Security and Reliability Statement
Confidential – do not duplicate or distribute without written permission from Utegra, a division of SurveyShack (SSL) Ltd.
This document describes the security environment and data management culture and processes of Utegra.
We constantly strive to ensure the information contained herein is always accurate but because our security and data management processes evolve and adapt continuously to constantly changing conditions, this document may not always reflect our exact architecture and may therefore not always be error free. We reserve the right to modify this information at any time.
Questions or comments, please contact us on: email@example.com
Utegra acquires and manages data on two levels:
- Data acquired and managed in support of running our business (e.g. our own accounting, sales and marketing activities)
- Data acquired and managed on behalf of our customers (e.g. our customer’s mailing lists and survey data)
As an organisation therefore we act as both a data controller and a data processor.
1.1 Protection and Security of Data
Good information handling makes good business sense and as both a data controller and a data processor, Utegra takes our data security and protection responsibilities very seriously.
As has been described throughout this document, our responses to the ICO (Information Commissioner’s Office) data protection checklist below confirms our sound knowledge and understanding of the requirements for data protection, as follows:
- Do we have a record of what personal and/or business data we hold and do we know what we use it for? YES
- Do our customers know we have their personal and/or business data and understand how we use it? YES
- Do we only collect the personal and/or business data we need? YES
- Do we only keep personal data and/or business for as long as it is needed? YES
- Do we keep personal and/or business data accurate and up to date? YES
- Do we keep personal and/or business data secure? YES
- Do we have a way for people to exercise their rights regarding the personal and/or business data we hold? YES
- Do all of our staff know our data protection responsibilities? YES
Utegra, a division of SurveyShack (SSL) Ltd is a ICO registered data controller (reg no: ZA288963).
1.3 Data Classification and Ownership
- As a data controller, all data acquired on behalf of our customers belongs to them. Our customers have complete and exclusive control over how their data is acquired, stored, shared and deleted.
- As a data processor, any data acquired and used as part of the running of our business is managed strictly in accordance with all relevant legislation and guidelines.
1.4 Security Control Policies and Procedures
All aspects of our system and data security processes and policies are documented and practised by all staff, subcontractors and stakeholders. Related policies include:
- General Terms and Conditions: https://utegra.co.uk/terms-and-conditions/
1.5 Staff, Subcontractors and Third Parties
- All employees are subject to background verification checks prior to confirmation of their employment
- All staff, subcontractors and where necessary, third parties are required to sign a NDA or Confidentiality Agreement as a condition of employment or engagement to protect Utegra and/or customer information
- All staff and relevant subcontractors are trained, tested and regularly re-tested on their understanding of Utegra’s policies and procedures to ensure they will always act in compliance with these
- All staff and subcontractors are immediately updated with all new/updated policy and procedural documentation
- All staff and subcontractors are aware of their responsibilities for leaving unattended equipment in a secure manner at all times
- Upon termination, all company-owned equipment is recovered and all access to company and/or client data is immediately revoked via centrally administered login access controls
1.6 Data Loss/Leakage
Any suspected or known loss or leakage of data is immediately reported to our data compliance manager. Where the significance of the issue warrants, this is reported to the client and if required also, the ICO, within the required maximum period of 72 hours.
1.7 Data Encryption
In all instances, any data transmitted electronically via the internet, via any transfer means (email or system user interface), is fully encrypted by means of SSL with 128 bit encryption (High) or RSA with 1024 bit exchange.
1.8 Network Security
As an organisation, Utegra does not utilise any form of organisational network. All business process related connections to the internet are made via unique local device browser sessions under strictly, centrally controlled username and password policy. All devices and connections made therefore follow DCHP IP address rules.
1.9 Business Continuity
Wherever possible, Utegra utilises proven, reliable internet cloud-based business process tools to administer and store all data and code. This ensures that all business-critical information and systems are:
- able to be accessed via multiple channels from any location worldwide
- available on a constant and permanent basis
- centrally managed and administered by the required authorised staff
- protected by best-in-practice security processes
- fully backed up and recoverable
- compliant with all relevant data protection and privacy requirements
As there is no dependence on any form of dedicated network, hardware or unique software to maintain business continuity, should it ever be required that any business-critical and/or client data may need to be recovered in the event of disaster or any form of unforeseen circumstance, this can be achieved virtually instantaneously. All members of the senior management team have been trained and are able to access all of our systems and processes at any time.
1.10 Disaster Recovery
See 1.9, 2.7 and 2.11
1.11 Disposal of Hardware
Should it ever be necessary to dispose of hardware which is capable of storing, and which may have ever stored personal and/or business related data, this is disposed of in accordance with environmental policy having first undergone permanent physical destruction of the storage media contained within the hardware unit.
2 Online Solutions Security
Utegra develops, builds and hosts online multi-tenant software-as-a-service (SaaS) systems.
In all instances, system and data security, and reliability is the lifeblood of our business which we therefore take extremely seriously. The following should describe and reassure on our relentless pursuit of the best-practice approach to ensuring our systems are always as secure and reliable as is technically and humanly possible.
Utegra’s online solutions are based on the tried and true LAMP (Linux, Apache, MySQL and PHP) combination of web-based development components. PHP code is written within the Laravel framework to ensure our tools keep pace with the latest in development methods, system security and version control, and to allow for the widest possible development tools integration options.
2.2 Cloud Infrastructure
All Unix (Linux) cloud servers are established strictly within the EU and are based on either a Ubunto or Debian OS. Apache service provides for webserver domain control.
2.3 Identity and Access Management
Access to server and the database is only possible via secure SSH (hashed) and centrally revocable keys which are placed on individual devices authorised to access the server only. It is not possible to gain access via the root at all.
2.4 Application Security
As well as strict server and database access control, Encryption of all movement of data within the database/code relationship of the system is provided for by PHP Data Objects (PDO) within the Laravel framework to mitigate against SQL injection risks.
2.5 Client User Password and IP Restriction Security
All client system user passwords are fully encrypted and set by users only. Very clear and strict password rules are applied including regular automatic password expiry and resets, long and detailed passwords, etc. In some instances, IP restrictions have been applied at server level permitting only IPs authorised by the client themselves to access the applications.
2.6 Anti Malware
Multiple security and malware detection, alerting, quarantining and reporting applications are in permanent use.
2.7 Change Control and Configuration Management
All code is repository-based (Bitbucket) which provides for effective version control, ease of update and rapid restoration if required
2.8 Penetration Testing
Penetration testing is able to be carried out upon request and at the client’s expense
2.9 Physical Security
The Utegra server farm is hosted with a leading European Cloud service host in a locked cage-type environment where access to the server is restricted by secure appointment and photo ID security card access.
2.10 Host Security
Hosting is on a UNIX platform which has been hardened against attack by the following means:
- All currently available patches for OS, web servers and databases are constantly updated as soon as they are released
- Passwords for access to the server must follow these rules:
- Must be a minimum of 8 characters long
- Must have at least 1 English capital letter, 1 English lower case letter, 1 number and 1 alpha-numeric or “special” character o May not contain any full part of any employees email address, or full name
- Must be changed at least every 45 days
- Must not be the same as any of the past eight passwords used
- Must not contain any common word in the dictionary or slang.
2.11 System and data Back-up
All databases and data are backed up on and off-server on an hourly (retained for 24hours), daily (kept for 24 hours) and weekly basis. See 2.7 above for a description of code version control and restoration.
3 Online Solutions Performance and Reliability
Our target uptime is 99.9% which when excluding planned downtime and unplanned external internet failures beyond our control, we have been able to achieve consistently to date.
3.2 System User Support
All Utegra systems and services benefit from UK-based email user support during normal working hours. All incoming support requests are immediately logged, acknowledged and prioritised as follows:
- Low: Resolution as soon as possible
- Normal: Resolution within 24 hrs wherever possible
- High: Resolution within the same 12hr day wherever possible
- Urgent: Resolution within 2 hrs or sooner
User support can be requested using the ‘Help’ option provided for within most of our online solutions, or directly via our firstname.lastname@example.org email address.