Security Overview

HunchBuzz is a New Zealand company that provides cloud-based idea and Innovation Management Software (IMS) globally. Our company is an approved supplier to the UK Government via the G-Cloud digital marketplace and the New Zealand Government Digital Marketplace. Our services are hosted at Amazon Web Services (AWS) datacenters.

HunchBuzz products include HunchBuzz Idea Management and krunch collaboration services. This policy applies to all HunchBuzz products.

Secure Communication

All connections to HunchBuzz products are secured via SSL. Any attempt to connect over HTTP is redirected to HTTPS.

API and DMZ

HunchBuzz has a secure internal API framework within a Demilitarized Zone (DMZ). Front-end code is separated from the core API providing a robust security layer, access to the API is strictly limited.

Securely hosted in the Cloud

HunchBuzz utilises secure development best practices that integrate security reviews throughout design, prototype, and deployment. Hosted within a secured public cloud, the HunchBuzz platform is self-contained and cannot detect, interfere with or view any other platform within the hosting environment. This policy is managed at a layer not accessible to other platforms within the environment. More detail:

• The HunchBuzz platform sits within a secure environment leveraging built-in Unix security policies.
• The platform is separated from all other systems within the cloud environment.
• The Platform has its own custom binary and source code. The executable code can only be triggered via web requests.
• The environment allows nothing to be executed within, or to be written to the file system. These strict measures help eliminate the possibility of malicious code being written to or executed within the hosting environment.
• Customer data is maintained in the Amazon RDS service. RDS data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.
• Some user data is stored in the AWS S3 storage service which provides special security policies above PCI (bank) standards.
• All communications between the application and RDS are encrypted in transit using SSL/TLS.
• Services use a dynamic firewall and forwarder to connect to the database and memcache. These are network layer redirects routed directly to the services.
• It is not possible for any app within our hosting provider to connect to our services–even if they were using hijacked credentials. Requests to our services are only permitted if they come from the HunchBuzz app, else they are rejected.
• A malicious instance within our hosting providers environment has no access to the layer where the redirect was created.
• Finally, a firewall and intrusion detection layer inspects and validates each request. This firewall is updated nightly to include the latest intrusion detection rules.

Limited Staff Access

HunchBuzz has strict rules and checks around who has access to the back-end database and services. Only specific staff have access to make changes and modifications, all access to the back-end systems is logged.

Content Verification

Post content verification is achieved through a web application firewall. Post-like events such as spam, login credentials, hacking, XSS, SQL injection will be stopped in real-time.

Browser Integrity Check

Our network Scans HTTP headers abused by spammers and denies access. These checks also challenge visitors that do not have a standard web browser or user agent.

Application Firewall

We use an industry standard Web Application Firewall (WAF) which detects and blocks common keywords used in comment spam, as well as attack signatures used in cross-site scripting attacks and SQL injections.