Effective: May 25th, 2018
Information Security Policy
We take information security seriously. This policy serves as a guide to let you know the steps we take to ensure the privacy of your data.
2.1. Sure Will Writer – Professional Will Suite, developed by WillSuite Ltd runs on the DigitalOcean platform with data hosted by the platform Amazon Web Services (AWS) in nondescript housed facilities. Our data centers are located in London.
2.2. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
2.3. More information relating to security of data centers can be found in the AWS Security Whitepaper and DigitalOcean security disclaimers available here: https://aws.amazon.com/whitepapers/overview-of-security-processes/ https://digitalocean.com/security/
3.1. Our server network can only be accessed via SSH with public key authentication or via Two-factor Authentication over Public keys are removed from servers where access is no longer required.
3.2. Operating system security patches are checked on a nightly.
4.1. In addition to extensive internal scanning and testing, WillSuite work with CREST-accredited third-party security experts to perform a broad penetration test across the WillSuite platform to validate and improve on the security of our software.
5.1. Servers are checked for security patches on a nightly
5.2. Automated application checks are ran against the PHP Security Advisories Database (https://security.sensiolabs.org/) every 24 hours. WillSuite are alerted if there are any packages included within the system which require action.
5.3. WillSuite are notified when suspicious account activity is In some cases access to the system may be automatically restricted until manual intervention by WillSuite employees.
6.1. Communications between you and WillSuite servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) by
6.2. At rest, data is encrypted on our AWS platform with AES-256
7.1. WillSuite’s strict backup regime ensures customer data is backed up on an hourly
7.2. Before being purged;
7.2.1. Hourly backups are held for a period of 7
7.2.2. Daily backups are held for a period of 16
7.2.3. Weekly backups are held for a period of 8
7.2.4. Monthly backups are held for a period of 3
8.1. Customer data is retained for as long as you remain a customer and until impractical, your data will remain in the WillSuite system indefinitely. Former customers’ core data is removed from live databases upon a customer’s written request or after an established period following the termination of the customer agreement. In general, former customers’ data is purged 90 days after all customer relationships are
8.2. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages itself from the repositories as the data lifecycle occurs. WillSuite reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory
9.1. We use tools and techniques to protect against common security vulnerabilities. This includes escaping user-inputted data which is rendered to reduce the threat of Cross Site Scripting (XSS), CSRF tokens are used to minimize the risk Cross Site Request Forgery (CSRF), and use of PDO across the system to minimize the risk of SQL
9.2. Protection against the above attack vectors is evaluated as part of our third-party security
10.1. Customer Support, Services, and other customer engagement staff with a need-to-know may request access to customer services on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer’s service for a 24 hour period.
10.2. All access requests, logins, queries, page views and similar information are logged. Employee access is subject to daily review and at least semi-annual recertification to ensure authorized systems are within limits of employees’ current
11.1. All employees are subject to pre-employment checks including, but not limited to, reference checks of previous employment (or where not applicable from educators / apprenticeship programs).
12.1. All employees receive security and incident response processes training within the first month of employment as part of the WillSuite security program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements and Acceptable Use Policies before access to production networks and data.
12.2. Employees are tested on their knowledge of different common attack vectors used within web applications and given training on risk minimization before and during development on the code
13.1. Two Factor Authentication
Two Factor authentication is available for users of the system to protect their account in the event their password is comprised.
13.2. Password Policy
We enforce a password policy restricting complexity and uniqueness of passwords.
13.3. Unobtainable authentication data
Passwords are one-way hashed and salted using bcrypt, the recommended industry standard in one-way hashing. Passwords cannot be retrieved by any party.
13.4. Communication Encryption
Web traffic to our platform is forced over encrypted HTTPS and is authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).
13.5. Role-based Access
Role-based user access, allowing administrators to restrict application and data access for certain users dependent on their role.