Data Privacy and Security FAQ
HqO is committed to protecting your data. This FAQ covers our security certifications, compliance practices, and data handling policies.
Last updated: June 2025
Security Frameworks and Certifications
HqO is certified under ISO 27001 and SOC 2. We comply with GDPR in Europe and CCPA in the United States. We've also self-certified under EU-US and Swiss-US Privacy Shields. Our approach aligns with the NIST Cybersecurity Framework and the EU AI Act.
Encryption
How does HqO encrypt data?
Data at rest uses AES-256 encryption. TLS 1.2+ protects data in transit. These protocols extend to backups, logs, and sensitive email communications.
System and Event Logs
HqO logs login attempts, data access events, configuration changes, and system errors. Logs are encrypted at rest and in transit. Only authorized personnel can access them. Real-time analysis flags suspicious activity, and retention periods comply with GDPR and auditing requirements.
Access Control
How does HqO prevent unauthorized access?
- Role-Based Access Control (RBAC) limits user permissions to what their role requires
- Multi-factor authentication (MFA) is required for sensitive systems
- Privileged Access Management monitors administrative accounts
- Quarterly access reviews confirm permissions remain appropriate
- JAMF Device Management restricts unauthorized devices
How are failed login attempts handled?
Failed attempts are tracked in real time. After multiple failures, accounts are temporarily locked and the security team receives an alert via AWS and Slack. Patterns are analyzed to identify persistent threats.
Anti-Malware and Vulnerability Management
HqO uses JAMF-managed anti-malware tools for threat detection, automatic updates, and regular scans. Vulnerability scans, penetration testing, and patch management run on a regular cycle. Vulnerabilities are prioritized by risk severity and resolved promptly.
Physical Infrastructure
Office spaces and data centers use badge systems, biometric authentication, and surveillance cameras. All access is logged. Customer data is hosted exclusively on AWS in US East (Northern Virginia) and EU Central (Frankfurt). AWS facilities meet Tier 3+ physical security standards, including mantraps, 24/7 surveillance, and intrusion detection. No personal data is stored at HqO offices.
Third-Party Security
All third-party integrations go through HqO's Risk Security Assessment process. Vendors are evaluated on certifications, data handling, and encryption protocols. Data exchanged with vendors is encrypted using TLS. Vendors sign data protection agreements and are audited against 22 control categories across the NIST CSF framework. Contact us to request the Information Security Management policy.
Personal Data
What personal data does HqO collect?
Names, email addresses, work locations, and optional avatars. Location data is collected only for customer-enabled integrations (such as workspace analytics or building access) where it's required.
How does HqO anonymize data for analytics?
PII is removed during anonymization. Data is aggregated into group insights; for example, workspace occupancy shows trends, not individual behavior. This approach complies with GDPR and CCPA.
GDPR Compliance
- HqO collects only the data needed to deliver the service (data minimization)
- Users retain the right to access, correct, and delete their data
- Regular Data Privacy Impact Assessments are conducted
- AWS Ireland hosts EU operations; AWS Frankfurt is the primary EU data region
- Annual penetration testing is performed on application and infrastructure
- Clients are the Data Controllers
- All analytics surfaces anonymized, aggregated data only, never person-level
- Users cannot see other users in the mobile app by default
- Each user controls their own information and notification preferences
User Preferences and Location Services
Users manage passwords, avatars, and notification preferences from the Settings screen in the app. Individual notification types can be enabled, disabled, or unsubscribed at any time.
Location Services are required for Mobile Access features. Depending on the access provider, HID recommends setting Location Services to Always so the app can communicate with readers in the background.
Data Deletion
HqO supports user data deletion requests under GDPR and CCPA. Submit a deletion request at hqo.com/request-your-data. Deletion is performed as a hard delete: no residual data remains.
Data Retention After Termination
By default, user data is purged after termination. Retaining data beyond termination requires written authorization.
Backups and Disaster Recovery
HqO uses AWS native tools to create encrypted database snapshots every five seconds. Full backups are retained for 30 days. Backups are stored across multiple AWS regions. Infrastructure is provisioned with code and regularly tested by standing up production mirrors. The Disaster Recovery Plan includes routine recovery validation.
Business Continuity
HqO's Business Continuity Plan covers system failures, cyberattacks, and natural disasters. It includes geographically redundant AWS infrastructure, trained response teams (Incident Response, Engineering, IT, Communications), and predefined communication protocols. Regular drills test procedures and identify gaps. Customer Success teams provide direct client updates during incidents. Post-incident reviews refine future response.
Environment Separation
Production, staging, and development environments run on separate AWS accounts. Personal data is only processed in production. Synthetic data is used in non-production environments. Access to each environment is role-based, logged, and audited.
Mobile Device Security
HqO enforces its MDM policy via JAMF Pro on all company-managed Apple devices. Requirements include encryption, password protection, and remote wipe. Non-compliant devices are blocked from accessing company systems.
API Security
All API traffic uses TLS encryption. Endpoints authenticate via secure tokens. Rate limiting prevents abuse and denial-of-service attacks.
Data Residency
Customer data is hosted in specified AWS regions. EU customer data is hosted in Europe to meet GDPR residency requirements. HqO relies on updated Standard Contractual Clauses (SCCs) for EEA data transfers.
Subcontractors
| Subcontractor | Location | Service |
|---|---|---|
| Amazon Web Services | United States | Hosting environment |
| Stripe | United States | Payment processing (Order Ahead) |
| Braze | United States | Push notification distribution |
| LaunchDarkly | United States | Web dashboard |
| Looker | United States | Business intelligence |
Employee Access Controls
All employees sign in with individual accounts; shared logins are not permitted. HqO enforces SSO via Okta and MFA via Okta Verify across all systems. Access is role-based, reviewed regularly, and revoked automatically through HR offboarding workflows. All company Apple devices are enrolled in JAMF Pro. Login and access activity is logged in AWS CloudTrail.
Bug Response Process
Pre-release, HqO runs manual and automated tests (unit, e2e, functional) plus third-party testing. Post-deployment, Datadog and Rollbar catch issues in the field. Users report bugs to support@hqo.co, which creates a Zendesk ticket. The tenant experience team triages the issue and escalates confirmed bugs to Jira. High-priority bugs are resolved by the engineering team and deployed to production after staging validation and VP of Engineering sign-off.
Contact
For questions about HqO's privacy practices, email privacy@hqo.co.
For the complete privacy policy, visit hqo.com/privacy or Trust and Security.