Security

Audits

We engage independent specialist security companies to conduct third-party audits and penetration tests, and use their findings to improve our security controls and processes.

For security reasons the individual audit reports are not publicly accessible; however, an assessment is available on request.

Security assessments commissioned by clients are permitted; however, because there are many different types of security assessment, we require a test plan and scope before approving one. Testing of the hosted platform must also stay within Microsoft Azure's penetration testing rules of engagement.

Training

We provide security training to all staff, contractors and other people working on our behalf, to help them understand their responsibilities when handling data.

Information Security Policy

Our information security policy is regularly reviewed, and is approved by executive management.

Because the policy contains confidential information, the document itself is not publicly accessible.

Security Updates

Security updates are applied to protect your data from known vulnerabilities.

Updates are tested in a separate test environment before release to assess compatibility.

Our software is periodically checked to confirm that security updates have been applied in a timely manner.

Further information can be found in our Updates Policy.

Access

Remote access to production application systems is only provided to our support and engineering teams.

Access is restricted by source IP address, and valid login credentials are required.

Incidents

The objective of our Computer Security Incident Response Team (CSIRT) is to minimise and control the damage resulting from incidents, to provide effective guidance for response and recovery activities, and to prevent future incidents from happening.

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required under UK GDPR, and will also notify anyone affected.

Physical Security

Our service is hosted on Microsoft Azure across two data centres located in the UK. The data centres are designed to run continuously and employ a range of measures to protect operations from physical intrusion.

These data centres comply with industry standards such as ISO/IEC 27001.

Only authorised Microsoft personnel are allowed to access the data centres.

For a detailed list of all data centre security measures please see our Hosting Specification.

Firewalls

Physical and software firewalls are in place to control incoming and outgoing network traffic.

Antivirus

Antivirus software is installed and removes malicious files when they are detected.

Virus definitions are automatically updated every 24 hours.

Scanning configuration:

Denial of Service (DoS) Attacks

Our environment has a network defence system in place to block network attacks, including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions against the programs and services that use the network.

Encryption

Our service protects your data to help you meet your organisational security and compliance commitments.

All data at rest is encrypted with AES using 256-bit keys (AES-256), one of the strongest block ciphers available, in a FIPS 140-2 compliant implementation.

All data in transit between the service and the end user is protected by TLS. The service's certificate is signed using SHA-256 with RSA (the signature algorithm identifies the certificate, not the cipher that encrypts the session).

Our TLS configuration was last assessed in November 2019 using the Qualys SSL Labs test, which analyses the certificate, protocol support, key exchange and cipher strength. The overall rating was grade A.

Protocols and cipher suites are reviewed on an ongoing basis so that any with known vulnerabilities are removed from the environment.
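The kind of check that review implies, written here as an added example rather than the service's own tooling: it classifies OpenSSL-style cipher suite names (as reported by a scanner, or as offered by a local `ssl` context) into weak, legacy and acceptable, and builds a server context that refuses TLS 1.0/1.1 and any non-AEAD or non-forward-secret suite. The cipher string, the marker list and the sample scan output are assumptions chosen for illustration, not the service's configuration.

```python
"""Offline policy check for a TLS configuration: flag cipher suites with known
weaknesses and confirm the minimum protocol version. Example code, not part of
the service described on this page."""
import ssl

# Substrings that mark a suite as broken or export-grade: RC4, DES/3DES, NULL
# encryption or authentication, export suites, MD5 MACs and anonymous key exchange.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def assess_cipher(name: str) -> str:
    """Classify an OpenSSL-style suite name as 'weak', 'legacy' or 'ok'."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if upper.startswith("TLS_"):
        return "ok"            # TLS 1.3 suites: AEAD only, always forward secret
    if not upper.startswith(("ECDHE-", "DHE-")):
        return "legacy"        # static RSA key exchange, no forward secrecy
    if upper.endswith("-SHA"):
        return "legacy"        # CBC mode with a SHA-1 MAC
    return "ok"


def classify(names) -> dict:
    """Group suite names by verdict, preserving their order."""
    report = {"weak": [], "legacy": [], "ok": []}
    for name in names:
        report[assess_cipher(name)].append(name)
    return report


def hardened_server_context() -> ssl.SSLContext:
    """A server context that refuses TLS 1.0/1.1 and non-AEAD, non-PFS suites.
    The cipher string is an assumed policy, not the page's configuration."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the minimum protocol and a verdict on every suite the context offers."""
    report = classify(cipher["name"] for cipher in ctx.get_ciphers())
    report["min_version"] = ctx.minimum_version.name
    return report


# Constructed example of what an external scanner might report a server as accepting.
SAMPLE_SCAN_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    print("scan report:", classify(SAMPLE_SCAN_CIPHERS))
    print("hardened context:", audit_context(hardened_server_context()))
```

Run against the constructed scan list, `classify` flags `DES-CBC3-SHA` and `RC4-MD5` as weak and the two `-SHA` CBC suites as legacy; the hardened context offers only AEAD, forward-secret suites (plus the TLS 1.3 suites OpenSSL always enables) with TLS 1.2 as the floor, which is the state an SSL Labs grade A depends on.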

The service can be configured to work with a custom domain. Because TLS is required to run the service securely, you will also need a TLS (SSL) certificate for that domain. For more information please contact [email protected].

Encryption Key Management

All data is encrypted with Microsoft-managed keys.

Key rotation and key control are handled by Microsoft.

Sessions

The application supports session timeout; the default timeout is 40 minutes.

Sessions are managed on both the client and the server side.
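To show what server-side session management with an idle timeout looks like in practice, here is an added example (not the application's own code). It keeps a sliding 40-minute idle window as the page states, and additionally assumes an 8-hour absolute cap, which the page does not mention; the point is that the server decides whether a session is live, regardless of any expiry the client's cookie claims.

```python
"""Server-side session store with a sliding idle timeout and an absolute cap.
Example code, not the application's implementation."""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 40 * 60        # 40 minutes of inactivity, matching the page's default
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed hard cap; not stated on the page


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT,
                 clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock   # injectable so expiry can be tested without waiting

    def create(self, user: str) -> str:
        """Start a session and return its identifier (256 bits of entropy)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def get(self, sid: str):
        """Return the session if it is still live, otherwise evict it and return None.
        The check happens here, server side; a cookie's Max-Age is only a hint."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session.last_seen
        age = now - session.created
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[sid]
            return None
        session.last_seen = now   # activity slides the idle window forward
        return session

    def destroy(self, sid: str) -> None:
        """Explicit logout: forget the session immediately."""
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Walk a manual clock through the timeout cases and report what happened."""
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])

    sid = store.create("alice")
    clock[0] = 39 * 60                      # 39 minutes idle: still inside the window
    alive_at_39_min = store.get(sid) is not None
    clock[0] += 41 * 60                     # 41 minutes since last activity: expired
    alive_after_41_idle = store.get(sid) is not None

    sid2 = store.create("bob")
    start = clock[0]
    for minutes in range(30, 8 * 60, 30):   # regular activity keeps the idle window open
        clock[0] = start + minutes * 60
        store.get(sid2)
    clock[0] = start + 8 * 3600 + 1         # but the absolute cap still ends it
    alive_after_absolute = store.get(sid2) is not None

    return {
        "alive_at_39_min": alive_at_39_min,
        "alive_after_41_idle": alive_after_41_idle,
        "alive_after_absolute": alive_after_absolute,
    }


if __name__ == "__main__":
    print(demo())
```

A session that is used at minute 39 survives, one left idle for 41 minutes is evicted on its next use, and a session kept active every 30 minutes still ends when the assumed absolute cap is reached. The same store must also be consulted on every authenticated request; a client-side timer alone can be disabled by whoever holds the cookie.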

Single Sign-On (SSO)

SSO is supported and may be included in your package. If it is not, please contact [email protected].

Personnel Screening

When working in a secure environment it is essential that professional integrity is not compromised by recruiting unsuitable personnel. We follow the recommendations of the UK government's Baseline Personnel Security Standard (BPSS) for pre-employment screening.

Certification

We are Cyber Essentials certified. Cyber Essentials is a UK government-backed scheme run by the National Cyber Security Centre (NCSC), which is part of GCHQ.

Certificate number: IASME-CE-005986
Date issued: 05/10/2020

We intend to achieve ISO/IEC 27001 Information Security Management System (ISMS) compliance as we continue to review our security procedures and best practices.