Highlight ensures the security of data shared with the platform through a robust information security program.
Data collected by Highlight may include sensitive project details, individuals’ survey responses, and other proprietary data or personally identifiable information (PII).
Highlight ensures the security of these data by operating a robust information security program that:
- classifies all data types according to their sensitivity and risk
- restricts access to data according to their classification
- ensures all data are encrypted in transit using transport-layer security (TLS) and industry-best cipher algorithms
- ensures all data are encrypted at rest within Highlight’s cloud datastores
Data Classification
Highlight classifies data into one of four levels based on sensitivity:
- Restricted (most sensitive)
- Confidential
- Internal Use
- Public (least sensitive)
Highlight’s approach to data governance restricts access to data classified as Internal Use or higher to people and systems with both (a) a legitimate business purpose and (b) adequate training to securely handle it.
The data shared with us by our customers and Highlighters are typically classified as Confidential, with particularly sensitive fields or records occasionally requiring the most stringent, Restricted classification.
Data Security
Data collected by Highlight are stored inside a secure Virtual Private Cloud (VPC) in Amazon Web Services (AWS) and subject to a layered security architecture for access, backup and recovery. This includes strict ingress rules on VPCs, at-rest encryption within datastores (AWS Aurora, AWS S3), use of strong ciphers (e.g. AES-256), cryptographic key storage in a Hardware Security Module (HSM) within a dedicated Key Management Service (AWS KMS), and transport-layer security (TLS) between stores and services.
In the limited cases where Highlight employees may need to review or access data to deliver our products and services, access is limited on a “need to know” basis and secured by Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
Data Backup and Recovery
All data stored within Highlight’s VPC are backed up daily to maintain a Recovery Point Objective (RPO) of not more than 24h. Regular tests are performed to verify our ability to restore to recent Recovery Points within a Recovery Time Objective (RTO) of 12h.