Data Privacy and Security FAQ

HqO is committed to protecting your data. This FAQ covers our security certifications, compliance practices, and data handling policies.

Last updated: June 2025

Security Frameworks and Certifications

HqO is certified under ISO 27001 and SOC 2. We comply with GDPR in Europe and CCPA in the United States. We've also self-certified under EU-US and Swiss-US Privacy Shields. Our approach aligns with the NIST Cybersecurity Framework and EU AI Act.

Encryption

How does HqO encrypt data?

Data at rest uses AES-256 encryption. TLS 1.2+ protects data in transit. These protocols extend to backups, logs, and sensitive email communications.

System and Event Logs

HqO logs login attempts, data access events, configuration changes, and system errors. Logs are encrypted at rest and in transit. Only authorized personnel can access them. Real-time analysis flags suspicious activity, and retention periods comply with GDPR and auditing requirements.

Access Control

How does HqO prevent unauthorized access?

  • Role-Based Access Control (RBAC) limits user permissions to what their role requires
  • Multi-factor authentication (MFA) is required for sensitive systems
  • Privileged Access Management monitors administrative accounts
  • Quarterly access reviews confirm permissions remain appropriate
  • JAMF Device Management restricts unauthorized devices

How are failed login attempts handled?

Failed attempts are tracked in real-time. After multiple failures, accounts are temporarily locked and the security team receives an alert via AWS and Slack. Patterns are analyzed to identify persistent threats.

Anti-Malware and Vulnerability Management

HqO uses JAMF-managed anti-malware tools for threat detection, automatic updates, and regular scans. Vulnerability scans, penetration testing, and patch management run on a regular cycle. Vulnerabilities are prioritized by risk severity and resolved promptly.

Physical Infrastructure

Office spaces and data centers use badge systems, biometric authentication, and surveillance cameras. All access is logged. Customer data is hosted exclusively on AWS in US East (Northern Virginia) and EU Central (Frankfurt). AWS facilities meet Tier 3+ physical security standards, including mantraps, 24/7 surveillance, and intrusion detection. No personal data is stored at HqO offices.

Third-Party Security

All third-party integrations go through HqO's Risk Security Assessment process. Vendors are evaluated on certifications, data handling, and encryption protocols. Data exchanged with vendors is encrypted using TLS. Vendors sign data protection agreements and are audited against 22 control categories across the NIST CSF framework. Contact us to request the Information Security Management policy.

Personal Data

What personal data does HqO collect?

Names, email addresses, work locations, and optional avatars. Location data is collected only for customer-enabled integrations — such as workspace analytics or building access — where it's required.

How does HqO anonymize data for analytics?

PII is removed during anonymization. Data is aggregated into group insights — for example, workspace occupancy shows trends, not individual behavior. This approach complies with GDPR and CCPA.

GDPR Compliance

  • HqO collects only the data needed to deliver the service (data minimization)
  • Users retain the right to access, correct, and delete their data
  • Regular Data Privacy Impact Assessments are conducted
  • AWS Ireland hosts EU operations; AWS Frankfurt is the primary EU data region
  • Annual penetration testing is performed on application and infrastructure
  • Clients are the Data Controllers
  • All analytics surfaces anonymized, aggregated data only — never person-level
  • Users cannot see other users in the mobile app by default
  • Each user controls their own information and notification preferences

User Preferences and Location Services

Users manage passwords, avatars, and notification preferences from the Settings screen in the app. Individual notification types can be enabled, disabled, or unsubscribed at any time.

Location Services are required for Mobile Access features. Depending on the access provider, HID recommends setting Location Services to Always so the app can communicate with readers in the background.

Data Deletion

HqO supports user data deletion requests under GDPR and CCPA. Submit a deletion request at hqo.com/request-your-data. Deletion is performed as a hard delete — no residual data remains.

Data Retention After Termination

By default, user data is purged after termination. Retaining data beyond termination requires written authorization.

Backups and Disaster Recovery

HqO uses AWS native tools to create encrypted database snapshots every five seconds. Full backups are retained for 30 days. Backups are stored across multiple AWS regions. Infrastructure is provisioned with code and regularly tested by standing up production mirrors. The Disaster Recovery Plan includes routine recovery validation.

Business Continuity

HqO's Business Continuity Plan covers system failures, cyberattacks, and natural disasters. It includes geographically redundant AWS infrastructure, trained response teams (Incident Response, Engineering, IT, Communications), and predefined communication protocols. Regular drills test procedures and identify gaps. Customer Success teams provide direct client updates during incidents. Post-incident reviews refine future response.

Environment Separation

Production, staging, and development environments run on separate AWS accounts. Personal data is only processed in production. Synthetic data is used in non-production environments. Access to each environment is role-based, logged, and audited.

Mobile Device Security

HqO enforces its MDM policy via JAMF Pro on all company-managed Apple devices. Requirements include encryption, password protection, and remote wipe. Non-compliant devices are blocked from accessing company systems.

API Security

All API traffic uses TLS encryption. Endpoints authenticate via secure tokens. Rate limiting prevents abuse and denial-of-service attacks.

Data Residency

Customer data is hosted in specified AWS regions. EU customer data is hosted in Europe to meet GDPR residency requirements. HqO relies on updated Standard Contractual Clauses (SCCs) for EEA data transfers.

Subcontractors

Subcontractor | Location | Service
Amazon Web Services | United States | Hosting environment
Stripe | United States | Payment processing (Order Ahead)
Braze | United States | Push notification distribution
LaunchDarkly | United States | Web dashboard
Looker | United States | Business intelligence

Employee Access Controls

All employees sign in with individual accounts — shared logins are not permitted. HqO enforces SSO via Okta and MFA via Okta Verify across all systems. Access is role-based, reviewed regularly, and revoked automatically through HR offboarding workflows. All company Apple devices are enrolled in JAMF Pro. Login and access activity is logged in AWS CloudTrail.

Bug Response Process

Pre-release, HqO runs manual and automated tests (unit, e2e, functional) plus third-party testing. Post-deployment, Datadog and Rollbar catch issues in the field. Users report bugs to support@hqo.co, which creates a Zendesk ticket. The tenant experience team triages the issue and escalates confirmed bugs to Jira. High-priority bugs are resolved by the engineering team and deployed to production after staging validation and VP of Engineering sign-off.

Contact

For questions about HqO's privacy practices, email privacy@hqo.co.

For the complete privacy policy, visit hqo.com/privacy or Trust and Security.
