Howspace is a web-based engagement platform that companies can use to create and host development projects or training sessions. Administrators chosen by the company can create private workspaces for selected groups of people and invite participants to join these workspaces. Depending on the objective of the project or training, people can use the workspace to discuss ideas, exchange information and share their knowledge or expertise with other participants.
Administrators have a set of tools to steer the participants’ activities and adapt the content to match the needs of their project. The platform also engages the participants by letting them share documents, take part in discussions, answer questions, and vote on and prioritize development ideas and learning objectives.
Howspace supports all modern up-to-date browsers, including, but not limited to:
Howspace is a cloud-based service that companies can access anytime, anywhere. The service is hosted and provided within the EU/EEA by Amazon Web Services & MongoDB Atlas.
MongoDB Atlas is a global cloud database service for modern applications. MongoDB Atlas enables Howspace to “deploy fully managed MongoDB databases in AWS with best-in-class automation and proven practices that guarantee availability, scalability, and compliance with the most demanding data security and privacy standards.” https://www.mongodb.com/cloud/atlas
Amazon Web Services (AWS) provides Howspace “a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.” https://aws.amazon.com/about-aws/
Under the shared responsibility model, responsibility for security and compliance is shared between AWS and Howspace. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities; Howspace remains responsible for everything built on top of that, such as the application, its access control and the configuration of the services it uses. This lets the Howspace technical team concentrate on the core business of developing the product.
The security of Amazon Web Services is attested by multiple certifications and audits, including ISO/IEC 27001, SOC 1 and SOC 2. The AWS services that Howspace uses are each individually in scope of the ISO 27001 certification and the SOC 1, 2 and 3 reports.
Amazon Web Services ISO/IEC 27001:2013 certification: https://d1.awsstatic.com/certifications/iso_27001_global_certification.pdf
Amazon Web Services System and Organization Controls 3 (SOC 3) report: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf
Data security in Howspace is achieved through multiple mechanisms. Howspace is a multi-tenant system in which each customer's data is logically separated from other customers' data. The logical separation is based on application-level security mechanisms (access-control policies) and on logical separation of data in the data stores (database, object storage). Because tenants share the same infrastructure, the application-level authorization check is the effective boundary and is applied on every request, not only at login.
The resources are protected by isolated and layered network tiers (VPC). Public subnets, which must be reachable from the internet, host the web servers; private subnets, which need no direct access from the internet, host the backend systems.
To protect Howspace data at rest, the databases, object storage, logs and backups are encrypted with industry-standard AES-256 encryption. To protect data in transit between Howspace and the customer, Howspace uses TLS 1.2 or newer.
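The logical separation described above rests on the application pinning every database operation to the caller's tenant. The following block is an added illustration of that pattern and is not Howspace's own code: it wraps a MongoDB-style collection (modelled in memory here so the example runs offline) so that every filter and every inserted document carries the tenant from the authenticated request context. The `tenant_id` field name, the `RequestContext` object and the sample documents are assumptions made for the example.

```python
"""Tenant-scoped data access for a multi-tenant store.

Added illustration, not Howspace's own code. The 'tenant_id' discriminator
field, the request context and the in-memory collection are assumptions.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    tenant_id: str  # derived from the authenticated session, never from the request body


class TenantIsolationError(PermissionError):
    """Raised when a query or document names a tenant other than the caller's."""


class InMemoryCollection:
    """Minimal stand-in for a pymongo collection with equality filters."""

    def __init__(self):
        self._docs = {}
        self._ids = itertools.count(1)

    @staticmethod
    def _matches(doc, query):
        return all(doc.get(k) == v for k, v in query.items())

    def insert_one(self, doc):
        _id = doc.get("_id", "doc%d" % next(self._ids))
        self._docs[_id] = {**doc, "_id": _id}
        return _id

    def find_one(self, query):
        return next((d for d in self._docs.values() if self._matches(d, query)), None)

    def find(self, query):
        return [d for d in self._docs.values() if self._matches(d, query)]

    def delete_one(self, query):
        for _id, d in self._docs.items():
            if self._matches(d, query):
                del self._docs[_id]
                return 1
        return 0


class TenantScopedCollection:
    """Every read and write through this wrapper is pinned to ctx.tenant_id."""

    def __init__(self, raw, ctx: RequestContext):
        self._raw = raw
        self._ctx = ctx

    def _scoped(self, query: dict) -> dict:
        # Reject a caller-supplied tenant filter instead of silently overwriting it:
        # an overwritten filter hides an authorization bug, a rejected one surfaces it.
        if "tenant_id" in query and query["tenant_id"] != self._ctx.tenant_id:
            raise TenantIsolationError("query targets another tenant")
        return {**query, "tenant_id": self._ctx.tenant_id}

    def find_one(self, query: dict):
        return self._raw.find_one(self._scoped(query))

    def find(self, query: dict):
        return self._raw.find(self._scoped(query))

    def insert_one(self, doc: dict):
        if doc.get("tenant_id", self._ctx.tenant_id) != self._ctx.tenant_id:
            raise TenantIsolationError("document belongs to another tenant")
        return self._raw.insert_one({**doc, "tenant_id": self._ctx.tenant_id})

    def delete_one(self, query: dict):
        return self._raw.delete_one(self._scoped(query))


def demo():
    """Two tenants share one collection; the second cannot read or delete the first's post."""
    raw = InMemoryCollection()
    acme = TenantScopedCollection(raw, RequestContext("alice", "acme"))
    globex = TenantScopedCollection(raw, RequestContext("bob", "globex"))
    post_id = acme.insert_one({"workspace": "ws-1", "body": "internal plan"})
    # Bob knows (or guesses) the document id, but his context pins every query to 'globex'.
    return {
        "owner_sees": acme.find_one({"_id": post_id}) is not None,
        "other_tenant_sees": globex.find_one({"_id": post_id}) is not None,
        "other_tenant_deletes": globex.delete_one({"_id": post_id}),
        "still_present": raw.find_one({"_id": post_id}) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the wrapper is that a developer who writes `find_one({"_id": id_from_url})` cannot forget the tenant filter, which is the usual root cause of cross-tenant data exposure in multi-tenant applications; the raw collection is never handed to request-handling code.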
Data security at the physical level is provided by the platform, Amazon Web Services. https://docs.aws.amazon.com/whitepapers/latest/aws-overview-security-processes/physical-and-environmental-security.html
Howspace data is stored on Amazon Web Services premises across multiple physically separated devices spanning a minimum of three Availability Zones, each physically separated from the others by miles within the region. Active user-generated content and files are stored in the Amazon Web Services region eu-north-1 (Stockholm, Sweden).
Howspace takes daily, automated backups. Each backup is stored for a set period of time in the same cloud region according to the following retention policy:
Last day of month
When a workspace is deleted, all data stored in the workspace is deleted from the active data storage automatically after a 30-day retention period. Under the backup retention policy above, all of the data is deleted from all systems, including active databases and backups, 12 months after that.
If workspaces are not deleted manually and the customer agreement has ended, data is deleted automatically from the active data storage after a 6-month retention period, followed by the 12-month backup retention period. During the 6-month retention period, customers can manually delete all their workspaces to shorten it. At any time during the agreement, customers can also schedule workspace archival and deletion to suit their internal retention policies and controls.
Howspace is based on a high-availability system architecture to ensure the service stays available for our customers.
Howspace runs on multiple instances in three availability zones within one AWS region, with user traffic distributed evenly across them by a load balancer. The infrastructure automatically scales based on application usage so that Howspace keeps running smoothly and stays accessible for all customers.
Automatic scaling lets us handle larger volumes when there is unanticipated extra traffic, for example due to flash crowds or DDoS attacks. The Howspace load balancer also automatically blocks many common network-layer DDoS attacks, such as SYN floods or UDP reflection attacks. Scaling absorbs traffic volume rather than telling malicious requests from legitimate ones, so application-layer floods are handled at the request level rather than by scaling alone.
Users invited to use Howspace can join a workspace with their preferred device. Participants can access their workspace on personal computer, tablet or a mobile device using any of the supported modern web browsers.
By default, customer admin users log in to the Main User Dashboard with an email and password combination. The Main User login has predefined password requirements (minimum length and complexity), password history, and account lockout after 10 incorrect login attempts to resist password guessing.
Users can access a workspace with a personal login link sent to them by email. By default, a user session is valid for 10 hours. Users inside a workspace have one of two roles, workspace admin or workspace participant. Each role has its own set of permissions inside the workspace, which the workspace admins can modify. Workspace access can additionally be restricted to defined IP addresses in the workspace security settings.
For organizational use, SAML 2.0 single sign-on can be configured between Howspace and the customer's identity provider. More information about single sign-on (details and pricing) is available from Howspace Support or Sales.
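The three controls named above (password policy, password history, lockout after 10 failures) are small to implement but easy to get subtly wrong, so here is an added, self-contained illustration of them; it is example code, not Howspace's implementation. The lockout count of 10 is taken from the text; the minimum length of 12, the history depth of 5, the 15-minute lockout window and the scrypt parameters are assumptions for the example.

```python
"""Password login with complexity rules, password history and lockout.

Added illustration, not Howspace's code. MAX_FAILURES = 10 comes from the
page; the other constants and the scrypt parameters are assumptions.
"""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 12            # assumption
HISTORY_SIZE = 5           # assumption: how many old hashes are kept
MAX_FAILURES = 10          # from the page: lockout after 10 incorrect attempts
LOCKOUT_SECONDS = 15 * 60  # assumption: bounded lockout, not indefinite

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(pw):
    """Minimum length plus at least three of four character classes."""
    return len(pw) >= MIN_LENGTH and sum(bool(re.search(c, pw)) for c in _CLASSES) >= 3


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def verify_password(pw, salt, digest):
    candidate = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.history = [hash_password(password)]  # newest first; never store plaintext
        self.failures = 0
        self.locked_until = 0.0


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.accounts = {}
        self.clock = clock  # injectable so lockout expiry can be tested

    def register(self, email, password):
        self.accounts[email] = Account(password)

    def change_password(self, email, new_password):
        acct = self.accounts[email]
        if not password_meets_policy(new_password):
            return "policy"
        # History must be checked against the stored hashes, so each old salt is reused.
        for salt, digest in acct.history:
            if verify_password(new_password, salt, digest):
                return "reused"
        acct.history.insert(0, hash_password(new_password))
        del acct.history[HISTORY_SIZE:]
        return "ok"

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None:
            hash_password(password, b"\0" * 16)  # equalize timing for unknown emails
            return "invalid"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # do not even evaluate the password while locked
        salt, digest = acct.history[0]
        if verify_password(password, salt, digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "invalid"


def demo():
    """Ten wrong guesses lock the account; the right password works once the window ends."""
    fake_time = [0.0]
    svc = LoginService(clock=lambda: fake_time[0])
    svc.register("admin@example.com", "Correct-Horse-Battery-9")
    results = [svc.login("admin@example.com", "wrong-password-%d" % i) for i in range(MAX_FAILURES)]
    right_but_locked = svc.login("admin@example.com", "Correct-Horse-Battery-9")
    fake_time[0] += LOCKOUT_SECONDS + 1
    after_window = svc.login("admin@example.com", "Correct-Horse-Battery-9")
    reuse = svc.change_password("admin@example.com", "Correct-Horse-Battery-9")
    return results, right_but_locked, after_window, reuse


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the lockout is time-bounded rather than permanent, because a per-account lockout that anyone can trigger by typing a victim's email ten times is itself a denial-of-service lever; and the lockout check happens before the password is evaluated, so a locked account gives the same answer to a correct and an incorrect guess.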
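The e-mailed login link, the 10-hour session and the IP restriction described above combine into one access path, shown here as an added example (not Howspace's code). The 10-hour session lifetime is from the text; the 15-minute link lifetime, single-use links, hashed storage of the link token, the CIDR allowlist format and the sample addresses are assumptions made for the example.

```python
"""Personal login links, bounded sessions and per-workspace IP restrictions.

Added illustration, not Howspace's code. SESSION_TTL (10 h) is from the page;
LINK_TTL, single-use links, hashed token storage and the allowlist format are
assumptions.
"""
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

LINK_TTL = 15 * 60        # assumption
SESSION_TTL = 10 * 3600   # from the page: session valid for 10 hours


@dataclass
class PendingLink:
    email: str
    workspace: str
    expires_at: float


@dataclass
class Session:
    email: str
    workspace: str
    expires_at: float


class WorkspaceAccess:
    def __init__(self, allowlists, clock=time.time):
        # workspace -> list of CIDR strings; an empty list means no restriction
        self.allowlists = {ws: [ipaddress.ip_network(c) for c in cidrs] for ws, cidrs in allowlists.items()}
        self.clock = clock
        self.pending = {}   # sha256(token) -> PendingLink
        self.sessions = {}  # session id -> Session

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).digest()

    def issue_link(self, email, workspace):
        # The raw token goes only into the e-mail; the store keeps a hash, so a
        # leaked table does not yield usable links.
        token = secrets.token_urlsafe(32)
        self.pending[self._h(token)] = PendingLink(email, workspace, self.clock() + LINK_TTL)
        return "https://example.invalid/login/%s?token=%s" % (workspace, token)

    def ip_allowed(self, workspace, client_ip):
        nets = self.allowlists.get(workspace, [])
        if not nets:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in n for n in nets)

    def redeem(self, token, client_ip):
        key = self._h(token)
        link = self.pending.get(key)
        if link is None or self.clock() > link.expires_at:
            self.pending.pop(key, None)
            return None
        if not self.ip_allowed(link.workspace, client_ip):
            return None  # refused; the link itself is not consumed
        del self.pending[key]  # single use: a replayed link is worthless
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(link.email, link.workspace, self.clock() + SESSION_TTL)
        return sid

    def resolve(self, sid, client_ip):
        s = self.sessions.get(sid)
        if s is None or self.clock() > s.expires_at:
            self.sessions.pop(sid, None)
            return None
        if not self.ip_allowed(s.workspace, client_ip):  # re-checked on every request, not only at login
            return None
        return s


def demo():
    """Walk one link through refusal, redemption, replay and session expiry."""
    now = [1_000_000.0]
    acl = WorkspaceAccess({"ws-1": ["203.0.113.0/24"]}, clock=lambda: now[0])
    url = acl.issue_link("alice@example.com", "ws-1")
    token = parse_qs(urlparse(url).query)["token"][0]
    outside = acl.redeem(token, "198.51.100.7")       # not in the allowlist
    sid = acl.redeem(token, "203.0.113.5")            # allowed address
    replay = acl.redeem(token, "203.0.113.5")         # same link a second time
    live = acl.resolve(sid, "203.0.113.5")
    now[0] += SESSION_TTL + 1
    expired = acl.resolve(sid, "203.0.113.5")
    stale_url = acl.issue_link("alice@example.com", "ws-1")
    now[0] += LINK_TTL + 1
    stale = acl.redeem(parse_qs(urlparse(stale_url).query)["token"][0], "203.0.113.5")
    return {
        "outside_ip": outside, "session_issued": sid is not None, "replay": replay,
        "live": live is not None, "expired": expired, "stale_link": stale,
    }


if __name__ == "__main__":
    print(demo())
```

The IP restriction is evaluated both when the link is redeemed and on every later request, because a session created from an allowed address can otherwise be carried to an address the workspace has excluded.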
Howspace employees do not access customer-generated content without an invitation from the customer. Howspace developers have the technical means to access customer-generated content, but that access is restricted by a policy which states that no access is made without permission obtained from the customer.* Permission is usually requested for support or troubleshooting.
* Excluding any urgent, security related issues.
Secure development principles
To ensure that the quality and security of Howspace stays consistent, our technical team follows certain development principles in their daily work. The developed features are made and tested in environments separated from production, away from regular users and production data.
For a standardized way of working, our developers follow predefined workflows, and development is done on a local copy of the software stack, where changes can be verified and tested safely. Before new features enter our release pipeline, the changes are peer reviewed to ensure consistent quality of the releases. Additionally, a static code security analysis tool is used to detect vulnerabilities in the changes made to the source code.
The release pipeline automatically deploys the new release into our testing environment for additional testing. The automated pipeline ensures that deployments are done in a uniform fashion without any manual steps, which removes the risk of human error and keeps the deployment process consistent.
After the quality of the release has been verified in a separate testing environment, the release can then be promoted into the production environment and to the use of our customers.
To help our technical team find and fix vulnerabilities, the application is regularly penetration tested by third-party security professionals. The testing is based on the industry-standard OWASP Top 10, which lists the most critical security risks to web applications. Any issues found during testing are prioritized and mitigated in a timely manner.
Howspace automatically collects logs of service usage into a Centralized Log Management solution for tracking the application status around the clock.
From the log management solution, the Howspace technical team can follow log events, monitor the performance of Howspace and be alerted automatically of any irregularities or anomalous events in the application. This enables the technical team to respond quickly to potential threats or service issues.
If there are any problems or difficulties using Howspace, contacting our Technical Support lets us provide solutions or fixes. Howspace Technical Support is the first point of contact between the customer and the Howspace technical professionals.
Howspace Technical Support and the technical team follow predefined processes and plans to act on, follow up, manage and report different kinds of situations, including bugs, usage issues, security concerns and security incidents.
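What "alerted automatically of anomalous events" can look like in practice: the block below is an added example, not Howspace's detection content, that runs two rules over centralized login logs. The newline-delimited JSON log format, the thresholds and the sample events (RFC 5737 test addresses, example.com accounts) are constructed for the example. The first rule fires when one account reaches the lockout count within a short window; the second fires when one source address fails against many different accounts, which per-account lockout alone never catches.

```python
"""Two detections over centralized login logs: brute force and password spraying.

Added illustration, not Howspace's own detection logic. The log shape,
thresholds and SAMPLE_LOG are constructed for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 10       # same count as the account lockout: alert when it is reached
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
SPRAY_DISTINCT_ACCOUNTS = 5       # one IP failing against this many accounts in the window


def _line(ts, event, email, ip):
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event": event, "email": email, "ip": ip})


_T0 = datetime(2024, 5, 1, 9, 0, 0)
# Constructed sample: 10 failures against one admin account, a legitimate login,
# then one address trying five different accounts once each.
SAMPLE_LOG = "\n".join(
    [_line(_T0 + timedelta(seconds=3 * i), "login_failed", "admin@example.com", "198.51.100.7") for i in range(10)]
    + [_line(_T0 + timedelta(minutes=1), "login_success", "carol@example.com", "192.0.2.33")]
    + [_line(_T0 + timedelta(minutes=10, seconds=10 * i), "login_failed", "user%d@example.com" % i, "203.0.113.9")
       for i in range(5)]
    + [_line(_T0 + timedelta(minutes=11), "login_success", "user2@example.com", "203.0.113.9")]
)


def parse_events(text):
    """Yield one dict per non-empty line with 'ts' parsed to a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield e


def detect(events):
    """Return alerts in time order; each rule fires at most once per account / per IP."""
    alerts = []
    fails_by_account = defaultdict(deque)   # email -> recent failure timestamps
    fails_by_ip = defaultdict(dict)         # ip -> {email: last failure timestamp}
    alerted = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] != "login_failed":
            continue
        now = e["ts"]

        q = fails_by_account[e["email"]]
        q.append(now)
        while q and now - q[0] > FAILED_LOGIN_WINDOW:
            q.popleft()
        if len(q) >= FAILED_LOGIN_THRESHOLD and ("bruteforce", e["email"]) not in alerted:
            alerted.add(("bruteforce", e["email"]))
            alerts.append({"rule": "bruteforce", "email": e["email"], "ip": e["ip"], "ts": now})

        seen = fails_by_ip[e["ip"]]
        seen[e["email"]] = now
        recent = sorted(a for a, t in seen.items() if now - t <= FAILED_LOGIN_WINDOW)
        if len(recent) >= SPRAY_DISTINCT_ACCOUNTS and ("spray", e["ip"]) not in alerted:
            alerted.add(("spray", e["ip"]))
            alerts.append({"rule": "spray", "ip": e["ip"], "accounts": recent, "ts": now})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

In the sample, the spraying address never trips the per-account rule (one failure per account) and the brute-force address never trips the spray rule (one account), which is why both views of the same log are needed.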
External communication about the status of Howspace is done via https://status.howspace.com. The page is also updated during possible ongoing incidents.
Howspace is committed to full disclosure in customer affecting situations.
Each person working at Howspace has their identity checked before entering employment. Employees at Howspace must follow an IT Security Policy that defines and describes acceptable information security practices for the use of hardware, software and network resources provided by Howspace to the employee.
In addition to the security policies and best practices followed at work, the key personnel for information security follow the latest developments in the field of web application security so that they can provide the best possible security solutions to Howspace users.
For situational awareness of cyber security worldwide, the key personnel also follow the daily news and reports provided by the Finnish National Cyber Security Centre (NCSC-FI). https://www.ncsc.fi/
Howspace is designed to collect only a minimum amount of user data. This data, commonly only the user’s name and email address, is stored under the user’s profile in the Howspace database. Howspace uses this data to identify each user who joins a workspace.
To enable certain services, to ensure that the service works as expected and to create a security-related audit trail, Howspace maintains logs of each user’s actions inside Howspace. This information includes e.g. user’s last login times and information about which web browser the user was using.
Due to the nature of the service, workspace administrators may ask users who join a workspace for additional details. As each workspace is controlled by an administrator unaffiliated with Howspace Oy, Howspace Oy has no control over what information gets collected.
Howspace Oy recommends that anyone who sets up a workspace clearly informs its users how the information gathered within the workspace is used. The person setting up the workspace should also be familiar with the data protection requirements set out in the European Union’s General Data Protection Regulation (GDPR).
Howspace Oy provides each client with a set of instructions that illustrate how the GDPR pertains to the use of Howspace and how the regulation affects the collection of information when one or more of the users are located in the EU.
Howspace fulfills the requirements for data privacy and data subject rights stated in the GDPR. Howspace has been built from the ground up with data protection and privacy as the default practice. This enables us to comply with the rights of data subjects, such as the right to rectification, right of access and right to erasure (“right to be forgotten”), and ensures that we meet the information security requirements and that our users’ personal data is protected by appropriate technical and organizational measures.
Howspace Oy has a process in place for managing and handling subject access requests (SAR). The process for exporting a user’s information stored in the service is built into Howspace. The service also supports removal of user data. The removal is, however, dependent on the owner of the data and the permissions regarding access to their data given to Howspace Oy.