Data Security / GDPR

Overview

We consider the security of our customer data a top priority. We have implemented industry-standard security practices, including encryption at rest and in transit, to prevent unauthorized access to customer data. We also have a dedicated security team that works to ensure that our security practices are up to date and effective.

This page is intended to provide an overview of our security practices. If you have any questions, please contact us.

Physical Infrastructure

We use Amazon Web Services (AWS) as our hosting partner. AWS is compliant with ISO 27001, PCI DSS and SOC 2. We are hosted within the European Union (EU) region in eu-west-1, which is near Dublin, Ireland.

Our servers are hosted in a secure facility with 24/7 monitoring and surveillance. Access to the facility is strictly controlled and monitored. The facility is staffed 24/7 by trained security guards, and access is authorized strictly on a least-privilege basis. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

You can learn more about AWS data center controls and compliance certifications on the AWS website.

We do not have physical access to the environment.

Development Process

We follow industry-standard best practices for software development, including:

  • Code reviews - All changes to the application go through review by other members of the development team as well as automated review by code analysis tools that look for potential security issues.
  • Automated testing - We have a suite of automated tests that run on every change to the application. These tests ensure that the application is working as expected.
  • Automated deployments - Development staff have no access to the production environment and all deployments are done through automated pipelines for consistency and security.
  • Isolated Environments - Development and Production are completely isolated from each other. This ensures that no production data is used for development or testing.

All staff also go through:

  • Background checks - All staff are required to pass a criminal background check before being hired.
  • Annual Security Awareness Training - This includes training on handling Personally Identifiable Information (PII), security best practices, phishing, and social engineering. For developers this also includes secure coding guidelines, including how to avoid the common vulnerability classes catalogued by OWASP.
  • Confidentiality Agreement - All staff are required to sign a confidentiality agreement, including non-disclosure.
  • Access Control Checks - All staff are required to use multi-factor authentication (MFA) to access any systems and are granted only the access their job function requires. This access is reviewed regularly to ensure it is still correct.

Data Security

We take full advantage of AWS Managed Services in order to limit our access to customer data and lean on their expertise in security and compliance:

  • Container-Based - Our application runs in Docker containers on AWS Fargate, which is a managed container service. This means that we do not have access to the underlying operating system and do not manage any application servers ourselves.
  • Encryption - All data is encrypted at rest and in transit. We use AWS Key Management Service (KMS) to manage encryption keys. Data is encrypted at rest in both S3 buckets and our database using AES-256. All transmission between services and the internet is done via HTTPS/TLS, with a minimum of TLS 1.2.
  • Network Security - We use AWS VPC to isolate our application from the internet and other AWS customers, with all application containers running within a private subnet. We use AWS Security Groups to control access to our application, and only open necessary ports. No insecure protocols are used, nor do we use management services such as SSH.
  • Database Backups - We use AWS RDS for our database, which is a managed database service. This means that we do not have access to the underlying operating system. We use automated backups to retain 5 weeks of data in case of disaster.
  • Logging and Monitoring - We use AWS CloudWatch to store our logs. We also use AWS CloudTrail to log all API calls to our application. These logs are stored in S3 buckets and are encrypted at rest. AWS tools like GuardDuty, Config and Security Hub monitor these logs for unusual activity.
  • Data Access - Our support team does not have access to any production data. Only a small systems team has access to production data for managing our database, and all such access requires multi-factor authentication and is logged.
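As an added illustration, not the page's own infrastructure code, the following Terraform fragment encodes the network, TLS, database and encryption controls listed above. It assumes Terraform is in use and that resources such as aws_kms_key.data, aws_vpc.main, aws_security_group.alb and aws_s3_bucket.data are defined elsewhere.

```hcl
# Added example (not the page's own code). References such as aws_kms_key.data,
# aws_vpc.main and aws_security_group.alb are assumed placeholders defined elsewhere.

# Containers accept traffic only from the load balancer, only on 443; no SSH (22) or other management ports.
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

# Public HTTPS listener using a policy whose minimum protocol version is TLS 1.2.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.app.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# RDS: encrypted at rest with the KMS key, 35 days (5 weeks) of automated backups, not publicly reachable.
resource "aws_db_instance" "main" {
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  allocated_storage       = 100
  storage_encrypted       = true
  kms_key_id              = aws_kms_key.data.arn
  backup_retention_period = 35
  publicly_accessible     = false
  # credentials and other required arguments omitted
}

# S3 default encryption with the same KMS key (SSE-KMS).
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}
```

The security group deliberately has no rule for port 22, and `backup_retention_period = 35` is the maximum RDS allows, matching the 5 weeks stated above.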

Third-Party Services

Beyond AWS, we also use the following third-party services:

  • Bunny CDN - We use Bunny CDN to serve static assets such as images and JavaScript, including files uploaded to our Knowledge Base product. This is a content delivery network (CDN) that caches these assets around the world to improve performance. Learn more at bunny.net.

GDPR

We act as a data controller for the businesses who use our service. We collect and process data for the purposes of providing our service, and we do not share this data with any third parties.

We also act as a data processor on behalf of the businesses (our customers) who use our service, who act as data controllers for the data they collect on behalf of their customers while using our service.

Our customers are responsible for ensuring that they have the necessary consent to collect and process data from their customers. We provide tools to help our customers comply with GDPR, including:

  • Consent - Our customers may add a consent checkbox to their public forms which links to their privacy policy and terms.
  • Accuracy - Our customers can edit all the data stored about the people in their system to ensure it is accurate, or to remove information.
  • Data Removal - Our customers can remove people from their system permanently, which removes those people's data from our database.

For security purposes, we will store the IP addresses and country of origin of users logging into a ticket hub. This is to help our customers identify suspicious activity on their account.