1.1 Human resource security
A comprehensive awareness training program is delivered on an ongoing basis to all Problem Free Limited employees to emphasise the need to protect customer cloud data appropriately. We also require our contractors to provide appropriate awareness training to all relevant employees.
Transactions between the user (including administrators) and the cloud environment are encrypted using TLS by default. The older SSL protocol has been deprecated. If removed from the production environment Customer data will always be encrypted at rest. Any data sent between our production servers (such as to a database) will only be communicated via their own private network, private virtual LAN or through an encrypted channel.
1.3 Physical security
Our primary database and web servers are located at specialist data centres in France (EU). Data centres such as this have 24/7 monitoring and access control via RF key cards to track employees as they move through the installation. The data centre holds ISO/IEC 27001, ISO 27002 and ISO 27005, SOC 1 Type II and SOC 2 Type II certifications. Encrypted backups are stored on the Amazon S3 cloud in the Ireland (EU) and our PDF export server in the Netherlands (EU). These data centres also have appropriate physical security in place.
1.4 Access Control and logging
We use the “authentication everywhere” principle for all internal admin systems. Employees are only given access to systems and personal data if it is required for the performance of their role. We record audit logs of any access to customer accounts (including our own staff), as well as important operations that take place on their accounts for legal and security purposes. Employee access to company systems will be revoked within 24 hours of termination. Complex password policies are enforced.
1.5 Asset management
All company hard drives are encrypted with full disk encryption. Only devices properly secured by the company will be able to access company networks. Employee PC’s all have anti-malware software and firewalls installed as standard. We also employ highly restrictive “process white-list” and “anti-exploit” software where it is sensible to do so.
Our service is built on the enterprise grade Microsoft .NET MVC platform and uses an ORM to interact with the customer database. This prevents many of the most common security venerability’s (such as SQL injection) We do not use a traditional CMS since these are regularly found to have security problems and instead build all of our marketing sites (blog, news and knowledge base) using a static site generator. Code is stored on a distributed source control system and peer reviewed and tested on our staging system before going live.
1.7 Vulnerability testing and patch management
We will periodically perform venerability scanning on our servers to identify any relevant issues. Security patches are reviewed regularly and applied to our servers where appropriate.
1.8 Web application firewall and security proxy
Our servers are protected by CloudFlare who provide expert defence against DDOS attacks, a web application firewall to filter suspicious or dangerous activity, block known “bad IP addresses/users” and offer various cryptographic enhancements. We also pay for their premium Argo routing system to increase performance for users who’re located at a notable distance from Europe.
1.9 Information security incident management
Where we believe it’s appropriate to inform the customer of an information security event (before it has been determined if it should be treated as an incident), it will be relayed to the nominated customer administrator. Similarly, the customer may report security events to our support desk where they will be logged, and an appropriate action will be decided on. Information about the progress of such events may be obtained from the support desk. We will report information security incidents to the customer where we believe that the customer service or data has or will be affected. We will do this to the nominated customer administrator or deputy as soon as reasonably possible, and will share as much information about the impact and investigation of the incident as we believe to be appropriate for its effective and timely resolution. An incident manager will be appointed in each case who will act as the Problem Free Limited point of contact for the incident, including matters related to the capture and preservation of digital evidence if required. We prioritise incident management activities to ensure that the timescale requirements of the GDPR, for notification of breaches affecting personal data, are met.
1.10 Information Security Aspects of Business Continuity Management
Our production data centres are distributed across multiple cities to provide redundancy in the event of a widespread outage. Database transaction log backups are scheduled for every 15 minutes and are automatically encrypted and transferred to the remote Amazon S3 storage cloud. Additional full and differential backups are taken periodically and similarly transferred to the same safe location.