This article outlines our technical and organisational security measures and should be read in conjunction with our articles: Security Measures & Data Backups and Technical and Organisational Security Measures.
Website data is hosted by Wildfire Internet on IONOS cloud in a Tier IV certified data centre managed by Fasthosts. Please refer to the Fasthosts DPA and the IONOS DPA for further information on their Data Processing Agreements and responsibilities.
1. Entrance Control
Entrance to the Tier IV certified data centre is controlled by IONOS.
2. System Access Control
We control our access to our website systems via industry standard encrypted SSH keys held by authorised and trained personnel. Additional password entry is then required to add/change/remove access.
3. Data Access Control
We control our access to website data via industry standard encrypted SSH keys held by authorised and trained personnel.
4. Transmission Control
We recommend implementing HTTPS on websites to securely encrypt data during transmission over the internet, ideally 'Strict' mode & with Secure & SameSite Cookies enabled
We implement a robust SSL configuration rated A+ on Qualys SSL Labs.
We recommend implementing Content Security Policy (CSP) violation error capture using our HTTPS Reporter tool (read how to set up CSP in your REC+ site here) and also to crawl your site for mixed content using our HTTPS Checker tool.
We recommend implementing Cloudflare's Content Delivery Network (CDN) for an additional security layer. Contact us for advice on this and you can read about changing DNS settings here.
5. Data Entry Control
The Data Controller (i.e. the website owner / administrators) will ensure they have mapped their overall data entry points for both administrators and website users and who can access data, and thereby will identify which points take place on their website.
For website users, this will typically be via user forms, newsletter signups and checkout processes. Refer to our GDPR section for articles on users rights to Access, Rectification, Erasure.
Administrators entering or accessing data on the website are controlled via system login and User Access Control permissions with auditing available for key activities.
We use rate limiting to stop malicious brute force attacks and allow administrators to be whitelisted by IP address
6. Data Processing Control
Refer to our GDPR section for articles on users rights to Restricted Processing, Right To Object, Data Portability, Deleting Form Data.
Within our software development cycle we follow privacy-by-design and default in relation to the GDPR.
7. Availability Control
Website data is hosted by Fasthosts / IONOS under a signed support agreement and regularly backed up, with test restores in place. See also our article on Website Data Storage & Security concerning our own measures at an REC+ application level and admin access by our support staff.
We run tools that monitor site availability, server and application performance, SSL availability, domain availability, SPF records, data storage, bandwidth usage and volumes of emails sent, DNS blacklist checks
8. Separation Control
The system architecture achieves separation of personal data and software from one and any other customer.
Our websites sit on our own dedicated servers and do not use "shared servers".
Customers can access their own data as detailed in the article The Right Of Access (User Login To View Their Data).
Data collected for different purposes, such as forms and orders, is stored and accessed separately within the system.