HereToday is safeguarding your life’s documents and accounts, so we take security seriously.
Protecting you is our priority.
In everything we do, your security and privacy always comes first.
Fraud prevention technology
We use the latest technology to intervene when it matters. From multi-factor authentication and bank grade encryption across all of our websites and applications, to advanced analytics that can recognize fraudulent activity. We’re continuously innovating to keep you and your data safe.
Security in everything we do
Whenever you interact with us online, you’re protected by strong encryption.
When you access our site, look for the padlock in your address bar. It shows your browser is securely connected to our systems.
Safeguarding your privacy
Protecting your information and being clear about what it’s used for is a vital part of our relationship with you.
24/7 real time monitoring
We have dedicated teams looking for suspicious transactions and activity across our network and in your account. If we detect anything, we’ll contact you so please ensure your contact details are up-to-date.
Where we suspect activity or transactions may be unauthorized, we may then contact you to confirm whether the activity and transactions were undertaken by you. We may contact you using the below methods:
- A phone call from one of our team members
- An automated SMS from our SMS service system.
We will never ask you for your password.
Securing your data and protecting your privacy starts with choosing the right platform to deliver our services to you.
HereToday is built on Google Cloud Platform (GCP) and we implement their most secure services and best practices to ensure we deliver the best for you. The following section contains information about their security compliance.
Google Cloud helps protect your sensitive data, including PII, records, transaction data, and payment card information, by offering identity management, network security, and threat detection and response. To earn your trust Google certifies their products against the most rigorous global security and privacy standards.
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with an international membership of 163 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure.
ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.
Google Cloud Platform, Common Infrastructure, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27001 compliant. The 27001 standard does not mandate specific information security controls, but the framework and checklist of controls it lays out allow Google to ensure a comprehensive and continually improving model for security management.
The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 163 national standards bodies.
The ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- Additional implementation guidance for relevant controls specified in ISO/IEC 27002
- Additional controls with implementation guidance that specifically relate to cloud services
- This standard provides controls and implementation guidance for both cloud service providers like Google.
ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:
- Who is responsible for what between the cloud service provider and the cloud customer
- The removal/return of assets when a contract is terminated
- Protection and separation of the customer’s virtual environment
- Virtual machine configuration
- Administrative operations and procedures associated with the cloud environment
- Customer monitoring of activity within the cloud
- Virtual and cloud network environment alignment
- Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27017 compliant.
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 163 national standards bodies.
ISO/IEC 27018 relates to one of the most critical components of cloud privacy: the protection of personally identifiable information (PII). This standard focuses in two ways on security controls for public-cloud service providers that process PII:
- Builds upon existing ISO/IEC 27002 controls by adding specific items for cloud privacy
- Provides entirely new security controls for personal data
Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27018 compliant.
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
SSAE 18 / ISAE 3402 Type II
The AICPA created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards.
SSAE 18 aligns closely with the International Standard on Assurance Engagements 3402 (ISAE 3402), both of which are used to generate a report by an objective third party attesting to a set of assertions made by an organization about its controls. The Service Organization Controls (SOC) framework is the method by which the control of financial information is measured.
Google Cloud undergoes a regular third-party audit to certify individual products against this standard.
The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).
PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.
Google Cloud undergoes an annual third-party audit to certify individual products against the PCI DSS.
The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
Google Cloud has achieved the third-party assessment-based certification (CSA STAR Level 2: Attestation) for Google Cloud Platform (GCP) and Google Workspace, resulting in a CSA Star SOC2+ report.
Google is also a CSA sponsor and a member of CSA’s International Standardization Council (ISC), and a founding member of the CSA GDPR Center of Excellence.
Our application is a custom built service powered by Google Cloud Platform. While we establish our services for you and seek security certifications, we focus on the security of the HereToday web application.
Our systems and processes address:
- Data encryption and tokenization – all data is encrypted in transit and at rest.
- Advanced malware prevention.
- Data loss prevention – we are implementing an automated DLP filter.
- Proxy-based real-time detection – we are implementing IDS/IPS within our VPCs.
- Offline repository inspection – all CI/CD processes include automated security and vulnerability inspection.
- IAM (Identity and Access Management) – we follow Google Cloud Platform’s IAM best practices.
- Password policy creation – we mandate password complexity.
- Two-factor authentication (2FA) usage – 2FA is available for all customers.
- Access controls implementation – we enforce Mandatory Access Control (MAC) and other OWASP guidelines.
- Privileged access management – we implement access management controls and regularly test our application.
- Logging and monitoring controls – we love logging, and everything is logged.
To be informed about our path to certified compliance, or to know more, contact our support team.
Administrative Access to your Information
HereToday can never see any document you upload.
Our guarantee to you: At no time will a HereToday employee or administrator gain access to your account, except in limited circumstances. Limited access examples could include triggering a confirmation email, or restricting access to your account in urgent circumstances, such as removing an executor or Life Guard’s access.
We log and regularly audit all access to your account, whether by you or a professional services administrator. Examples of an administrator could include an attorney, life insurance agent, or financial planner.
Two Factor Authentication
Enabling Two Factor Authentication (2FA) protects access to your account. Whenever you sign into HereToday from a new computer, device, or browser, we will send a unique code to your phone that you must input as part of your login.
All communications between HereToday and you are encrypted using SSL.
Securing Your Data
HereToday stores your data using bank grade encryption with a uniquely derived key for each user. This practice is recommended by NIST Special Publication 800-132.
If you’re worried about the security of your account or information, we can help:
- Report suspicious activity on your account.
- Find out how to report a suspicious email or scam message.
- Find out more about our security policies and how we keep your data safe.
- Contact us at any time if you have any security concern.