabilities. ‍

Access and Identity

Permissions and Authentication

Access to Hugo infrastructure is limited to authorized employees who require it for their role. Changes are automated using access roles with the least required permissions.

Every Hugo page and service is served over https.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and other critical tools and services to ensure access to cloud services are protected.

Least Privilege Access Control

Hugo adheres to the principle of least privilege with respect to identity and access management.

Quarterly Access Reviews

Hugo does quarterly access reviews of all employee privileges to sensitive systems.

Password Managers

All Hugo issued laptops utilize 1Password for employee’s to manage passwords and maintain password complexity.

Compliance

PCI Compliance

All payments made to Hugo go through our partner, Stripe. Details about their security setup and PCI compliance can be found here.

Third-Party Audits

Hugo undergoes independent third-party assessments to test our security and compliance controls.

SOC 2 Compliance

Hugo is SOC 2 ready and expects to have a final SOC 2 Type 1 Report in early 2022 and a SOC 2 Type 2 Report soon after.

Third-Party Penetration Testing

Hugo undergoes an independent third-party penetration at least annually to hunt down security vulnerabilities.