Security
Product security
SSO & User Provisioning
SAML Single Sign-On (SSO) allows users to be authenticated via a third party identity provider (IdP) without having to enter a separate set of login credentials.
User Provisioning provides the ability to add, manage and remove users and groups on an account via third party providers including Azure Active Directory and Okta.
Two Factor Authentication (2FA)
Two-factor authentication (2FA) can be enabled for an additional layer of security. The second factor is either delivered by email or generated by a mobile authenticator app. Of the two, the authenticator app is the stronger option: an emailed code is only as secure as the user's mailbox, whereas an app-generated code is derived from a secret that never leaves the device.
User Roles and Groups
User permission control is available within the software so that the correct level of access can be applied to each user. Users can also be segmented into Groups. Permissions are customised when creating Roles in the software, and Roles are then assigned to users, giving different levels of access so that each user is granted only what their job requires.
Password Hashing
Strong passwords are enforced, and stored passwords are hashed with bcrypt. Bcrypt is a salted, deliberately slow password hash rather than reversible encryption: the plaintext cannot be recovered from the stored value, and a login is checked by hashing the supplied password and comparing the result with the stored hash.
User Responsibility
Users are responsible for keeping their passwords protected at all times and for not sharing them with other users. We recommend that each user changes their own password every 60 days and does not leave their account logged in when their desktop / laptop is unattended. Note that current NIST guidance (SP 800-63B) advises against mandatory periodic rotation and instead recommends changing a password when there is evidence it has been compromised; enabling 2FA reduces the impact of a leaked password either way.
Uptime
The uptime target is 99.9% or higher, measured 24/7 (99.9% allows for roughly 8.8 hours of downtime per year).
Network and datacenter security
Hosting and storage
Services and data are hosted within our own Virtual Private Cloud (VPC) on Google Cloud Platform in the London (europe-west2) region, spread across multiple zones for high availability.
For Google Cloud compliance see https://cloud.google.com/security/compliance/
Media files are hosted in Rackspace Cloud Files.
For Rackspace compliance see https://www.rackspace.com/en-gb/compliance
Recovery / backup
Databases have high availability enabled, with a standby replica maintained in another zone, so in the event of a zonal outage within the London region, or if the primary instance fails (for example by running out of memory), the database fails over and services continue to operate.
In the event of database corruption or loss of data, point-in-time recovery is enabled on the databases, which allows us to restore a database to its state immediately before the error (within the configured transaction log retention window).
Media file backups are uploaded to our Rackspace Cloud Files account, which replicates the backup files to three different storage locations within the UK datacentre for redundancy.
Employee Access
Access to customer data is limited to authorised employees only, and only to those who require that level of access to do their job.
The corporate network is run on a zero trust model, with strong rules in place to prevent unauthorised access to data. This ensures that no additional privileges or resources are available simply by being on the embed signage corporate network.
SSO, MFA and strong password policies are enforced on our network, GitHub and Google Cloud Platform to ensure access is protected.
Monitoring
Network, system and application logs including audit logs are sent to our SIEM tool for analysis.
All servers and endpoints have agents installed that continuously monitor for malicious activity and known vulnerabilities, and a vulnerability management programme is in place to ensure software patches are applied as quickly as possible.
Encryption
The service is served entirely over HTTPS, and all data sent to and from it is encrypted in transit with TLS 1.2 or higher using cipher suites with 256-bit symmetric keys. The service scores an “A” rating on the Qualys SSL Labs test.
Only strong cipher suites are enabled, and all data at rest is encrypted using AES-256.
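As an added illustration of what "TLS 1.2 minimum" and "strong cipher suites" mean in a server configuration (this is example code written for this page, not the product's own configuration), the block below builds a permissive OpenSSL context next to a hardened one and audits each against a simple policy: minimum version TLS 1.2, forward-secret key exchange, AEAD ciphers only, at least 128-bit keys. The policy, cipher string and function names are this example's assumptions; the contexts are inspected offline and never bound to a socket.

```python
import ssl

# Policy: TLS 1.2 minimum, forward-secret key exchange, AEAD ciphers only.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"
# OpenSSL names: ECDHE-/DHE- suites are ephemeral; TLS_* are TLS 1.3 suites, always (EC)DHE.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def permissive_context() -> ssl.SSLContext:
    """The kind of setting that costs an SSL Labs grade: every cipher OpenSSL can negotiate,
    including static-RSA key exchange and CBC suites with no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2+ only, ECDHE key exchange, AES-GCM or ChaCha20-Poly1305, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)        # governs TLS 1.2; TLS 1.3 suites are AEAD by design
    ctx.options |= ssl.OP_NO_COMPRESSION     # TLS compression enables the CRIME attack
    # ctx.load_cert_chain("fullchain.pem", "privkey.pem")  # hypothetical paths; needed before serving
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version {ctx.minimum_version.name} is below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if not name.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"{name}: no forward secrecy")
        if not cipher["aead"]:
            findings.append(f"{name}: not an AEAD cipher (MAC-then-encrypt CBC)")
        if cipher["strength_bits"] < 128:
            findings.append(f"{name}: only {cipher['strength_bits']}-bit")
    return findings


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(f"{label}: {len(audit_context(ctx))} finding(s)")
```

Two points worth noting from the output: the hardened cipher string still leaves TLS_AES_128_GCM_SHA256 enabled under TLS 1.3, since set_ciphers() only controls TLS 1.2 suites, so a literal "256-bit only" policy needs the TLS 1.3 suite list restricted separately at the OpenSSL level; and the audit checks the server's own configuration, which is a complement to, not a replacement for, an external scan such as SSL Labs that also sees the certificate chain and HSTS headers.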
Incident Response
Processes are in place to deal with any security incidents, and all employees are informed of these processes and policies.