Application infrastructure
Hall utilizes industry-standard cloud infrastructure vendors to provide the our service. Hall’s infrastructure is primarily managed through Amazon Web Services, and is complemented by additional secondary infrastructure vendors to provide specific features within the Hall web application.
Principally, the Hall web application leverages Amazon Web Services for infrastructure hosting.
The Hall web application is hosted in the Amazon Web Services us-east-1 region located in North Virginia, United States.
Amazon Web Services has been granted formal certification, attestation, and audit reports for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and more – the full list of compliance resources is available on the Amazon Web Services Security page.
Access controls
All Hall employees have limited access to Hall infrastructure and systems and access is always provisioned on a minimum-necessary, least-privilege, basis.
Access is only granted on a need-to-use basis, based on the responsibilities and duties of the employee.
Authentication
Every Hall employee has unique authentication details that identify them when accessing infrastructure systems, assets, and applications. Multi-factor authentication is enforced and passwords must be rotated every 90 days.
Physical controls
Hall utilizes Amazon Web Services as the principal web application infrastructure. Amazon Web Services data centers feature a layered security model, including extension safeguards such as:
- custom-designed electronic access cards
- motion alarms and sensors
- video surveillance
- perimeter fencing
- metal detectors
- biometrics
Hall employees do not have physical access to Amazon Web Services data centers, servers, network equipment, or storage.
Vulnerability management
Hall has vulnerability management policies and procedures in place to describe how we monitor for new vulnerabilities, enforce timelines and processes for remediation.
Scanning and detection
Hall utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.
Hall employs automated and integrated security scans of the web application. Automated scans occur at least daily and any detected vulnerabilities immediately notify the engineering team.
Hall subscribes to various security alerts program. If a vulnerability is detected in one of the web application’s dependencies, the engineering team is notified.
Severity and timing
Hall defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Low Severity - 0.1 - 3.9
Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.
Medium Severity - 4.0 - 6.9
Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.
High Severity - 7.0 - 8.9
High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.
Critical Severity - 9.0 - 10.0
Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.
Remediation process
When a vulnerability is detected and verified, the engineering team will remediate vulnerabilities within the SLA depending on the severity. Compliance of vulnerability SLAs is enforced via Vanta and tracked using Clubhouse.
Vulnerability disclosure
This policy governs how security researchers should raise security concerns with us, and how we will respond.
Data security is a top priority for Hall, and we believe that working with skilled security researchers can identify weaknesses in any technology.
If you believe you’ve found a security vulnerability in our service, please notify us; we will work with you to resolve the issue promptly.
Disclosing a weakness
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at legal@usehall.com. We will acknowledge your email within ten business days.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Hall service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Exclusions
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS)
- Spamming
- Automated penetration tests or vulnerability scans
- Social engineering or phishing of Hall employees or contractors
- Any attacks against Hall’s physical property or data centers
Logging and monitoring
Hall application and infrastructure uses industry-standard tooling and multiple logging layers to monitor the application health and alert the engineering team when something is not working as expected.
Application logging
Hall utilizes Sentry, Amazon CloudWatch Logs, and Datadog for application logging and monitoring to help diagnose and fix issues within Hall. Application error logs are stored in Sentry for 30 days and are used to help investigate issues raised from automatic alarms raised via Sentry, Cloudwatch, and Datadog.
Infrastructure logging
Hall utilizes Amazon CloudWatch and Datadog to log, monitor, and alert on resource allocation and operational performance of the infrastructure of the Hall web application. Infrastructure logs are stored for 365 days.
Audit logging
Hall utilizes Amazon CloudTrail to enable governance, compliance, and operational risk auditing of operations and actions taken on Amazon infrastructure and services. Audit logs are stored indefinitely.
Intrusion detection and prevention
Hall employs industry-standard techniques for detecting and preventing possible intrusions. Detected intrusions can result in escalation through incident response procedures.
IDS & IPS
Hall utilizes Amazon GuardDuty as an Intrusion Detection System (IDS) and as an Intrusion Prevention System (IPS).
GuardDuty continuously monitors for malicious activity and unauthorized behavior to protect Amazon Web Services accounts, workloads, and data stored in Amazon S3. GuardDuty employs machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
Firewall
Hall is protected by Amazon’s web application firewall (WAF) and assists in blocking common web exploits and attack patterns. Hall manages a number of firewall rules, including rules that address issues like the OWASP Top 10 security risks.
Brute force prevention
The Hall web application employs log in attempt rate limited with automated account lockout and secure password reset practices to prevent against brute force attacks. We also maintain a large email domain blacklist to prevent malicious actors and spam.