Application security features
- Invitation only access - Membership is by invitation only, and all distributed invitations expire.
- Password policy - Can be defined by the client, including length, expiry and permitted characters.
- A one-way (hashing) algorithm is used, and passwords are stored as a salted hash.
- All access and every action in the system is logged, and brute-force attack prevention is in place.
- Any data gathering is under the control of the user and happens only with their express consent.
- The system uses secure, domain-scoped session cookies containing a session ID only; no user-identifiable information is stored in that cookie.
Operational security features
- Client data is hosted in an ISO 27001 certified data centre - currently Rackspace UK in Hayes, London
- The data centre facilities are protected with a redundant pair of dedicated firewalls, building a DMZ to separate Web-accessible Servers from the Database Servers.
- Access to our SaaS is encrypted and authenticated by an SSL 3.0 128-bit certificate. HTTPS is enforced, and any HTTP request is redirected to HTTPS before processing.
- All passwords are stored encrypted. The entire database can be encrypted on demand using AES-128, AES-192, AES-256 or Triple DES encryption.
- Security testing - We have regular penetration tests on our hosted infrastructure.
- Restore/Backup Policy - Daily incremental backups are made on-site. A full backup is made every Friday at 01:00. Bi-weekly full backups of clients' data are taken off-site. Backups are encrypted using AES encryption.