Security & Privacy in Herd

At Herd, we take security and privacy seriously. This guide outlines the security features built into the platform and the privacy measures we take to protect your data.

Security Architecture

Herd is built with security at its core:

End-to-End Encryption

All communication between your browsers and the Herd platform is encrypted end-to-end:

  • Transport Layer Security (TLS): All API requests and responses use TLS 1.3.
  • WebRTC Encryption: Remote control sessions use WebRTC with DTLS-SRTP encryption.
  • Secure WebSockets: Real-time communication uses encrypted WebSocket connections.
  • NATS: All communication between your browser and the code you run is encrypted end-to-end using a NATS-based PKI. We do not intercept or inspect the content of the communication.

Authentication & Authorization

Multiple layers of security protect access to your account and devices:

  • Multi-factor Authentication: Optional 2FA for account access
  • Device Registration Codes: One-time codes for connecting browsers
  • Session Management: Automatic timeouts and the ability to revoke sessions
  • Role-Based Access Control: Granular permissions for team members

Infrastructure Security

Our platform infrastructure implements industry best practices:

  • Regular Security Audits: Third-party security audits of our systems
  • Vulnerability Scanning: Continuous monitoring for vulnerabilities
  • Secure Development: Strict coding practices and security reviews
  • Cloud Security: Leveraging secure cloud infrastructure with isolation between customers

Privacy Features

Herd includes several features to protect your privacy:

Data Minimization

We only collect the data necessary for the platform to function:

  • Selective Access: You control which browsers are connected and which data is shared
  • No Unnecessary Telemetry: Limited data collection focused on service performance
  • Automatic Data Expiry: Logs and temporary data are automatically purged after set periods

User Control

You maintain control over your data and connections:

  • Connection Visibility: Clear indicators when a browser is being monitored or controlled
  • Permission Prompts: Optional prompts before remote control is initiated
  • Incognito Mode Handling: Special handling of private browsing sessions
  • Activity Logs: Transparent logs of all remote control activities

Compliance Features

For organizations with specific compliance requirements:

  • Data Residency Options: Select where your data is stored (Enterprise plan)
  • Compliance Reporting: Generate reports for audit purposes
  • Custom Retention Policies: Set data retention periods to match your policies
  • Privacy Mode: Additional restrictions for sensitive environments

Security Best Practices

To maximize security when using Herd:

Account Security

  • Use strong, unique passwords for your Herd account
  • Enable two-factor authentication
  • Regularly review active sessions and revoke any suspicious ones
  • Limit account access to necessary team members only

Device Security

  • Register devices with descriptive names for easy identification
  • Regularly review connected devices and remove unused ones
  • Use device tagging to organize and manage access
  • Consider network-level restrictions for sensitive devices

Remote Control Security

  • Always end remote control sessions when not in use
  • Use view-only mode when full control isn’t necessary
  • Be cautious about what information is visible during remote sessions
  • Consider scheduling remote sessions in advance when possible

Privacy Policy

Herd’s formal privacy policy can be found at monitoro.co/privacy. Key points include:

  • We do not sell your data to third parties
  • We only process your data to provide the Herd service
  • You retain ownership of all content viewed or managed through Herd
  • We implement strong security measures to protect your data
  • We are transparent about any data breaches or security incidents

Security Updates

We continuously improve our security and privacy features:

  • Security updates are automatically applied to the platform
  • Extension updates are released regularly with security improvements
  • Follow our blog for detailed information on security enhancements

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  1. Email security@herd.garden with details of the vulnerability
  2. Include steps to reproduce if possible
  3. Allow time for us to address the issue before public disclosure

Note: Unfortunately, we do not offer a bug bounty program, as we are a small team and our resources are limited. We do appreciate your responsible disclosure and your help in keeping the internet a safer place.

Last updated: 3/31/2025