Certifications and Compliance
We conform to NCSC C.E. requirements and our datacentres meet industry standards for information management systems and physical security.
This certification is filled annually for review and covers the following broad topics and is a basic requirement for obtaining UK government contracts.
- Firewalls
- Secure configuration
- Encryption policy
- Enforcing security policy
- User access control
- Principle of least privilege
- Password policy
- Physical security
- Malware protection
- Security update management
- Data logging and backup
Our security policies are designed to meet or exceed the requirements of the above data privacy laws and should be read in conjunction with our other privacy and data retention documents.
Suppliers are vetted to ensure they offer suitable levels of security.
The company is based and registered in the UK, England, and is therefore legally required to implement the data protections for all users globally, not simply those within the UK/EU/California.
Core security
The most commonly requested information
Our primary and standby data centres (where our web application and database servers operate) are located in different parts of the United Kingdom.
All data centres will have the appropriate certifications including ISO 27001:2013, and provide physical security barriers, 24/7 security, access cards, and CCTV. Both have Backup generators and backup cooling. Other cloud services we use will meet these specifications (SOC type I/II is also acceptable).
We use only strong encryption (minimum of TLS 1.2+, AES 128+) when transmitting data. Bitlocker (encryption at rest) is enforced by MDM policy for staff devices and flash drives.
Any sensitive data transferred from production servers for backup purposes will be encrypted before transfer as an additional security measure.
Our servers and office network is protected by Next Generation (NG) firewalls and enterprise-grade malware/security suites. NG firewalls include Deep Packet Inspection capabilities that allow us to detect and block malicious behaviours in the traffic which might be caused by malware or strange device activity such as attempts to contact Russian/Chinese servers, P2P connections, and more.
As expected all devices have antivirus/anti-malware installed.
Business continuity
In 2021 our primary datacentre (OVH) burnt to the ground after a backup generator exploded incinerating our equipment. This followed the New York floods a few years prior which also destroyed everything.
Neither event significantly affected our customers, as like Homer Simpson, we always have an emergency plan B (a spare datacentre, not Alaska.)
A second hot-standby server is running 24/7, not just in a different data centre, but supplied by under an entirely different provider to ensure there is always a rapid alternative in the event of a fire, flood, data centre insolvency, or cloud provider major outage.
We take incremental database backups every 15 mins which are pre-encrypted and shipped to Amazon AWS in Ireland for storage. We automatically restore these backups to verify that they will work when needed – an important and often forgotten step!
We use Cloudflare’s commercial offerings to protect our servers against the largest DDOS attacks.
We have no debt and have traded profitably every year since incorporation.
Application security
Continuous integration, delivery and deployment are modern approaches to the building, testing and deployment of IT systems.
We use modern, well supported frameworks provided by Microsoft, Google and the open source community. These frameworks protect against common OWASP Top 10 security risks such as Cross Site Scripting (XSS), Buffer Overflows and Cross Site Request Forgery (CSRF), incorrect Authentication and Session handling and more.
Database access is via an ORM (Object Relational Mapper) which significantly limits, if not eliminates the risk of SQLi (SQL Injection).
As per NCSC guidance, developers use a virtualised OS to separate their coding from their day-to-day environments. This means that email, browsing, and most security credentials can be accessed within the same restrictive environment as any other employee whilst still allowing them to access their coding IDE and toolchain from the isolated environment.
Our staging environments are always separated from production. Only anonymised data is used for testing and validation.
We leverage the Cloudflare WAP (Web Application Firewall) to help protect our service’s APIs. Some other uses include:
- Core OWASP rules block familiar “Top 10” attack techniques.
- Zero-day vulnerability protection.
- API rate limiting.
Zero trust and network security
Trust nobody, authenticate everywhere.
Zero trust has become trendy in recent years, especially during COVID, but we’ve worked this way since 2001!
Zero Trust is a security framework requiring all users, whether in or outside the organisation’s network, to be authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
Zero trust implementation is an ongoing process that will continue to evolve and change within the company for years to come.
Though Zero trust makes VPNs mostly redundant, we still use them as an additional layer of security where appropriate to protect against protocol-level vulnerabilities.
Our staging environments are always separated from production. Only anonymised data is used for testing and validation.
Staff use a single 2-factor protected SSO account to access web-based resources where supported. This means that when a member of staff leaves the company we can disable access to all company resources from one place.
Employees are allocated the lowest security level required to perform their jobs. Nobody, including administrators, accesses their day-to-day devices with admin-level access.
As we work towards a passwordless future, employees are given a phishing-resistant FIDO hardware key for access to critical services that support it as well as Windows Hello, biometrics or TOTP 2FA.
We use Microsoft Intune to monitor device health and when possible block access to company resources. This is an ongoing project.
Our network is protected by a combination of hardware and software Deep Packet Inspection/ IDS/IDP powered by next-gen hardware firewalls and enterprise-grade IDS software.
OS and 3rd party updates are applied weekly either automatically or manually after patch testing. We use patch management software to verify this.
Our security posture is based on the recommended Microsoft Baseline Security Policies which are enforced via Microsoft Intune MDM.
As a best practice and to meet compliance, important server logs are shipped in near real-time to an external storage provider to ensure that there is always a copy if the originals are destroyed.
We also maintain audit-level logs to record access to your application data. This is backed up as normal.
Organisational security
Continuous integration, delivery and deployment are modern approaches to the building, testing and deployment of IT systems.
All employees sign a confidentiality agreement when onboarding.
All staff are required to complete the NCSC cyber security training and assessment.
Importantly as a technology company, our small team is highly technically proficient.
We use secure team messaging services almost exclusively within the company.
Whilst not impossible this makes spear-phishing attempts much more difficult to launch as Emails or text messages imitating staff members would be unusual and therefore treated with maximum suspicion.
We maintain a set of policies, standards, procedures, and guidelines covering information security, GDPR and data protection, employee responsibilities, and more.
We believe these live and regularly updated documents show our commitment to competent business management at all levels of the organisation.