Security & Privacy

All data stored on Harvest and Forecast is safe, secure, and reliable. For us, it’s the only way to do business.

1. We keep your data safe

All Harvest and Forecast accounts use SSL-encrypted connections by default—the same level of security used by online banks. You never send or receive sensitive information in plaintext. Additionally, industry-standard physical and remote security is administered at datacenter facilities.

2. Our focus is your privacy

Harvest cares deeply about protecting the privacy of the data entrusted to us by our customers. This is one of the core values at the heart of our business. Please review our Privacy Policy for specific details.

3. How we stay reliable

Harvest achieves an average 99.9% uptime. All data is protected by hardware RAID over multiple data storage units. Critical servers have redundant power supplies, and components are deployed in (at least) redundant pairs. Any system-related issues are reported and updated in real time at HarvestStatus.com.

4. Our Data Retention policy

We take our role as custodian of your data extremely seriously. Backups occur multiple times a day and are replicated to at least 2 physical data centers. Upon deletion, we delete customer data immediately from our databases. Database backups are retained for 180 days and application logs (for assisting Harvest Support cases) are retained for 90 days. Customers’ activity logs are stored for 1 year.

5. Our industry-standard security practices

Harvest systems and processes adhere to industry best practices in security. All our inter-server and inter-data center communications are encrypted. Access to servers and customer data is strictly controlled, and we keep an immutable audit trail for support-related data access. Learn more about how Harvest ensures the security of your data in our Security FAQ.

PCI-compliance

Harvest has a PCI-DSS Merchant Certificate, although we don’t store any payment info.

SOC 2

We rely on our server host’s audit, and they are SOC 2 certified.

Business Continuity Plan

We maintain a business continuity plan and a disaster recovery plan. Those documents are reviewed annually or if major changes occur within the business.

Incident Report Plan

We maintain a security incident response plan to provide a framework to ensure that potential computer security incidents are managed in an effective and consistent manner. This document is reviewed at least annually.

GDPR

We’re committed to our customers’ privacy. As a SaaS platform, we offer a number of tools that may assist our customers in meeting their obligations under the new GDPR regulations:

  • As we always have, we allow customers to access and modify personal information in their accounts, which helps them address data subject access or correction requests they may receive.
  • We allow customers to download the data from their account at any time during or at the end of their use of our services.
  • Our Privacy Policy gives customers information about how we collect, use, and protect information, which they can refer to in providing notice to their end users.
  • We offer a data processing agreement (DPA) which aims to help our customers meet their obligations under GDPR.

6. Our responsible security disclosure

Harvest maintains an active public program on HackerOne. We encourage all security reports to be made via our program on HackerOne. Alternatively, email a complete description of the issue to security@getharvest.com, including code samples and as much detail as possible.