The safest place for your meeting knowledge

Learn more about Hugo's security infrastructure, processes and compliance to ensure the safety of your data

Rest easy - Hugo's got your back

Security of your Data

In addition to our commitment to your privacy, we have invested heavily in the security of your data. Some measures are outlined here:

Product Security

SSO and Multi-Factor Authentication
Hugo's Google Single Sign-on and Office 365 Single Sign-on (SSO) allow you to authenticate users in your own systems without requiring them to enter additional login credentials. This also reduces the risk associated with additional passwords to access Hugo.

We recommend that you enforce Multi-Factor Authentication through Google Suite and Microsoft Office 365 to increase the security of your Google and Microsoft credentials, and in turn the security of the data you store in Hugo.
Permissions
We enable team member and admin permission levels within the app to be set for your teammates.

Admin permissions ensure only authorized users can remove team members, change billing settings or change other teammates' permission levels.

Network and application security

Data Hosting and Storage
All Hugo services and data are hosted with Amazon Web Services (AWS) in the United States in the US West region. Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security/.
Failover and Disaster Recovery
We have the ability to leverage multiple AWS availability zones and we will be able to quickly restore availability should any data center fail.
Virtual Private Network
All of our servers are located within an isolated Virtual Network, separated from other internal and external networks, to prevent unauthorized access.
Backups and Monitoring
We use AWS backup services to reduce any risk of data loss in the event of a hardware failure, back up to multiple data centers, and utilize a number of monitoring services to alert the team in the event of any failures affecting users.
Permissions and Authentication
Access to Hugo infrastructure is limited to authorized employees who require it for their role. Changes are automated using access roles with the least required permissions.

Every Hugo page and service is served over HTTPS.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and other critical tools and services to ensure access to cloud services is protected.
Encryption
All data sent to or from Hugo is encrypted in transit and all data stored by Hugo is encrypted at rest, using 256-bit encryption. Our API and application endpoints are TLS/SSL only.
Incident Response
Hugo has a process for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Other

Employee Vetting
Hugo performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for employees.
Confidentiality
All employee contracts include a confidentiality agreement.
PCI Compliance
All payments made to Hugo go through our partner, Stripe. Details about their security setup and PCI compliance can be found here.
More questions? Contact us

Privacy Shield Privacy Policy

Last updated January 15, 2019

Hugo Corporation (“Hugo”) has created this Privacy Shield Privacy Policy to help you learn about how we handle Personal Information that is collected in the European Economic Area (the “EEA”) and Switzerland and transferred to Hugo in the US.

Hugo adheres to the EU-U.S. Privacy Shield Framework by adopting and implementing the EU-U.S. Privacy Shield Principles, which include a set of Supplemental Principles. Hugo also commits to adhere to the Swiss-U.S. Privacy Shield Framework by adopting and implementing the Swiss Privacy Shield Principles. We will refer to the EU-U.S. and Swiss Privacy Shield Principles collectively as the “Principles.” Our certification can be found at www.privacyshield.gov/list.

This Privacy Shield Privacy Policy supplements the Hugo Privacy Policy. Unless specifically defined in this policy, the terms in this Privacy Shield Privacy Policy have the same meaning as in our Privacy Policy. In case of conflict between our Privacy Policy and this Privacy Shield Privacy Policy, this Privacy Shield Privacy Policy prevails. In case of conflict between this Privacy Shield Privacy Policy and the Principles, the Principles will govern.

1. How we obtain Personal Information

We obtain and process Personal Information in different capacities.

As a data controller, we collect and process EEA and Swiss Personal Information directly from individuals, either via our publicly available websites, including, or in connection with our customer, partner, and vendor relationships.

As a data processor, we process and store EEA and Swiss Personal Information obtained from our customers when providing the Hugo application and related services (“Services”). In that context, we only process Personal Information on behalf of and at the instructions of our customers, which are the data controllers.

Hugo commits to subjecting to the Principles all Personal Information received from the EEA and Switzerland in reliance on the Privacy Shield (which includes both types of activities).

2. Notice

We provide information in our Privacy Policy regarding our privacy practices.

When using our Services, customers determine the categories of data they upload into our systems and the purposes for which the data is processed. Accordingly, customers are responsible for providing notice to the individuals from whom they have collected Personal Information.

3. Data Integrity and Purpose Limitation

We may use any Personal Information we obtain for the purposes indicated in our Privacy Policy or as otherwise notified to you. We will not process Personal Data in a way that is incompatible with these purposes or as subsequently authorized by you. We take reasonable steps to limit the collection and usage of Personal Information to that which is relevant for the intended purposes for which it was collected, and to ensure that such Personal Information is reliable, accurate, complete, and current. We will adhere to the Principles for as long as we retain the Personal Information collected under the Privacy Shield.

When we process Personal Information in the context of our Services, we process and retain Personal Information only as necessary to provide our Services, or as required or permitted under applicable law.

4. Data Disclosures

We disclose Personal Information as described in our Privacy Policy. If we disclose it to a third party acting as a data controller or as an agent, we will comply with, and protect the Personal Information as provided in, the Accountability for Onward Transfer Principle.

In case of disclosure to an agent, we remain responsible for the processing of Personal Information received under the Privacy Shield and subsequently transferred to that agent if it processes such Personal Information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the inconsistent processing.

When we process Personal Information in the context of our Services, we disclose Personal Information as necessary to provide the Services and as authorized in our agreements with customers.

As stated in our Privacy Policy, we may also share your Personal Information that we control or process in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

5. Data Security

We use reasonable and appropriate measures to protect your Personal Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information. You can read more about our security processes and infrastructure by clicking one of the tabs in our Security Center.

6. Choice and Access

Where appropriate, Hugo provides you with access to the Personal Information that we maintain about you and the ability to correct, amend or delete that information when it is inaccurate or has been processed in violation of the Principles by sending a written request as indicated in “Contact Information” below. We will review your request in accordance with the Principles, and may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles.

If we intend to use your Personal Information for a purpose that is materially different from the purposes listed in this policy or if we intend to disclose it to a third party acting as a controller not previously identified, we will offer you the opportunity to opt-out of such uses and disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.

When we process Personal Information in the context of our Services, we only process and disclose the data as necessary to provide the Services. Our customers control how the information they upload to the Services is disclosed and used, and how it can be modified. Accordingly, if you wish to request access, to limit use, or to limit disclosure of Personal Information uploaded to the Services by our customer, please contact the customer who submitted your data to our Services. If you provide us with the name of our customer that is processing your Personal Information, we will refer your request to that customer, and will support the customer as needed in responding to your request.

7. Recourse and Enforcement

We conduct an annual self-assessment of our Personal Information practices to verify that the attestations and assertions made in this Privacy Shield Privacy Policy are true and have been implemented as represented.

In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection and use of your Personal Information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at the contact information provided below. We have further committed to refer unresolved Privacy Shield complaints to the JAMS Privacy Shield Program, an alternative dispute resolution provider in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. We will cooperate with JAMS pursuant to the JAMS International Mediation Rules, which are accessible on the JAMS website at http://www.jamsadr.com. For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration as detailed in the Principles.

Hugo is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

8. Changes to the Privacy Shield Privacy Policy

This Privacy Shield Privacy Policy may be changed from time to time, consistent with the requirements of the Privacy Shield. You can determine when this Privacy Shield Privacy Policy was last revised by referring to the "Last Updated" legend at the top of this page. Any changes to this Privacy Shield Privacy Policy will become effective when we post the revised version on our website.

9. Contact Information

If you have any questions, concerns or complaints regarding our privacy practices, or if you’d like to exercise your choices or rights, contact us via:

● Email Hugo’s Privacy and Data Protection Officer at privacy@hugo.team; or

● Mail at Hugo, ATTN: Privacy and Data Protection Officer, 1700 Montgomery St, Suite 108, San Francisco CA 94111

GDPR Statement

Last updated March 22, 2018

Background

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to improve data protection for all individuals within the European Union (EU).

Hugo is aware of new GDPR requirements and restrictions and will be fully compliant with GDPR when it comes into effect.

Some of the key actions we’ve taken to ensure compliance include:

Data Protection Officer

Appointment of a Data Protection Officer (DPO) to ensure that our policies and practices remain in compliance going forward and that we embrace a policy of data protection by design and by default.

Personally Identifiable Information

A complete review of our policies and practices surrounding storage of customer data to ensure that any Personally Identifiable Information (PII) is kept in a way that enables us to comply with the rights of individuals as provided under the GDPR.

Privacy Policy

Updates to our privacy policy to make it clear how EU citizens can contact us for matters regarding their personal data, including the right to be forgotten and individual data access requests.

Data Processing Agreements

Strong data protection commitments are a key part of GDPR’s requirements. We will provide a data processing agreement upon request to our EU customers.

Questions?

If you have any further questions regarding Hugo's approach to the GDPR, please feel free to contact us at privacy@hugo.team.

SOC 2 Compliance

Coming soon
