Technical and Organizational Measures
HackerRank implements the following technical and organizational measures to maintain the security of its services and the personal data it processes in connection with use of its services:
Anonymization
- HackerRank anonymizes customer personal data on request by replacing the personal data in all in-scope tables with random or dummy data, so that data subjects are no longer identifiable.
End-to-End Encryption
- Encryption in Transit: Data in transit is encrypted using FIPS-compliant TLS/SSL protocols via HTTPS. HackerRank uses a 2048-bit asymmetric key for the SSL/TLS handshake and an AES-256 or AES-128 session key depending on the client browser. SHA-256 is used on the SSL/TLS session to ensure the integrity of encrypted data.
- Encryption at Rest: Data at rest is encrypted using 256-bit AES encryption. HackerRank uses Amazon Relational Database Service (RDS) for encryption of data at rest. Amazon RDS-encrypted instances use the industry-standard AES-256 encryption algorithm. Once encrypted, Amazon RDS handles authentication of access and decryption of data transparently. Encryption keys are stored in the separate Amazon Key Management Service (KMS). Only specified users can access the KMS, and the encryption keys do not persist anywhere in the storage layer.
Ongoing Confidentiality, Integrity, Availability, and Resiliency
- Cloud Platform: The HackerRank platform is built on a secure cloud services platform and includes multi-tiered architecture, which offers enhanced security and avoids a single point of failure. Each tier has its own Access Control List and rule set to restrict access and allow secure communication. Data is logically segregated. All access is done through certificate-based authentication.
- Anti-Virus: We implement industry standard anti-virus/malware software operating in real time on all servers, laptops, and desktops.
- Defense: We implement defense and proactive security procedures, such as perimeter defense, network security monitoring, and intrusion detection systems. We use industry standard firewalls to protect our application environment and associated data from the Internet and untrusted networks. We keep server, firewall, and other security-related configurations updated in accordance with industry standards. Firewall events are monitored to detect potential security events.
- Access: We limit access to personal data on a “least privilege” basis to the minimum number of personnel who require access to maintain our systems and provide services to our customers.
- Confidentiality: HackerRank employees sign a comprehensive confidentiality agreement when accepting an employment offer. Any contractor who accesses HackerRank facilities or customer data must also sign a confidentiality agreement protective of customer data. HackerRank employees are required to complete security and privacy training as part of their onboarding process and annually thereafter; employee training includes information security policies, security best practices, and privacy protections.
- InfoSec Team: Our Information Security team approves all HackerRank applications accessible from the Internet prior to launch or implementation. Inbound and outbound connections are denied unless expressly allowed.
Regular Testing, Assessing and Evaluating Effectiveness
- Security Testing: At least once per year we engage an independent third-party security expert to conduct internal and external network, system, and application vulnerability assessments, including automated and manual application security testing, SSL server tests, penetration testing, and continuous risk monitoring of all HackerRank properties and third-party applications.
- Software Scanning: We use commercially available virus-checking software to scan our software for, and remove from it, any malicious components (e.g., computer virus, worm, time bomb, or otherwise) that could, in any material way, damage any software, firmware or hardware of our customers. We use commercially reasonable efforts to reduce or eliminate the effects of the virus or item and to mitigate and restore any loss of data or operational efficiency.
Ensuring Ability to Restore Availability and Access to Personal Data
- Business Continuity: We maintain a formal Business Continuity Plan to be implemented in the event of a disaster or other potential discontinuation of business.
- Backups: We perform regular backups of our system and customer data and provide data recovery and archiving in accordance with HackerRank’s policies and procedures, which may include leveraging multiple Availability Zones. In case there is a failover condition from HackerRank’s primary data location, we have the ability to engage a secondary location from which to provide our services.
User Identification and Authorization
- Employee Access: Employees with access to production environments are required to use SSH private keys to securely log in. To access our systems remotely, employees must use a VPN with two-factor authentication. Passwords are changed regularly. Employees do not share their username or password with others or allow other employees to use their username or password. HackerRank revokes access to all customer data and all HackerRank systems in a timely manner upon employee termination or resignation. We regularly monitor company servers and devices to track access and look for indications of suspicious or unauthorized activity.
- Platform Access: HackerRank limits platform access to only privileged users by authenticating access through email and password or single sign-on (SSO). We use SSO via our partners or a customer’s preferred SAML 2.0-compliant solution for authentication purposes. Logical or network access to infrastructure storing customer data is restricted; access is allowed only on a need-to-know basis. Access requests are documented and approved based on need. Access rights are permissions-based and reviewed on a periodic basis.
Physical Security
- Serverless Environment: HackerRank operates a primarily serverless environment, entirely hosted in the cloud and using the shared cloud security model. Equipment hosting customer data is located in physically secured data centers maintained by Amazon or Google.
- Remote Workforce: We maintain a fully remote workforce without a physical office. Physical access to infrastructure housing customer data is restricted, with access allowed only on a need-to-know basis and only from company-owned equipment.
Events Logging and Monitoring
- HackerRank maintains a security logging and monitoring process which identifies potential security violations in near-real time. Logs are regularly reviewed by HackerRank (at intervals commensurate with risk), either manually or using log-parsing tools. HackerRank uses automated alerts to detect security events, and security alerts are communicated to authorized personnel so that they can be handled appropriately. HackerRank assigns employee engineers to monitor, investigate, and remediate as necessary any events and alerts.
- We log any events impacting platform security, including, but not limited to: login failures; use of privileged accounts; changes to access models, file permissions, installed software, or the operating system; changes to user permissions or privileges; and use of privileged system functions. We utilize APIs to retrieve audit logs of all actions taken by any user(s).
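The two logging bullets above list the event categories that are logged and state that automated alerts raise them in near-real time. The following is an added illustration, not HackerRank's own tooling or log format, of what such a detection pass looks like: it reads constructed JSON-lines audit records (the field names, the action names, the user set `root`/`admin`, and the three-failures-in-five-minutes threshold are all assumptions made for the example) and emits alerts for login-failure bursts per account and for privileged-account or permission-changing activity.

```python
"""Detection pass over constructed audit-log lines (illustrative only)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line. Not real HackerRank logs;
# the field names and action vocabulary are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "user": "alice", "action": "login", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T10:00:20Z", "user": "alice", "action": "login", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T10:00:45Z", "user": "bob", "action": "login", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-05-01T10:01:05Z", "user": "alice", "action": "login", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T10:01:30Z", "user": "dave", "action": "login", "result": "success", "ip": "192.0.2.44"}
{"ts": "2024-05-01T10:02:10Z", "user": "root", "action": "sudo", "result": "success", "ip": "192.0.2.9"}
{"ts": "2024-05-01T10:15:00Z", "user": "bob", "action": "login", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-05-01T10:20:00Z", "user": "carol", "action": "permission_change", "result": "success", "ip": "192.0.2.21", "target": "/etc/app.conf"}
"""

# Assumed detection parameters: these are choices for the example, not policy values.
FAILURE_THRESHOLD = 3                 # failures per account...
FAILURE_WINDOW = timedelta(minutes=5)  # ...within this sliding window
PRIVILEGED_USERS = {"root", "admin"}
PRIVILEGED_ACTIONS = {"sudo", "permission_change", "privilege_grant",
                      "package_install", "os_update"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_login_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Alert once per account when `threshold` login failures fall inside `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] != "login" or ev["result"] != "failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "login_failure_burst", "user": ev["user"],
                           "count": len(q), "ip": ev["ip"], "ts": ev["ts"].isoformat()})
    return alerts


def detect_privileged_activity(events):
    """Alert on any use of a privileged account or a permission/software change."""
    alerts = []
    for ev in events:
        if ev["user"] in PRIVILEGED_USERS or ev["action"] in PRIVILEGED_ACTIONS:
            alerts.append({"rule": "privileged_activity", "user": ev["user"],
                           "action": ev["action"], "ip": ev["ip"], "ts": ev["ts"].isoformat()})
    return alerts


def run_detections(text):
    """Run both rules over raw log text and return the alerts grouped by rule."""
    events = parse_events(text)
    return {"login_bursts": detect_login_bursts(events),
            "privileged": detect_privileged_activity(events)}


if __name__ == "__main__":
    for rule, found in run_detections(SAMPLE_LOG).items():
        for alert in found:
            print(rule, json.dumps(alert))
```

On the constructed input, `alice` trips the burst rule (three failures in just over a minute) while `bob`'s two failures, fifteen minutes apart, do not; `root`'s `sudo` and `carol`'s `permission_change` each produce a privileged-activity alert. In a real pipeline the alert dicts would be what gets routed to the on-call engineers the policy mentions.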
System Configuration
- We have implemented an Agile Software Development Lifecycle followed by a multi-stage review, which enables us to deploy new features and fixes efficiently in line with industry-standard best practices. We isolate Development, Quality Assurance, Staging, and Production environments to reduce the risk of unintended changes and to maintain environment integrity and availability. Baseline systems with hardened security configurations and vulnerability fixes are used in the Production environment.
- System configuration is applied and maintained by software tools that ensure the system configurations do not differ from the default specifications.
IT Security Governance and Management
- Device Encryption: All employee devices are encrypted and managed through an MDM solution. Employees undergo routine security training and self-assessment. HackerRank assigns roles and responsibilities within and among departments to ensure proper segregation of duties.
- Privacy Officers: HackerRank appoints a CISO, who ensures that data and platform security, availability, integrity, confidentiality, and privacy are continually maintained, and a Data Protection Officer, who ensures that our data protection and processing are compliant with applicable data protection laws.
Certifications
- HackerRank is ISO 27001-certified. HackerRank maintains SOC 2 Type 2 Service Organization Controls. We conduct an annual SOC 2 Type 2 audit.
Data Minimization
- Limited Processing: Use of the HackerRank services requires processing of only the limited personal data necessary to provide the services to our customers or as otherwise agreed upon with a customer.
- Retention: HackerRank retains personal data for the limited time provided by the applicable customer agreement. Periodic assessments are conducted to evaluate the necessity of storing each instance of personal data.
Data Quality
- Customer Control: Our services allow customers to perform data creation, reading, updating, and deletion operations within the HackerRank services. Customers maintain control over their customer data within our services. Customers may export their data directly from the services and retrieve or delete/erase customer data from the services by submitting a request within our services.
- Segregation: Each customer’s data is logically segregated from that of other customers, using a unique ID associated with each customer, which persists throughout the data lifecycle and is enforced at each layer of our platform.
Limited Data Retention, Portability, Erasure
- Retention and Backup: Personal data is retained in accordance with the terms agreed upon by HackerRank and the customer or as otherwise required by law. Customer data is routinely and frequently backed up and made available to the respective customer on demand.
Accountability
- Audit Logging: HackerRank maintains an audit log tab within our services, which immutably records all CRUD operations on the customer account, with details including name, email, timestamp, IP address, and the action performed. Logging and monitoring are enabled within the HackerRank infrastructure to support event/incident investigation.