Platform
We used Google Cloud with our servers based in the UK as standard. We are able to store data in other countries on request and even offer custom managed servers for just your organisation at extra cost.
Access
Access is recorded through access tokens.
Passwords are 8 alpha numeric chars. 30-50 bits of entropy.
Encrypted with a salt using a one way hash, that is also then encrypted at rest.
We support SSO as a no cost option for managed clients and highly recommend this for additional security and ease of access.
Backups
Our servers are backedup daily, these are encrypted using AES-256 with symmetric keys
Encryption and segregation
All data is encrypted in transit and at rest, can’t be access or viewed by anyone internally or externally without login access.
Platform is segregated by organisation, using unique IDs per org that are never exposed.
Fully separate, custom servers are available at extra cost.
Testing
We use three levels of testing: Unit, feature and system testing (E2E).
There is 3 stage continuous integration pipeline where individual branches are tested in isolation. Then peer reviewed, merged in to Dev pipeline. Reviewed by product owners then released in to production environment.
At all 3 stages before any deployment or merge all automated tests are executed.
Any failures result in pipeline terminating and previous state restored.
Incident management
We have never had an incident but our incident response and management policy is one of total transparency and a commitment of securing any breach and alerting customers of any incidents within 24 hours.
If needed we would back up and shut the platform down rather than risk any further breach.
PCI data
We do not handle any PCI or payment related data except for how much and when moneys are due or via invoicing - Our online payments are achieved through a Stripe integration.
GDPR
We only handle the minimum of client data for our own purposes.
This includes contact name, email and company address.
Any customer feedback is kept within our own secure platform and anonymised.Our licence includes a mutual NDA meaning that our clients can talk to us or share data of a confidential nature and be assured that we will handle that in the upmost confidence.
Sub-processing and sharing data
We do not record or share information with any third party. As part of our terms of service we ask customers not to record confidential personal data on our platform:
1.8 The Company undertakes that it will not upload any content or data to the Platform comprising “personal data” (as defined in article 4(1) of Regulation (EU) 2016/679 (the General Data Protection Regulation)) such that the Company would be rendered a processor as defined under such legislation.
