Tools

Our Online Environment

Human Made has a boatload of online resources and tools that we use to manage the company and do our work.

This document is a living description and overview of our online environment, how we’ve configured these tools for security, and how they’re used. Keep in mind that these tools contain various levels of sensitive information that we shouldn’t leak outside of the company; our data inventory contains a full list of these services and their data classification as well.

This document only covers our online tools; for device based security, consult the security policy instead.

General security rules

Unless otherwise noted, we implement single sign-on (SSO) on these tools, so you can log in with your HM Google account.

The services that we don’t use SSO on have their own security rules implemented, and are monitored by the people team for onboarding and offboarding. The authoritative list of these is in the data inventory.

Generally, these tools do not require the use of the VPN, as they’re all secured by TLS and user-based authentication. Per our secure engineering policy, no tools assume that you are “inside” the network based on IP alone.

Permissions across all tools implement role-based access controls, and the scope for these is outlined in the data inventory.

Discussions live on H2 and Slack

Our main communication tools day-to-day are Slack (for instant communication) and H2s (for larger discussions).

Both Slack and H2 support SSO as well as username/password accounts for HM addresses.

H2 is a system we’ve built and host on Altis (which we run), and we follow the secure engineering policy for all of these systems. Altis is pen-tested annually.

Emails, meetings, and documents live in Google Workspace

We use Google Workspace for our emails, meetings, documents, and as our SSO provider.

Google Workspace enforces the use of MFA for all accounts, and users are onboarded by the people team.

Documents we create and work with generally live in our Google Drive. Data classification and restriction here is on a per-drive basis as documented in the handbook page.

Meetings and calls happen on Google Meet, Slack, and Zoom

For video and audio calls, we use Google Meet, Slack Huddles, and Zoom. (We’re phasing out our usage of Zoom.)

Google Meet is managed through our Google Workspace account. Slack Huddles are managed through our Slack account.

Passwords are stored in 1Password

We provide 1Password accounts for every user, although we use SSO for services where we can.

Users have their own accounts for 1Password, but we enforce the use of MFA (secret key + password). Users are added to the Company vault as well as any relevant team-based vaults.

Each user is responsible for their own usernames and passwords within their 1Password private vault.

Development happens on GitHub and Jira, mostly

For engineers, most of their development work will take place on GitHub, using repos under either the humanmade organisation or customer organisations. During onboarding, we add users to our GitHub organisation, which requires the use of MFA on their accounts.

Issues related to projects live either on GitHub or in Jira, again using either our organisation or customers’. Both contain a mixture of our own internal data and customer data, depending on the specific project. (We also occasionally use ZenHub, which integrates with the GitHub authentication.)

GitHub only supports SSO on Enterprise accounts, so we don’t use this; we instead enforce the MFA policy through our regular organisational controls.

Users can log in to Jira via SSO or their own Jira specific username and password.

Engineers may also work on projects provided by customers in tools including GitHub, Bitbucket, Jira, and other customer-supplied tools. As the data within these tools is owned by customers, the responsibility for data security lives with them.

Employee data lives in Bob and Culture Amp

Across the company, we record data about employees in Bob, our HR system. This is generally Restricted data, since it’s about our people, and contains things like passport and employment information.

Team-specific tools

Each team will have its own team-specific tools as well. Consult your team directly about these.

Team-managed tools must follow the Tools and Services Policy, particularly for onboarding and offboarding.

We use Cledara to manage other tools, which can be accessed via SSO. See the detailed documentation for more information.