SourceHUB - Tech-Charged Procurement

Data Security Policy

SourceHUB users trust us with their supply chain, internal and external communications, sensitive documents, and proprietary pricing information. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Amazon Web Services

We are 100% cloud based, with our entire infrastructure located within a virtual private cloud (VPC) on Amazon Web Services. We deploy to 80 availability zones across 25 regions worldwide (CDN) and use Kubernetes to provide a fault-tolerant, redundant, scalable infrastructure that is there whenever you need us.

Data is stored encrypted at rest, and all traffic between our VPC and end customers is encrypted in transit with TLS (see: Data Encryption below).

Document Security

SourceHUB recognizes that proprietary documents are the lifeblood of your business and we take document security very seriously.

All document file uploads are stored on Amazon's S3 service in private buckets that are not accessible from the Internet.

Access to those files must be granted by you, to parties you designate, using temporary, cryptographically signed URLs that expire after 5 minutes for web traffic, or after up to 14 days when sent as a share link through email or in a report.
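How such a signed URL is minted and checked, as an added example (not SourceHUB's code): the block below implements AWS Signature Version 4 query-string presigning for an S3 GET in plain Python, plus the verification S3 performs when the URL is presented. The access key, secret, bucket name, object key and the fixed clock are constructed for the demo. One caveat a practitioner should know: a SigV4 presigned URL cannot be valid for more than 7 days (604,800 seconds), so a 14-day share link cannot be a single raw S3 presigned URL; it has to be an application-issued link that mints a short-lived S3 URL when followed. How SourceHUB implements its share links is not stated on this page.

```python
"""AWS SigV4 presigned S3 GET URL: minting and server-side verification.

Added example, not SourceHUB's code. Access key, secret, bucket, object key
and the clock are constructed for the demo. S3 itself performs the
verify_get() step; it is reproduced here so the expiry and tamper checks
can be exercised offline.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs cannot outlive 7 days


def utc(*args):
    """Timezone-aware UTC datetime (fixed clock for the demo)."""
    return datetime(*args, tzinfo=timezone.utc)


def _enc(s):
    # URI-encode everything except the unreserved set (slashes included)
    return quote(s, safe="-_.~")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    # HMAC chain: "AWS4"+secret -> date -> region -> "s3" -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _string_to_sign(host, key, query, amz_date, scope):
    canonical_query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/-_.~"),
        canonical_query,
        f"host:{host}\n",   # canonical headers block, followed by a blank line
        "host",             # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join([ALGO, amz_date, scope, digest])


def presign_get(bucket, key, access_key, secret_key, region, expires, now=None):
    """Mint a URL that grants GET on exactly one object for `expires` seconds."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 and 604800 seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    query = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sts = _string_to_sign(host, key, query, amz_date, scope)
    sig = hmac.new(_signing_key(secret_key, amz_date[:8], region), sts.encode(), hashlib.sha256).hexdigest()
    qs = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items()))
    return f"https://{host}{quote('/' + key, safe='/-_.~')}?{qs}&X-Amz-Signature={sig}"


def verify_get(url, secret_key, now=None):
    """What the server does: recompute the signature and enforce the window.
    Returns (ok, reason)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        given = q.pop("X-Amz-Signature")
        amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
        date, region = q["X-Amz-Credential"].split("/")[1:3]
        issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "malformed"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "bad expiry"
    now = now or datetime.now(timezone.utc)
    if now > issued + timedelta(seconds=expires):
        return False, "expired"
    scope = f"{date}/{region}/s3/aws4_request"
    sts = _string_to_sign(parts.netloc, unquote(parts.path[1:]), q, amz_date, scope)
    expected = hmac.new(_signing_key(secret_key, date, region), sts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"   # path, query or expiry was altered
    return True, "ok"
```

The expiry is inside the signed query string, so extending X-Amz-Expires or changing the object path invalidates the signature, and a valid signature is still refused once the window has passed. That is what makes a 5-minute URL actually expire rather than merely claim to.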

Network Security

SourceHUB defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Account Security

SourceHUB never stores your password in plaintext. When we need to store your account password in order to authenticate you, we store a bcrypt hash with a unique salt for each credential. We choose the bcrypt cost factor (the number of hashing rounds) to strike a balance between user experience and the work an attacker must do to crack the hash.

While we don't require you to set a complex password, our password strength meter will encourage you to choose a strong one. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.
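One way to implement the two limits together, as an added example that is not SourceHUB's code: a sliding-window throttle keyed by account and by source IP, wired in front of password verification. The limits (5 per account, 20 per IP, 15-minute window), the fake clock and the user store are constructed for the demo, and the standard library's PBKDF2 stands in for bcrypt so the block runs without third-party packages; the throttling logic is the point.

```python
"""Failed-login throttling on a per-account and per-IP basis.

Added example, not SourceHUB's code. Limits, window, user store and clock
are constructed for the demo. PBKDF2 (standard library) stands in for bcrypt.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

ITERATIONS = 50_000  # demo value; tune a real deployment's cost much higher


class FakeClock:
    """Controllable clock so the sliding window can be exercised deterministically."""

    def __init__(self, t=0.0):
        self.t = t

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Sliding-window counters of failed attempts, keyed by account and by source IP."""

    def __init__(self, account_limit=5, ip_limit=20, window_s=900, clock=time.monotonic):
        self.account_limit, self.ip_limit, self.window = account_limit, ip_limit, window_s
        self.clock = clock
        self._by_account = defaultdict(deque)
        self._by_ip = defaultdict(deque)

    def _live(self, dq):
        now = self.clock()
        while dq and dq[0] <= now - self.window:   # drop failures older than the window
            dq.popleft()
        return len(dq)

    def check(self, account, ip):
        """None if the attempt may proceed, else the name of the limit that blocked it."""
        if self._live(self._by_account[account]) >= self.account_limit:
            return "account"
        if self._live(self._by_ip[ip]) >= self.ip_limit:
            return "ip"
        return None

    def record_failure(self, account, ip):
        now = self.clock()
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)

    def record_success(self, account):
        # A correct password clears the account counter. The IP counter is kept:
        # one IP cycling through many accounts is credential stuffing.
        self._by_account.pop(account, None)


def make_credential(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Dummy credential so unknown accounts cost the same hashing time as real ones
_DUMMY = make_credential(os.urandom(16).hex())


def login(throttle, users, account, ip, password):
    """Throttle first, then verify. Returns 'ok', 'denied' or 'throttled:<limit>'."""
    blocked = throttle.check(account, ip)
    if blocked:
        return f"throttled:{blocked}"
    salt, digest = users.get(account, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if account in users and hmac.compare_digest(candidate, digest):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, ip)
    return "denied"
```

The throttle check runs before any hashing, so a locked account does not keep burning CPU, and the dummy credential keeps the response time of an unknown account indistinguishable from a wrong password on a real one.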

Email Security

SourceHUB gives you a way to create communications in your account by sending emails to a unique SourceHUB email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.

When you receive an email from SourceHUB, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from SourceHUB is legitimate. Every email we send from the @sourcehub.ai domain will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.
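An added example (not SourceHUB's tooling) of what "enforcing" means in practice: a small checker that classifies a DMARC record as enforcing, partial or monitoring-only, and an SPF record by how it treats unlisted senders and whether it stays within the 10-lookup limit of RFC 7208. The records in the test are constructed samples, not sourcehub.ai's real DNS; a real checker would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Classify published SPF and DMARC records by how much they actually enforce.

Added example, not SourceHUB's code. Sample records are constructed, not
sourcehub.ai's real DNS. Evaluates record strings only (no DNS queries).
"""
import re

SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_verdict(record):
    """Return 'enforcing', 'partial', 'monitoring' or 'invalid'."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1" or "p" not in t:
        return "invalid"
    policy = t["p"].lower()
    subdomain_policy = t.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitoring"          # reports only; spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    if pct < 100 or subdomain_policy == "none":
        return "partial"             # some spoofs, or all subdomain spoofs, get through
    return "enforcing"


def spf_verdict(record):
    """Return (verdict, detail). 'strict' only for a -all record within the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid", "missing v=spf1"
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and the argument to get the mechanism name
        name = re.sub(r"^[+\-~?]", "", term).split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        return "invalid", f"{lookups} DNS lookups exceeds the RFC 7208 limit of 10"
    last = terms[-1].lower()
    if last == "-all":
        return "strict", "hard fail for unlisted senders"
    if last == "~all":
        return "soft", "softfail; receivers may still deliver"
    if last in ("+all", "all", "?all"):
        return "open", "any sender passes"
    return "weak", "no 'all' mechanism; unlisted senders get a neutral result"
```

A record with p=none satisfies "we publish DMARC" but rejects nothing; only p=quarantine or p=reject at pct=100, with no weaker sp override, is an enforcing policy. An SPF record that exceeds ten lookups evaluates to permerror at many receivers, which silently turns the "-all" into no protection at all.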

Product Security

Securing our Internet-facing web service is critical to protecting your data. Our development team runs an application security program to improve code security hygiene and periodically assesses our service for common application security issues, including CSRF, injection attacks (XSS, SQLi), session management flaws, open redirects, and clickjacking.

Our web service authorizes all third-party client applications using OAuth. OAuth lets you connect a third-party application to your account without giving the application your login credentials. Once you authenticate to SourceHUB successfully, we return an access token to the client, which it presents on every subsequent request. The third-party application therefore never needs to store your username and password on your device.

Every client application that talks to our service uses a well-defined REST API for all actions. By brokering all communications through this API, we're able to establish authorization checks as a foundational construct in the application architecture. There is no direct object access within the service and each client's authentication token is checked upon each access to the service to ensure the client is authenticated and authorized to access a particular record.

Customer Segregation

SourceHUB's service is multi-tenant: your data is logically isolated by the permission model described below, but it is not physically segregated and may live on the same servers and databases as another user's data.

A big part of SourceHUB since day one has been our network and permissions model, which gives you fine-grained control over whom you work with and what they can see and do with your data.

Users or companies you are not connected to have no access to any of your data unless you have explicitly made it public through our marketplace feature.

For companies you are connected with, you control what data is shared through your network settings and can terminate that access at any time by terminating the connection.
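The authorization model described under Product Security (token checked on every call, no direct object access) and in this section (owner access, connection-based sharing, marketplace-public records, revocation on disconnect), in one piece of runnable code. This is an added illustration, not SourceHUB's implementation; the company names, tokens, record categories and the 404-on-denied choice are assumptions made for the demo.

```python
"""Every API read passes one authorization check: owner, connection share,
or marketplace-public. Added example, not SourceHUB's code; tenants, tokens,
records and category names are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Record:
    id: str
    owner: str             # company that owns the record
    category: str          # e.g. "pricing" or "documents"; shares are granted per category
    public: bool = False   # listed through the marketplace


class Service:
    def __init__(self):
        self.records = {}   # record id -> Record
        self.shares = {}    # (owner, partner) -> categories owner has shared with partner
        self.tokens = {}    # opaque access token -> company acting as the caller

    # --- network and permissions ------------------------------------------
    def connect(self, owner, partner, categories):
        """Owner shares the given categories with partner (directional)."""
        self.shares[(owner, partner)] = set(categories)

    def disconnect(self, owner, partner):
        """Terminating the connection revokes everything shared under it."""
        self.shares.pop((owner, partner), None)

    def can_read(self, caller, rec):
        if rec.public or rec.owner == caller:
            return True
        return rec.category in self.shares.get((rec.owner, caller), set())

    # --- API surface --------------------------------------------------------
    def get_record_unchecked(self, record_id):
        """The anti-pattern: direct object access keyed only by id (IDOR)."""
        return self.records[record_id]

    def api_get(self, token, record_id):
        """Returns (status, body). The token is resolved on every call and the
        record is released only after the permission check."""
        caller = self.tokens.get(token)
        if caller is None:
            return 401, None
        rec = self.records.get(record_id)
        # Same 404 for "missing" and "not yours", so an unconnected party
        # cannot probe which record ids exist in other tenants' data.
        if rec is None or not self.can_read(caller, rec):
            return 404, None
        return 200, rec
```

Two design points worth noting: shares are directional (acme sharing pricing with globex says nothing about what globex shares back), and because tenants share the same storage, the check in api_get() is the only thing standing between one customer's record and another customer's request. get_record_unchecked() is the shape of a direct-object-access bug and exists here only to show what the API must never expose.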

Data Retention and Deletion

SourceHUB retains your content unless you take explicit steps requesting that we delete it.

Activity Logging

The SourceHUB service performs server-side logging of client interactions with our services. This includes web server access logging as well as activity logging for actions taken through our API.

Data Encryption

SourceHUB uses industry standard encryption to protect your data in transit. This is commonly referred to as Transport Layer Security ("TLS"), or by the name of its deprecated predecessor, Secure Sockets Layer ("SSL"). In addition, we support HTTP Strict Transport Security ("HSTS") for the SourceHUB service (app.sourcehub.ai). We support a mix of cipher suites and TLS protocol versions to balance strong encryption for browsers and clients that support it against backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.

The MySQL databases that store customer content are backed up regularly, with all backup files encrypted at rest. The MySQL instances are reachable only from within our VPC, and the data does not leave our VPC within Amazon Web Services.

Resiliency / Availability

We operate a fault tolerant architecture to ensure that SourceHUB is there when you need it.

Across both the AWS data centers that host us and our own cloud infrastructure, this includes:

  • Diverse and redundant Internet connections
  • Redundant network infrastructure including switches, routers, and firewalls
  • Redundant application load balancers
  • Redundant servers and virtual instances
  • Redundant underlying storage

Amazon Web Services provides fault tolerant facility services including: power, HVAC, and fire suppression.

We back up all customer content at least once daily. We do not utilize portable or removable media for backups.

Privacy and Compliance

See our privacy policy.