Howspace is a web-based engagement platform that companies can use to create and host organizational development processes or training programs. Administrators chosen by the company can create private workspaces for select groups of people and invite participants to join these workspaces. Depending on the objective, people can use the workspace to discuss ideas, exchange information and share their knowledge or expertise with other participants.
Administrators have a set of tools to steer the participants’ activities and create content to match the needs of the given objective. The platform also engages the participants by letting them share documents, take part in discussions, answer questions, and vote on and prioritize development ideas and learning objectives.
Howspace is a cloud-based service that companies can access anytime, anywhere. The service is hosted within the EU/EEA by OVH Hosting and TNNet. Both companies provide us with dedicated servers that are hosted in secure data centers. Each location is guaranteed to be protected against physical intrusions, network-based attacks, fires and electrical outages.
All connections to Howspace workspaces are made over a secure HTTPS (HTTP over TLS) channel. This protocol, used widely to secure communications in online banking and money transfer services, makes sure that the data people send and receive in a workspace stays encrypted and inaccessible to unauthorized persons.
Howspace workspaces are stored in secure data centers on dedicated servers. The information accumulated in each workspace is stored in a private database used only by that single workspace. This architecture ensures that no unauthorized persons can access the data stored in your workspace, whether on purpose or by accident.
Further, software access to database servers at Howspace is limited to a small number of named developers. Access to the database server is available only through a Secure Shell (SSH) connection that is constantly monitored by Fail2Ban intrusion prevention software to prevent brute-force attacks aimed at the database server. Similarly, physical access to the database servers is limited to a small number of authorized personnel.
Howspace takes daily, automated backups of your data. All backups are stored on a separate server located either in a different server room or at a different data center to further protect your data against physical threats such as fires. Howspace stores each backup for a set period of time that ranges from one week to 180 days.
The Howspace service is built on the design principles laid out in the Application Security Verification Standard 3.0 by the Open Web Application Security Project (OWASP). Every new design is validated against an applicable standard defined by OWASP before implementation.
The service runs on the standard Ubuntu Linux 16.04 LTS platform. Its publicly available, peer-reviewed codebase ensures that any possible platform-based vulnerabilities can be detected and patched quickly.
Information security professionals and cybercriminals looking to exploit vulnerabilities in web applications are in a constant arms race. Therefore, we believe in actively testing our services against potential security vulnerabilities. To make sure our infrastructure, and your data, is and stays safe, we regularly conduct third-party penetration testing with industry-standard penetration testing frameworks such as OWASP Top 10 and ASVS.
Howspace automatically collects logs of service usage and this log data is automatically monitored for any irregularities. The automatic monitoring tools notify our technical support team instantly if they notice any irregular activity or usage errors, enabling the team to respond quickly to potential threats or service issues.
Each person working at Howspace Oy has their identity checked before entering employment. In addition to the Corporate Security Policy, employees at Howspace Oy must follow an IT Security Policy that defines and describes acceptable information security practices for the use of hardware, software and network resources provided by Howspace Oy to the employee.
In addition to the security policies and best practices followed at work, the key personnel for information security at Howspace Oy actively follow the latest developments in the field of web application security to provide the best possible security-related solutions to Howspace users.
Users invited to use Howspace can join a workspace with their preferred device. Participants can access their workspace on a personal computer, tablet or mobile device using any of the supported web browsers: Google Chrome, Firefox, Safari, Edge, and Internet Explorer (Version 10 or later).
Howspace is based on a high-availability system architecture to ensure the service is always available for you. At minimum, the service runs on three separate servers to make sure that possible server outages do not prevent your access to the service. Each server is hosted by a trusted service provider, and the availability of both the service and our servers is monitored 24/7. In case of any irregularities, our technical support team will be notified immediately of the issue.
Our hosting partners provide Howspace servers with protection against Distributed Denial of Service (DDoS) attacks. Their anti-DDoS infrastructure is capable of mitigating large-scale DDoS attacks that could otherwise prevent your access to Howspace workspaces.
Connections to Howspace databases are protected against brute-force attacks by industry-standard intrusion prevention software that automatically blocks connections that may be trying to breach the service’s security.
Howspace Oy actively deploys updates to Howspace service software to provide both updates to the service and hardened security. Before deployment, each update is verified and ensured to be working as expected through automated testing. Should any issues arise due to an update, the publicly available software version of Howspace can be quickly rolled back to a previous, working version.
Howspace is designed to collect only a minimum amount of user data. This data, commonly the user’s name and email address, is stored under the user’s profile and on Howspace servers. Howspace uses this data to identify each user that joins a workspace.
To enable certain service features and to ensure that the service works as expected, Howspace also maintains a log of each user’s latest log-in times and information about which web browser the user was using. This information is, however, stored only for a few days at a time.
The service also maintains a log of all the comments that the users create in each workspace and maintains an activity stream that logs the administrative users’ actions in their workspaces.
Due to the nature of the service, the workspace administrators may ask users who join the workspaces for additional details. As each workspace is controlled by an administrator unaffiliated with Howspace Oy, Howspace Oy has no control over what information gets collected.
Howspace Oy recommends that anyone who sets up a workspace clearly inform the users of the workspace about how the information gathered within the workspace is used, and that the person setting up the workspace acquaint themselves with the data protection requirements set in the European Union’s (EU) General Data Protection Regulation (GDPR).
Howspace Oy provides each client with a set of instructions that illustrate how the GDPR pertains to the use of Howspace and how the regulations affect the collection of information when one or more of the users is an EU citizen.
Howspace fulfills all requirements for data privacy and data subject rights as stated in the GDPR. Howspace has been built from the ground up with data protection and privacy as the default practice. This enables us to comply with the new rights of data subjects, such as the Right to Rectification, Right to Access and Right to be Forgotten, as well as ensuring we meet all information security requirements and that our users’ personal data is protected by appropriate technical and organizational measures.
Howspace Oy has a process in place for managing and handling subject access requests (SAR). The process for exporting a user’s information stored in the service is built into Howspace. The service also supports removal of user data. The removal is, however, dependent on the owner of the data and the permissions regarding access to their data given to Howspace Oy.