Security
Audits
We contract with independent specialist security companies to conduct 3rd party audits and penetration tests to improve security controls and processes.
Our service was last audited in Nov, 2023
For security reasons, each audit is not publicly accessible however, an assessment is available upon request.
Security assessments commissioned by clients are permitted, however, due to the different types of security assessments, we would require a test plan and scope before approving.
Training
We provide security training to all staff, contractors and other people working on behalf of to help them understand their responsibilities when handling data.
Information Security Policy
Our information security policy is continuously reviewed and approved by executive management.
The information protection policy contains confidential data, for this reason the document is not publicly accessible.
Security Updates
Security updates are applied to protect your data from known vulnerabilities.
Updates are tested in a separate test environment before release to assess compatibility.
Our software is periodically checked to ensure security updates are applied in a timely manner.
Further information can be found in our Updates Policy.
Access
Remote access to production application systems is only provided to our support and engineering teams.
Access is restricted by IP and valid login credentials are required.
Incidents
The Computer Security Incident Response Team (CSIRT) objective is to minimise and control the damage resulting from incidents, provide effective guidance for response and recovery activities, and work to prevent future incidents from happening.
In the event of a 'personal data breach', we will notify the ICO within 72 hours of becoming aware and anyone affected.
Physical Security
Our service is hosted in the cloud with Microsoft Azure between two data centres based in the UK, designed to run continuously and employs various measures to help protect operations from physical intrusion.
These data centres comply with industry standards such as ISO 27001.
Only authorised Microsoft personnel are allowed to access the data centres.
For a detailed list of all data centre security measures please see our Hosting Specification.
Firewalls
Physical and software firewalls are in place to control incoming and outgoing network traffic.
Antivirus
Antivirus software is installed to ensure any malicious files are removed when detected.
Virus definitions are automatically updated every 24 hours.
Scanning configuration:
- Files are scanned on access.
- Critical areas are scanned daily.
- Full scans run weekly.
Denial of Service (DoS) Attacks
Our environment has a defence system in place to block network attacks, including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services working with the network.Encryption
protects your data to help you to meet your organisational security and compliance commitments.
All data at rest is encrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
All data in transit (between the service and end user) is SHA256 - RSA encrypted.
Our encryption was last assessed in January, 2024. The assessment analyses the certificate, protocol support, key exchange and cipher strength. The overall rating was classified as grade A by Qualys, Inc.
Protocols and ciphers are continuously reviewed to ensure those with known vulnerabilities are removed from the environment.
The service can be configured to work with a custom domain. Since SSL is required to run the service securely, you'll also need an SSL certificate for your domain. For more information please contact sales@.
Encryption Key Management
All data is encrypted and managed with Microsoft-managed keys.
Key rotation responsibility and key control is managed by Microsoft.
Sessions
The application supports session timeout and the default timeout is 40 minutes.
The application manages sessions client and server side.
Single Sign-On (SSO)
SSO is supported and may be included in your package. If not please contact sales@
Personnel Screening
When working in a secure environment it's essential that professional integrity is not compromised by recruiting unsuitable personnel. We follow recommendations from The Home Office Baseline Personnel Security Screening (BPSS) standard for pre-employment screening.
Certification
are Cyber Essentials certified, a UK government-backed scheme managed by the National Cyber Security Centre and a part of GCHQ.
 |
Certificate number: 3e31e3e9-a608-4046-a89b-784fede929b2 |
We intend to become ISO/IEC 27001 Information Security Management System (ISMS) compliant as we continue to review our security procedures and best practices.