Information Security Policy

Effective: May 25th, 2018

1.        Overview

We take information security seriously. This policy serves as a guide to let you know the steps we take to ensure the privacy of your data.

 

2.        Data Centre Security

2.1. Sure Will Writer – Professional Will Suite, developed by WillSuite Ltd, runs on the DigitalOcean platform, with data hosted on the Amazon Web Services (AWS) platform and housed in nondescript facilities. Our data centers are located in London.

2.2. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

2.3. More information relating to security of data centers can be found in the AWS Security Whitepaper and DigitalOcean security disclaimers available here: https://aws.amazon.com/whitepapers/overview-of-security-processes/ https://digitalocean.com/security/

 

3.        Server Security

3.1. Our server network can only be accessed via SSH with public key authentication or via Two-factor Authentication over Public keys are removed from servers where access is no longer required.

3.2. Operating system security patches are checked on a nightly.

 

4.        Third Party Penetration Tests

4.1. In addition to extensive internal scanning and testing, WillSuite work with CREST-accredited third-party security experts to perform a broad penetration test across the WillSuite platform to validate and improve on the security of our software.

 

5.         Ongoing Security Monitoring

5.1. Servers are checked for security patches on a nightly

5.2. Automated application checks are run against the PHP Security Advisories Database (https://security.sensiolabs.org/) every 24 hours. WillSuite are alerted if there are any packages included within the system which require action.

5.3. WillSuite are notified when suspicious account activity is In some cases access to the system may be automatically restricted until manual intervention by WillSuite employees.

 

6.         Encryption of Data

6.1. Communications between you and WillSuite servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) by

6.2. At rest, data is encrypted on our AWS platform with AES-256

 

7.         Data backup and redundancy

7.1. WillSuite’s strict backup regime ensures customer data is backed up on an hourly

7.2. Before being purged;

       7.2.1. Hourly backups are held for a period of 7

       7.2.2. Daily backups are held for a period of 16

       7.2.3. Weekly backups are held for a period of 8

       7.2.4. Monthly backups are held for a period of 3

 

8.         Data Retention

8.1. Customer data is retained for as long as you remain a customer and until impractical, your data will remain in the WillSuite system indefinitely. Former customers’ core data is removed from live databases upon a customer’s written request or after an established period following the termination of the customer agreement. In general, former customers’ data is purged 90 days after all customer relationships are

8.2. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages itself from the repositories as the data lifecycle occurs. WillSuite reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory

 

9.         Framework level security

9.1. We use tools and techniques to protect against common security vulnerabilities. This includes escaping user-inputted data which is rendered to reduce the threat of Cross Site Scripting (XSS), using CSRF tokens to minimize the risk of Cross Site Request Forgery (CSRF), and use of PDO across the system to minimize the risk of SQL

9.2. Protection against the above attack vectors is evaluated as part of our third-party security

 

10.        Data Access

10.1. Customer Support, Services, and other customer engagement staff with a need-to-know may request access to customer services on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer’s service for a 24 hour period.

10.2. All access requests, logins, queries, page views and similar information are logged. Employee access is subject to daily review and at least semi-annual recertification to ensure authorized systems are within limits of employees’ current

 

11.        Employee

11.1. All employees are subject to pre-employment checks including, but not limited to, reference checks of previous employment (or where not applicable from educators / apprenticeship programs).

 

12.        Security Training

12.1. All employees receive security and incident response processes training within the first month of employment as part of the WillSuite security program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policies before access to production networks and data.

12.2. Employees are tested on their knowledge of different common attack vectors used within web applications and given training on risk minimization before and during development on the code

 

13.        Product Security Features

     13.1. Two Factor Authentication

Two Factor Authentication is available for users of the system to protect their account in the event their password is compromised.

     13.2.       Password Policy

We enforce a password policy that sets requirements for the complexity and uniqueness of passwords.

     13.3.       Unobtainable authentication data

Passwords are one-way hashed and salted using bcrypt, the recommended industry standard in one-way hashing. Passwords cannot be retrieved by any party.

     13.4.       Communication Encryption

Web traffic to our platform is forced over encrypted HTTPS and is authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).

     13.5.       Role-based Access

Role-based user access allows administrators to restrict application and data access for certain users depending on their role.