Platform Security Overview
Date: 1 November 2018
We take security very seriously here at CybSafe. And for good reason: every person and team using our product expects their data to be protected and secure. We understand how important the responsibility of safeguarding this data is to our customers, and we are proud to exceed the industry standard when it comes to protecting your organisation.
We combine enterprise-class security features with comprehensive audits and penetration tests of our platform to ensure customer and business data is always protected. And our customers rest easy knowing their information is safe, their interactions are secure, and their businesses are protected.
We achieve this through ensuring that:
- We use recognised frameworks with strong security credentials and follow strong security practices.
- We only gather minimal personally identifiable information (restricted to the user’s name, company, department and email address).
- Our servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities.
- Our business is about putting security first. As such, our clients’ data is our most important asset and our IT systems are built with this in mind.
- We employ third-party, CREST-approved security experts to perform detailed penetration tests on the different applications within our platform to ensure the safety of our customer data.
- We operate an approach that is fully compliant with the UK’s Data Protection Act and EU GDPR.
Some of the key security measures that are in place on the website and server infrastructure are:
Data centre and network security
We ensure the confidentiality and integrity of your data with industry best practices. CybSafe servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Data transfer uses strong SSL encryption (rated A+ by Qualys SSL Labs).
We follow secure development practices and test against security threats to ensure the safety of our customer data.
In addition, CybSafe employs third-party security experts, who are Information Systems Security Professionals (CREST, CISSP, GIAC, IISP, TOGAF 9 certified), to perform detailed penetration tests on our platform.
Product security features
We make it seamless for customers to manage access and sharing policies with authentication and single sign-on (SSO) options. All communications with CybSafe servers are encrypted using industry-standard HTTPS over public networks, meaning the traffic between you and CybSafe is secure.
- Uses recognised frameworks with strong security credentials
- Follows strong security practices – e.g. login lockouts, password hashing with modern algorithms, protection against common attacks (CSRF, SQL injection, form tampering, etc.), data sanitisation and input validation
- Centralised access control lists restrict sensitive information to users that have permission to access it
- Minimal personally identifiable information stored for site users (restricted to the user’s name, company, department and email address)
- Data transfer uses strong SSL encryption (rated A+ by Qualys SSL Labs)
- Codebase integrity maintained through Git version control and rigorous testing
- All data hosted on infrastructure from Amazon Web Services (AWS) – the data centres are ISO 27001, ISO 27017 and ISO 27018 certified, PCI-compliant. We utilise AWS regions Ireland and London (eu-west-1 and eu-west-2)
- CybSafe subscribes to the AWS Shared Responsibility Model
- CybSafe is an advocate of the Site Reliability Engineering discipline
- Amazon’s certifications are listed at: https://aws.amazon.com/compliance/programs/
Database and persisted content is regularly backed up, encrypted and stored in different availability zones. CybSafe uses database clustering technology over multiple availability zones to provide failover and meet SLA commitments. Encrypted remote backups are stored in Amazon S3 (Ireland and London data centres). Remote backups are encrypted using a 256-bit Rijndael cipher. We apply a backup regime that means we can recover CybSafe data at short notice should we need to. No data leaves the EU.
Business and IT Security Accreditations
We implement security best practices to meet not just industry-based compliance, but the most stringent requirements. Our hosting facilities maintain the following accreditations.