Find out how Hedgehog Security keeps your data safe.

Quick facts

Has a disaster recovery plan
Has cyber insurance
Deletes customer data on request
Has a privacy policy
One or more annual third-party audit(s)
Has a formal mobile device management (MDM) program



Here are the answers to our most commonly asked compliance questions.
How do you encrypt information at rest?
We store client information in Siloed containers within our OpenSearch cluster. Each client is assigned their own AES256 encryption phrase which includes a random 128 bit random salt.
How do you manage encryption in transit?
All data connections are done over a VPN using AES256 encryption with a 256bit key and a 128bit random salt. For standard web connections, all connections are held over TLSv1.3, although we will degrade that to TLSv1.2 for organisations unable to handle the newer TLS.
Who owns the personal data processed using Hedgehog's services?
As a customer, you maintain ownership of the personal data we may come across duing auditing, testing or monitoring. We do not access or use your personal data for any purpose other than what is agreed upon with you in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body.
Who controls personal data?
As a customer, you control your data. We offer industry standard security features to protect and encrypt your data in transit and at rest which are appropriate to the risks presented by the processing of your data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of your data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons. If we hold any personal data you wish removing, this can be done by raising a SOC ticket.
Where is my data stored?
Data is stored in one of our two Data Centres, either in Spain or in the UK depending on the juristictional preferences of your data.
What steps does Hedgehog take to protect personal data?
Our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organisational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data.
Do you have a formal and documented security program that undergoes continuous improvement?
We have an Information Security Policy which describes all the security programs maintained across the organisation. The information security policy shall be reviewed by the CISO on an annual basis and is audited annually as part of our ISO27001 certification audits. Hedgehog Security has adopted the NIST Cybersecurity Framework (CSF) as our official cybersecurity framework.
Are information security roles and responsibilities clearly defined and communicated to the employees?
Hedgehog has clearly defined roles and responsibilities related to cybersecurity and privacy. The information security policies shall be communicated to all associates on an annual basis as part of mandatory annual training.
Is security awareness training provided to employees of Hedgehog?
All users shall participate in annual information security, privacy, compliance, and awareness training and complete such training by the deadline established by the CISO. Specialised training for developers is offered annually to developers.
List all the Compliance programs implemented by Hedgehog Security
We have implemented controls to comply with the following compliance programs: Payment Card Industry (PCI) Data Security Standard (DSS), Sarbanes Oxley Act (SOX), ISO 27001:2022, ISO9001, ISO22301 and NIS2.

You can read more in the articles below.
Do you have a vulnerability management system?
All the assets are scanned for vulnerabilities weekly. Vulnerabilities are remediated based on internal and industry standards, remediation is performed every Wednesday morning.
Do you continually monitor internal systems?
Our SOC365 service monitors our own systems and networks, providing high quality assessments of weaknesses in our internal and internet-facing systems. Using our own service against ourselves allows us to be rapidly informed whenever new vulnerabilities are released.