SSO & User Provisioning
SAML Single Sign-on (SSO) allows the authentication of users via third party identity providers (IdP) without requiring them to enter additional login credentials on .
Two Factor Authentication (2FA)
2-factor authentication (2FA) can be enabled for an additional layer of security. 2FA operates via email or using a Mobile Authentication app.
User Roles and Groups
User permission control is available within the software to ensure that the correct level of access can be applied to the relevant users. Users can also be segmented into Groups. Permissions are customised when creating Roles in the software and assigned to users, providing different levels of access.
Strong passwords are enforced and encrypted using Bcrypt.
Users have a responsibility to keep their passwords protected at all times and not shared with other users. We recommend that each user updates their own password every 60 days and does not leave their account logged in when their desktop / laptop is unattended.
uptime target is 99.9% or higher, 24/7.
Network and datacenter security
Hosting and storage
services and data are hosted within our own Virtual private cloud on the Google cloud platform in the London (europe-west2) region across multiple zones for high availability.
For Google cloud compliance see https://cloud.google.com/security/compliance/
Media files are hosted in Rackspace cloud files.
For Rackspace compliance see https://www.rackspace.com/en-gb/compliance
Recovery / backup
databases have high availability enabled, meaning that in the event of a zonal outage within the London region or when an instance runs out of memory, data will still be available and services will continue to operate.
In the event of a database corruption or loss of data,databases have point in time recovery enabled, which allows us to restore the database to its previous state before the error.
Media file backups are uploaded to our rackspace cloud files which moves the backup files into 3 different storage locations within the UK Datacenter for redundancy.
Access to customer data is limited to authorised employees only. These employees require this level of access to do their job sufficiently.
runs a zero trust corporate network, with strong rules in place to prevent unauthorised access to data. This ensures there are no additional privileges or resources available by just being on the embed signage corporate network.
enforces the use of SSO, MFA and strong password policies on our network, Github, Google cloud platform and to ensure access is protected.
Network, system and application logs including audit logs are sent to our SIEM tool for analysis.
All servers and endpoints have agents installed to continuously monitor for any malicious activity or vulnerabilities and a vulnerability management program is in place to ensure patches to software are applied as quickly as possible.
is served entirely over HTTPS and all data sent to and from is encrypted in transit using 256 bit encryption. TLS 1.2 minimum. scores “A” rating on the Qualys SSL labs test.
We only use the strongest cipher suites and all data is encrypted at rest using AES-256 encryption.
has processes in place to deal with any security incidents. All employees are informed of these processes and policies.