Security Governance

  1. Governance / Audits
    1. Do you have a security policy, is this policy enforced?
    2. Do you perform yearly compliance audits?
    3. Do you perform routine pentests?
    4. Did you already suffer security breaches / data loss?
    5. What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?
    6. Would a third party be allowed to perform a functional or technical security audit of your service?
  2. Reversibility
    1. Does the contract describe a reversibility plan / handover plan / step-in rights?

Do you have a security policy, is this policy enforced?

We follow the rules of secure development, including:

  • Use HTTPS for domain entries
  • Use only current encryption and hashing algorithms
  • Do not allow directory listing
  • Do not store sensitive data inside cookies
  • Enforce a strong password policy
  • Do not store sensitive information in a form’s hidden fields
  • Verify file upload functionality
  • Set secure response headers
  • Make sure third-party libraries are secured
  • Hide web server information
  • Basically, as much as we can do.

Do you perform yearly compliance audits?

Information can be found here for our Rackspace web hosting: 

Do you perform routine pentests?

For pentests on the system we run detectify.com as frequently as daily to check for vulnerabilities. Detectify strives to be at the bleeding edge of web application security. It performs automatic penetration tests against web applications, based on the OWASP Top 10, seemingly magic fingerprinting of content management systems, and the very latest trends in vulnerability research. More information can be found on their website: https://detectify.com

Staffwise has the lowest possible threat score of 0, and a perfect 10/10 for the OWASP Top 10:

If you are not familiar with the OWASP Top 10, click here to find out more: OWASP Top 10

Did you already suffer security breaches / data loss?

No

What's your internal notification / escalation procedure in case of breach? How would we be informed and how long would it take?

We are using Rackspace Managed Security and Snort.org. See more information here https://www.rackspace.com/en-gb/managed-security-services and here https://www.snort.org/

We would be alerted by either system and once we have assessed the situation we would then notify any customers affected and GDPR within 72 hours.

Would a third party be allowed to perform a functional or technical security audit of your service?

Yes

Does the contract describe a reversibility plan / handover plan / step-in rights?

You would have constant 24-hour access to the web portal to view and retrieve your data in real time as it is submitted via the tablet or mobile devices. You can download it as CSV or XLSX at any time.