Please read this article in conjunction with the article Technical and Organisational Security Measures.
Your website data is stored on our dedicated mirrored servers, which are hosted by Bytemark at these locations. We do not use 'shared servers'.
Data is additionally backed up onto a separate backup system each night and is stored for a minimum of 7 days and up to 6 months.
Website security and data protection are very important to us. Your data is protected by:
- Multiple layers of security being in place including physical access, network access and application access
- Hardware, operating systems, database software and packages being updated regularly to keep within supported versions and to apply security patches required on an ad hoc basis
- Obsolete or unnecessary software / packages being removed from the system
- The website application being regularly updated with the latest security updates, software maintenance patches and software feature enhancements as they become available, typically via a monitored daily overnight update
- Application software being under git version control, with any pushed changes monitored to validate that they are authentic and not malicious
- Intrusion detection tools that alert us to intrusions and to alterations of system files, so that we can prevent data breaches and other malicious activity
- Security scanning both internally on the server (static analysis) and externally (dynamic analysis) via web vulnerability scanning tools and code analysis tools
- Separation of data between one website and any other being built into the system architecture
- Separation of user-accessible areas from the core system, application programs and other protected files
- Locking down user-uploadable files to prevent potentially harmful files from being uploaded to the server, whether via the Admin Centre or FTPS
- Blocking the execution of program files in the user-uploadable areas
- Enforcing strong modern password hashing, rate limiting and password strength controls
- Blocking the sending of spam email, as identified by our in-built security checks, so that only genuine emails are sent out
Our Admin Access
We take appropriate steps to ensure compliance with our security measures by our employees to the extent applicable to their scope of performance, including ensuring that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Development Lifecycle - Secure & Private By Design
We follow a standardised development cycle which adheres to privacy by design and by default, and to security by design.
This also follows our software development process, which includes analysis, specification, development, assessment of the impact on security, privacy and performance, code improvements, code review, integration and testing (including unit tests), acceptance, and deployment via continuous integration and version control, followed by post-deployment monitoring, maintenance and disposal.