Compliance & Data Privacy | Honeycomb

Compliance & Data Privacy

Honeycomb is committed to maintaining best practices for ensuring security, availability, and confidentiality, so we maintain and meet the requirements for multiple compliance frameworks and certifications.

Our product and services are vetted by independent security professionals, and we give our customers the right to audit. To learn more, visit our Terms of Service on honeycomb.io. For enterprise customers, we also provide audit logging, which allows you to see who or what caused changes to specific resource configurations.

To view a full list of certifications and compliance, visit Application & Data Security at honeycomb.io.

Regulatory Frameworks 

Honeycomb complies with various regulatory frameworks that exist on national and international levels.

GDPR 

Honeycomb is GDPR compliant, and we offer a standard data processing agreement through our Terms of Service. For enterprise customers who have compliance requirements under GDPR, we will also enter into a more comprehensive data processing agreement.

Customers may choose a US-based or an EU-based location where Honeycomb will store the data they send. The US location is served at https://ui.honeycomb.io (UI) and https://api.honeycomb.io (API); the EU location is served at https://ui.eu1.honeycomb.io (UI) and https://api.eu1.honeycomb.io (API). Point your SDKs or OpenTelemetry Collector at the API endpoint that matches the location you chose, since the endpoint determines where the telemetry is stored.

Honeycomb has access only to the telemetry data that customers send, so anything you keep out of your telemetry never reaches Honeycomb. To learn how to avoid sending PII via OpenTelemetry, visit Scrubbing Sensitive Information. To learn how to mask PII using the OpenTelemetry Collector, visit Securing the OpenTelemetry Collector.

If you would like to learn more about what type of data we collect, why we collect data, and how we use the data we collect, visit the Honeycomb Privacy Policy on honeycomb.io.

To learn about our subprocessors, visit Honeycomb Subprocessors on honeycomb.io.

To make a GDPR rights request, email support@honeycomb.io.

To learn more about GDPR, visit General Data Protection Regulation on gdpr-info.eu.

HIPAA/HITECH 

As defined by the US HIPAA and HITECH legislation, Honeycomb is considered a Business Associate. We will sign a Business Associate Agreement (BAA) with Pro/Enterprise customers who have compliance requirements under HIPAA/HITECH.

Honeycomb security controls are designed with customers handling sensitive data such as PHI in mind. To reduce the amount of PHI transferred, we also strongly encourage customers to replace names and email addresses with an opaque external ID before the data leaves their environment, keeping any mapping back to the real identity in their own systems.
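One way to do the replacement described above, as an added example that is not Honeycomb's code and not part of this page: a keyed, deterministic pseudonymization of identifying span attributes before export. The attribute names (`user.email`, `patient.name`, and so on), the `ext-` prefix, the 12-byte truncation and the sample span are all assumptions made for the example. The key is an HMAC secret that must stay in your environment (for instance in a secrets manager); it is never sent as telemetry.

```python
"""Keyed pseudonymization of identifying attributes before telemetry export.

Example code (not Honeycomb's). Same input under the same key yields the same
external ID, so events for one user still correlate, but without the key the
mapping cannot be recomputed by guessing plausible names or addresses, which
a plain unkeyed hash of an email would allow.
"""
import hashlib
import hmac
import re
from typing import Any, Dict, FrozenSet

# Assumed attribute keys that hold direct identifiers (adjust to your schema).
PII_KEYS: FrozenSet[str] = frozenset(
    {"user.name", "user.email", "enduser.id", "patient.name"}
)

# Catches email addresses embedded in free-text fields such as error messages.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(value: str, key: bytes) -> str:
    """Return an opaque external ID for `value` under `key`.

    Input is normalized (trimmed, lower-cased) so "Alice@Example.com" and
    "alice@example.com" map to the same ID. HMAC-SHA256 truncated to 12 bytes
    (assumed length) keeps the ID short while leaving collisions negligible.
    """
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).digest()
    return "ext-" + digest[:12].hex()


def scrub_attributes(
    attrs: Dict[str, Any], key: bytes, pii_keys: FrozenSet[str] = PII_KEYS
) -> Dict[str, Any]:
    """Return a copy of `attrs` with identifiers replaced by pseudonyms.

    Known identifier keys are replaced wholesale; any other string value has
    embedded email addresses replaced in place. Non-string values are kept.
    """
    out: Dict[str, Any] = {}
    for k, v in attrs.items():
        if k in pii_keys:
            out[k] = pseudonymize(str(v), key)
        elif isinstance(v, str) and EMAIL_RE.search(v):
            out[k] = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), v)
        else:
            out[k] = v
    return out


if __name__ == "__main__":
    # Constructed key and span for the demonstration; load the real key from a
    # secrets manager and never put it in an attribute.
    demo_key = b"replace-me-with-a-secret-from-your-vault"
    span = {
        "name": "GET /patients/{id}",
        "http.status_code": 200,
        "user.email": "Alice@Example.com",
        "patient.name": "Bob Jones",
        "error.message": "lookup failed for alice@example.com after 120ms",
    }
    for attr, val in scrub_attributes(span, demo_key).items():
        print(f"{attr} = {val!r}")
```

Apply this in your own process, for example in an OpenTelemetry SpanProcessor or as a Collector transform, so the raw identifier is gone before the exporter runs; do the same normalization everywhere or the same person will get different IDs from different services.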

To learn more about HIPAA, visit Health Information Privacy on hhs.gov. To learn more about HITECH, visit HITECH Act Enforcement Final Rules on hhs.gov.

PCI DSS 

Although Honeycomb as a service is not intended to process payment card information for customers, we use a well-known payment processor and complete a Self Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) biannually.

Compliance Frameworks 

Honeycomb voluntarily conforms to additional compliance frameworks to ensure we evolve robust processes and establish a strong security posture.

SOC 2 Type II 

Every year, Honeycomb undergoes an independent audit for our SOC 2 Type II report, which verifies our consistent application of the AICPA Trust Services Criteria over the audit period. We can provide a copy of our SOC 2 report upon request to customers who have agreed to our Terms of Service.

As part of our SOC 2 program, we regularly undergo penetration testing by an independent security firm and can provide a summary to customers as required.

To learn more about SOC 2 Type II, visit SOC 2® - SOC for Service Organizations: Trust Services Criteria on aicpa-cima.com.

CSA STAR Level 1 

Honeycomb completes a CSA Consensus Assessments Initiative Questionnaire (CAIQ) annually and can provide a copy of our CAIQ to Pro/Enterprise users upon request.

To learn more about CSA Star, visit Security, Trust, Assurance and Risk (STAR) at cloudsecurityalliance.org.

ISO/IEC 27001 

Honeycomb provides its services in ISO/IEC 27001 certified environments, including Amazon Web Services (AWS) and Google Cloud Platform (GCP); the certifications referenced here are those of the hosting providers. Honeycomb reviews AWS and GCP on an annual basis to confirm their ongoing adherence to ISO/IEC 27001 controls. To see details of AWS's ISO/IEC 27001 certification, visit ISO/IEC 27001:2013 on aws.amazon.com. To see details about GCP's ISO/IEC 27001 certification, visit ISO/IEC 27001 at cloud.google.com.

To learn more about ISO 27001, visit ISO/IEC 27001 on iso.org.

Amazon Web Services (AWS) Foundational Technical Review 

As an Amazon Web Services (AWS) Partner, Honeycomb conducts a self-service Foundational Technical Review every two years to confirm that our product follows AWS best practices for security, reliability, and operational excellence and to reduce risks in those areas.