Third-party integration security
Hyperproof supports third-party integrations for file synchronization, task synchronization (e.g., Jira, Asana, and ServiceNow), and evidence collection from a wide range of cloud-based PaaS and SaaS applications. In the product, these integrations are known as LiveSync and Hypersyncs. They are designed to automate and simplify evidence collection from external systems while giving customers full control over how their data flows into Hyperproof. We treat the security of these integrations with the utmost seriousness, applying rigorous controls and policies to safeguard customer data.
Secret types and storage
Integrations are authorized by users within an organization using one of the following methods: OAuth, API keys, or username/password credentials. Once authorization is complete, Hyperproof stores a secure access token in an integration connection, which enables ongoing communication with the third-party service’s API.
All access tokens are encrypted in transit and at rest, which is consistent with how we secure all sensitive data. Users retain full control over their integrations and can revoke access at any time. When a user deletes a connection, the corresponding access token is immediately deleted from Hyperproof’s storage. Additionally, many integrated services offer mechanisms to revoke or manage API access from their own dashboards.
Under the direction of the end user, Hyperproof uses these tokens to retrieve data as configured by the user. Tokens are never repurposed or used outside of this scope. Integration secret data is stored in a double-encrypted, access-controlled database environment. Only sandboxed integration services have access to this environment, and secrets are logically isolated by organization identifier to ensure tenant separation.
Access to systems that store or use these tokens is restricted to a small, vetted group of Hyperproof engineers who have passed annual criminal background checks, formally acknowledged our customer data handling policies, and completed our annual security and privacy training. All access is logged and continuously monitored to enforce strict separation of duties.
Recommended usage practices
To help customers maintain strong security hygiene when using integrations, we recommend the following best practices:
Use dedicated service accounts for integrations whenever possible.
Apply the principle of least privilege to all service accounts and integrations—only grant the minimum necessary permissions. Our product documentation details the permissions needed for each integration and proof type to help you understand and limit access appropriately.
Limit access to integration setup within Hyperproof. Users with access to an integration can create new Hypersyncs, so restrict this capability to trusted personnel.
Monitor connection health regularly, watching for authentication failures or permission errors. See Connection health notifications.
Disconnect unused integrations promptly. When an integration is removed in Hyperproof, its associated credentials are permanently deleted.
End users initiate and control all integration-related data synchronization, such as file imports, task mirroring, or evidence collection, and can pause or delete synchronizations at any time.
Subservice providers
For select Human Resource (HR) systems such as BambooHR and Workday, Hyperproof partners with Finch, a provider of a universal integration platform for payroll and HR systems. Finch meets our stringent security requirements, holds a current SOC 2 certification, which we review annually, and is CCPA compliant. Finch hosts their infrastructure on AWS. You can find out more about Finch’s strong commitment to security on their website.
For additional information, see What information does my IT admin need to know?.