All data is encrypted in transit over HTTPS using the Transport Layer Security (TLS 1.2) protocol with a minimum key size of 128 bits and certificates signed with SHA-256, so our users always have a secure connection from their browsers to our service.
We use the latest strong ciphers for encryption, message authentication and key exchange.
In addition, user passwords are stored in our database via a one-way cryptographic hash function combined with a salt (random data). Passwords are never stored in plaintext, and the stored value cannot be reversed to recover the original password.
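To make the transport policy above concrete, here is an added example (not code from this service) showing how a client would enforce a TLS 1.2 floor, certificate verification and a 128-bit minimum cipher strength using Python's standard `ssl` module. The cipher string and the 128-bit threshold are assumptions chosen to match the stated policy, not values taken from the service's configuration.

```python
import ssl

# Policy minimum from the page: 128-bit keys (assumed as the check threshold).
MIN_KEY_BITS = 128


def make_client_context() -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.2 and verifies the server."""
    # create_default_context() enables chain validation and hostname checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 suites to AEAD ciphers with forward-secret (ECDHE) key
    # exchange; TLS 1.3 suites are configured separately by OpenSSL and are all AEAD.
    # This cipher string is an illustrative assumption, not the service's own setting.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_KEY_BITS) -> list:
    """Return the names of enabled suites whose key strength is below the policy minimum.

    An empty list means every negotiable suite satisfies the 128-bit requirement.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when version floor, certificate verification and cipher strength all comply."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and not weak_ciphers(ctx)
    )


if __name__ == "__main__":
    ctx = make_client_context()
    print("policy satisfied:", context_meets_policy(ctx))
    print("weak suites:", weak_ciphers(ctx))
```

The same checks can be run against an existing context (for example one pulled from an HTTP client library) to confirm a deployment actually matches the published policy rather than trusting the statement alone.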
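The salted one-way hashing described above, as an added example that is not the service's own code: it uses PBKDF2-HMAC-SHA256 from Python's standard library with a fresh random salt per password and a constant-time comparison on verification. The choice of PBKDF2, the iteration count and the record format are assumptions for illustration; the page does not state which hash function or parameters the service uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (the page names no specific function or cost).
ITERATIONS = 600_000   # work factor: slows offline guessing of a leaked hash
SALT_BYTES = 16        # random per-password salt defeats precomputed tables
DKLEN = 32             # 256-bit derived key
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'scheme$iterations$salt_hex$hash_hex'.

    Storing the parameters alongside the hash lets the work factor be raised
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed record: never authenticate on it
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_different_records(password: str) -> bool:
    """Show that the random salt makes two records for one password differ."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("wrong password", rec))
    print("salted:", same_password_different_records("hunter2"))
```

The record never contains the plaintext, and because each user gets an independent salt, two users with the same password produce unrelated stored values, so a leaked table cannot be attacked with one precomputed lookup.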
We run a continual patching cycle to ensure operating systems, applications and network infrastructure are kept up to date to mitigate any exposure to vulnerabilities.
The application runs inside a secured and hardened architecture environment, engineered for security to help minimize vulnerabilities according to industry standard guidelines.
Our application is penetration tested at least once a year by an independent, externally certified supplier. This testing combines the identification of technical exposure with business logic flaws that could lead to a breach of security. All testing is carried out by experienced testers, which ensures that the tester not only has the technical ability to find security weaknesses and vulnerabilities but also the skills to present findings in a clear, concise and understandable manner. Methodologies are based on industry-recognized standards such as, but not limited to, the Open Web Application Security Project (OWASP), ISECOM (the Institute for Security and Open Methodologies), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), and they combine manual testing with automated tooling to provide coverage.
Our staff are vetted prior to employment. Checks include Proof of Identity, Proof of Right to Work and Proof of Residency.
We also maintain a suite of internal information security policies, procedures and guidelines, including incident response plans, which all staff, contractors and third parties must follow. These are reviewed at least annually.
- Only employees with the necessary rights and roles have access to our underlying data. We use strong password policies managed through an enterprise password manager, coupled with two-factor authentication, where available.
- Customer data is accessed on an as-needed basis only, and only when approved by the customer (e.g. as part of a support incident) or by operational staff to provide necessary support and maintenance.
- Regular audits are performed and the whole process is reviewed by management to ensure only the right people have access to the necessary data and systems on an ongoing basis.