Platform Security Overview

Date: 10 April 2017

We take security very seriously here at CybSafe. And for good reason: every person and team using our product expects their data to be protected and secure. We understand how important the responsibility of safeguarding this data is to our customers, and we are proud to exceed the industry standard when it comes to protecting your organisation.

We combine enterprise-class security features with comprehensive audits and penetration tests of our platform to ensure customer and business data is always protected. And our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected.

We achieve this through ensuring that:

  • We use recognised frameworks with strong security credentials and follow strong security practices. 
  • We only gather minimal personally identifiable information (restricted to the user’s name, company, department and email address).
  • Our servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities.
  • Our business is about putting security first. As such, our clients’ data is our most important asset and our IT systems are built with this in mind.
  • We employ third-party security experts to perform detailed penetration tests on different applications within our platform to ensure the safety of our customer data.
  • Our data-handling practices comply with the UK Data Protection Act and with the forthcoming EU General Data Protection Regulation (GDPR).

Some of the key security measures that are in place on the website and server infrastructure are:

Data centre and network security

We ensure the confidentiality and integrity of your data with industry best practices. CybSafe servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Data in transit is protected with TLS (our HTTPS configuration is rated A+ by the Qualys SSL Labs server test).

Application security

We follow secure development practices and test the platform against known security threats to keep customer data safe.

In addition, CybSafe employs third-party security experts, who hold CISSP, GIAC, IISP and TOGAF 9 certifications, to perform detailed penetration tests on our platform.

Product security features

We make it seamless for customers to manage access and sharing policies with authentication and single sign-on (SSO) options. All communications with CybSafe servers over public networks are encrypted using industry-standard HTTPS, so the traffic between you and CybSafe cannot be read or altered in transit.

Codebase

• Uses recognised frameworks with strong security credentials

• Follows strong security practices, e.g. login lockouts after repeated failures, password hashing with modern slow algorithms, protection against common attacks (CSRF, SQL injection, form tampering), output sanitisation and input validation

• Centralised access control lists restrict sensitive information to users that have permission to access it

• Minimal personally identifiable information stored for site users (restricted to the user’s name, company, department and email address)

• Data in transit is protected with TLS (HTTPS configuration rated A+ by the Qualys SSL Labs server test)

• Codebase integrity maintained through Git version control and rigorous testing
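As an added illustration of two of the practices listed above (password hashing with a modern algorithm, and login lockouts), the following is example code written for this page; it is not CybSafe's own code and does not describe their implementation. It stores passwords with PBKDF2-HMAC-SHA256 from the Python standard library (the algorithm CybSafe actually uses is not stated on this page), uses a random per-user salt, compares digests in constant time, and locks an account after a number of consecutive failures. The iteration count, thresholds, record format and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Added example, not CybSafe's code. Algorithm choice, thresholds, record
# layout and names are illustrative assumptions.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # tune so one hash costs ~100 ms on the server
MAX_FAILURES = 5              # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long a locked account stays locked


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)     # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory user table with per-account lockout state."""

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.users: Dict[str, dict] = {}
        # A dummy record is verified for unknown usernames so that a failed
        # login takes the same time whether or not the account exists.
        self._dummy = hash_password("dummy-password", iterations)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password, self.iterations),
                                "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            verify_password(password, self._dummy)   # equalise response time
            return "bad_credentials"
        if now < user["locked_until"]:
            return "locked"                          # refuse without checking the password
        if verify_password(password, user["hash"]):
            user["failures"] = 0                     # success resets the counter
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
        return "bad_credentials"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.login("alice", "wrong guess"))                   # bad_credentials
    print(store.login("alice", "correct horse battery staple"))  # ok
```

Two design points worth noting: the stored record carries its own algorithm name and iteration count, so the cost can be raised later and old records re-hashed on the user's next successful login; and a locked account is refused before the password is checked, so an attacker cannot keep testing guesses against a locked account.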

Infrastructure

• All data is hosted on dedicated servers provided by UKFast; the data centres are ISO 27001 certified, PCI DSS compliant and secured to UK government IL4 standards. The UKFast data centre is based in Manchester

Storage

  • All data is held on the dedicated UKFast servers described under Infrastructure above
  • Server-level controls in place at UKFast include:
    • A hardware firewall (Cisco ASA range) protects the servers from outside access
    • Server access is by SSH key pair only

Backup

Database content is backed up nightly, encrypted and stored remotely in Amazon S3 (Ireland data centre). Remote backups are encrypted with a 256-bit Rijndael cipher (AES-256). Our backup regime means we can recover all CybSafe data at short notice should we need to. No data leaves the EU.

Business and IT Security Accreditations

We implement security best practices to meet not just industry-based compliance, but the most stringent requirements. Our hosting facilities maintain the following accreditations:

[Image: accreditation logos of the hosting facilities]