We take data security very seriously

SERVER SECURITY

Only UK and Ireland data centres

User data and backups are only stored and processed in UK and Ireland data centres. All data is stored in accordance with the General Data Protection Regulation (GDPR) 2018. We are registered with the IoM Information Commissioner with registration reference R002884.

Multiple firewalls

Servers sit behind multiple firewalls within a VPC. Only ports 80 and 443 are publicly accessible. The database server is accessible only from within the VPC and from white-listed IP addresses.

Secure servers

All our servers and technology infrastructure are provided by Amazon Web Services. Only our lead developers and CTO have access to this environment. Servers are automatically updated on a weekly basis as security patches are released. Servers are all encrypted and the physical security is ensured by AWS.

DATA SECURITY

Encryption

User data and backups are encrypted at rest and in transit using 256-bit SSL/TLS 1.3 protocols. In addition, sensitive data such as passwords is hashed and can never be decrypted.

Database backups

Backups are made automatically every day and retained for 31 days. Database logging and monitoring are enabled.

File backups

Photos, videos and documents uploaded to our platform are encrypted and stored on AWS. Our storage gives files 99.999999999% durability, and we store all files within the UK region.

CYBER SECURITY

Layered access security

Administrators have limited access to student data, and only when strictly necessary. We use user-type appropriate password rules regarding password length, complexity, age, number of allowed failed logins and 2-step authentication.

Vulnerability assessments

Vulnerability assessments are performed regularly and at least annually, both manually and automatically by our developers. The platform has undergone Penetration Testing by an independent Cyber Security Consultancy.

CSP, Clickjacking and XSS

The platform uses a strong Content Security Policy (CSP) to help prevent Cross-Site Scripting (XSS), clickjacking and other attacks resulting from code injection. We recommend using a modern, up-to-date browser that supports the latest CSP specifications.

Cookies

On our platform we use ‘strictly necessary’ cookies that contain no tracking or personally identifiable information to enable the even load balancing of our servers. We only use cookies to enable users to remain logged into their account. When users sign in for the first time they agree to our terms, which explain in detail what cookies we use.

User passwords

We require all our users to have a strong password of at least 8 characters that includes a mixture of uppercase, lowercase, numbers and special characters.

Accounts lock out

Users are automatically logged out after a period of inactivity. Accounts are also disabled following 10 failed login attempts.

BUSINESS SECURITY

Lost data

If users delete their account by accident, we can restore the account as long as we are alerted within one month.

Sharing profiles

Users are able to retain control over sharing their profile with others. Shared links can be invalidated and users can configure elements of their profile to remain private. Users can also hide their profile for a period of time if desired.

Ts&Cs

Our full Terms & Conditions along with our Privacy Policy are available on our website.

Business Continuity

Our business continuity and disaster recovery plans are in place and are reviewed annually, or a simulated exercise is performed.

Accreditations

We are accredited with both Cyber Essentials and IASME Governance. We are also working towards achieving ISO27001.