Hudl’s Approach to Security

Hudl follows a role-based access control (RBAC) scheme, supplemented by the principles of least privilege and need to know. User and group management is centralized using single sign-on where possible. Access to Hudl networks and systems is restricted to Hudl personnel through the use of unique user IDs, strong passwords, and multi-factor authentication.

Hudl requires authentication for access to all Hudl resources, except for those intended to be public. By default, customers are required to utilize a unique email address and strong password. Upon request, Hudl can provide additional security options—such as multi-factor authentication or federated single sign-on—for customers that wish to enhance the security around their accounts. Authentication credentials for Hudl services are encrypted in transit, and passwords are salted and hashed using industry standard techniques. 

Hudl’s infrastructure is designed to minimize service interruption due to hardware failure, natural disasters or other catastrophes. Hudl maintains business continuity processes including, but not limited to:

• Dynamic rerouting of traffic and load balancing to minimize potential downtimes. 
• Conducting periodic failover and load tests to validate recovery capabilities.
• Maintaining multiple availability zones to provide redundancy in operations.
• Replicating data across multiple data centers to ensure availability.
• Conducting daily and weekly backups, which are tested regularly. 

These processes are designed to minimize the impact of potential threats to business operations. If an outage occurs, Hudl customers can view updates at https://status.hudl.com.

Due to the nature of a SaaS product and supporting environment, Hudl treats all customer data as sensitive information. Therefore, all data that is processed by, transmitted to or from, and stored within Hudl services is encrypted using the latest industry standards. 

Data stored within Hudl services is only accessible by authorized users, unless it has been made public by a customer. Hudl retains customer data until the data is deleted by the customer using the Hudl services or, if the customer is unable to do so on their own, the customer requests such data be deleted. Upon request, Hudl will securely erase or destroy all media that contains customer data using industry-standard procedures, such as NIST SP 800-88.

Hudl employs a defense-in-depth strategy for endpoint security that’s designed to block access to known malicious sites and applications, as well as monitor for indicators of compromise. All endpoints are: 

• Centrally managed and configured through mobile device management to ensure compliance with established baseline configurations. 
• Configured with full-disk encryption and have an anti-malware endpoint detection and response solution installed.

Hudl has implemented formal processes for monitoring the security and availability of its services. All systems generate security and operational logs, which are forwarded to a centralized logging system and monitored for anomalous activity. Alerts are configured to notify appropriate teams to take action according to standard procedures. 

In the event of a suspected incident and reasonably suspected breach, Hudl will use commercially reasonable efforts to contain, mitigate and resolve the incident, then put in place additional controls to prevent further incidents of a similar type. Hudl will notify customers without undue delay (typically within 72 hours or sooner), once an incident has been confirmed.

Hudl employs a defense-in-depth, zero-trust aligned strategy for network security that includes: 

• Utilizing host-based and web application firewalls to filter incoming and outgoing traffic.
• Segregating development, test and production environments to eliminate various security risks.
• Implementing access control lists and security groups between virtual private clouds (VPC) to allow specific connections and deny-by-default.

Hudl’s follows an Agile Scrum software development lifecycle (SDLC), which enables continuous monitoring and improvements for Hudl services using applicable OWASP standards. Our SDLC includes the following activities intended to foster security: 

• Defining security requirements early in the development cycle.
• Conducting design reviews to identify potential risks.
• Conducting threat modeling and analysis to identify and address potential vulnerabilities and risks.
• Peer reviewing and testing code prior to production merges.
• Utilizing static and dynamic application security testing (S/DAST) tools to identify vulnerabilities. 
• Scanning build artifacts and third-party libraries or dependencies for known vulnerabilities.