Data Security

“The service meets a high level of security, and the transparency and engagement you have shown has been excellent.”

Graham Thomson, Chief Information Security Officer of Irwin Mitchell LLP recently reviewed the Platform’s security arrangements

The security and protection of clients’ data is our greatest priority.

For obvious reasons a detailed explanation of the security measures in place cannot be provided in order to protect the integrity of the data centre’s security.

In summary the following are covered by our security technologies and controls:

• Data encryption
• Network encryption
• Security information and asset management
• Trained cloud security professionals
• Instrusion detection and prevention
• Vulnerability assessment

Within these fields of activity we strive to protect our users' data as descibed in more detail below.

The General Data Protection Regulation (GDPR)

Together with colleagues in our partner organisations we have achieved compliance with the Data Protection Act, 2018 and the GDPR.

Our compliance actions are constantly evolving as we respond to developments in the regulatory environment and ever changing cyber threats.

It is important for users to recognise, accept and actively play their part in ensuring the data uploaded is as secure as, working together, we can make it.

Password safety

We urge our clients not to use the same password in multiple contexts as this will reduce the security of the data. We also ask them not to email passwords.

Passwords should be strong in formation i.e. at least 7 characters comprising a mixture of upper case and lower case letters, symbols and numbers.

Access to the platform is via a two stage gateway involving user name and password is required.

Some information about our data centre

1. The centre’s servers are regularly updated with security patches and fixes.
2. The Platform itself is written in terms that follow best practice for validating user input and protecting the database.
3. The servers sit behind firewalls and intrusion prevention systems which protect from internet based perimeter attacks.
4. The security of the Platform is under constant review in the light of reported hacks of well- known organisations.
5. No payment details are stored on the Platform.
6. Passwords are kept in an encrypted form on the database.
7. All data sent to and from the Platform including log on details are sent via SSL (encryption).
8. On site staffing 24 hours a day.
9. Multi-layered physical security including:
1. CCTV and recording
2. Data centres located in South East England enable site resilience for core services
3. All backup data is transmitted between the data centres’ sites via a military grade (AES-256) encryption key. It is then stored in UK data centres with this encryption. Environmental controls
4. Power resilience using multiple connections to the National Grid
5. Non-redundant capacity components (single up-link and servers) physically available on site.
6. Redundant capacity components physically available on site.
7. The centres are equipped with on-site generators with UPS and battery systems for transparent fail-over.
8. Fire threat detection and suppression.
9. Water leak detection
10. Multiple up-links in place.
11. All components are fully fault-tolerant including the up-links, storage facilities, chillers, HVAC systems and servers.

We host at Tier 3 data centres which meet the following standards: ISO 9001 and PCI DSS 3.0.

These measures enable the data centre to guarantee the availability of data from the hardware for 99.982% of operational time.

Encryption

Unlike other e-mail systems such as Outlook, any emails sent via our platform use 3DES encryption as a minimum together with additional encryption measures making web communications and their attachments secure.