Do you carry out penetration tests? What are the results?
We have regularly scheduled tests that we conduct to ensure security across our systems.
IRIS Connect uses Probely as its third-party automated penetration testing solution. Probely is a security testing platform that automates vulnerability detection for web applications and APIs. It integrates into development workflows, ensuring continuous security without disrupting operations, and supports compliance with major standards like PCI-DSS and GDPR.
It is our policy not to release the results of these tests as they may contain sensitive information that is confidential and therefore treated on a "need-to-know" basis.
Requests to access the results of our tests are reviewed on a case-by-case basis.
Critical and high vulnerabilities are addressed in the next sprint (7 days). Medium and low vulnerabilities are triaged according to the reviewed threat.
See these related articles on our vulnerability disclosure process and the service level agreement.
"Please provide evidence of auditing and testing carried out in the last year, and on-site inspections carried out by independent third parties
“Please demonstrate compatibility with current good industry operational practices (as, for example, described in the NCSC’s ‘Implementing the Cloud Security Principles’, the UK Government’s ‘Cyber Essentials’ scheme)”
We have been audited by several independent data security organisations:
- Third-party audit by Risk X - gap analysis on GDPR, ISO 27001 (2017)
- Completed DfE’s Cloud Service Providers Self Certification (2017)
- Indelible Data - Cyber Essentials and Cyber Essentials Plus (April 2022)
- Experis (https://experis.co.il/cyber) - On behalf of the Israeli Government, conducted penetration and vulnerability tests alongside a thorough data and security systems review, which now enables us to work with the Israeli Government. (2019)
It is not our policy to routinely release the results of our audits. Requests to access the results of our audits are reviewed on a case-by-case basis.
Further information on our data security policies can be found here
Are there controls (such as Data Leakage Prevention) in place that monitor the appropriateness of data leaving the network?
We have strict controls in place to ensure customer data cannot be exported by staff.
Is any of our data stored or replicated for Business Continuity or Disaster Recovery purposes?
Do you have a stated Recovery point objective (RPO)?
Do you have a stated Recovery Time objective (RTO)?
The following mitigations are in place:
- The system is modular; elements can fail without interruption to other services
- If instances of our front-end application become unhealthy, they are automatically replaced
- Applications are stored as redeployable images
- Images have redundancy
- Software revisions are stored using version control allowing for rebuilding of images
- Snapshots of customer data are taken hourly
- Backups are stored on multiple devices across 3 availability zones
- Any lost redundancy is automatically detected, repaired and verified using checksums
- System recovery is tested at least annually
- Systems are monitored with multiple tools, configured to notify of any issues.
RTO levels:
- Small: Automatically repaired (no downtime)
- Med: A service has failed and needs to be relaunched (max 1 hour)
- High: System needs to be restored from backups (max 1 day)
- Our system is cloud-based; an incident at our primary location will not affect service delivery.
For further information see:
Does the system allow for audit trails/logging and monitoring, so we can see who has uploaded what, who it was shared with, viewed by and then deleted by, etc.?
Organisation admins can see each reflection created, by whom, and when. Depending on your privacy settings you can see a preview of the videos or have full access to the reflection. You can also access a comprehensive log of which users have accessed the reflection and when. Further information on safeguarding tools can be found here.
Where is this stored, for how long, for what purpose?
The platform stores user activity logs for facilitating system development, providing customers with usage data and managing platform and data security. Logged data is stored on Amazon AWS. It does include PII (IP address, email address, name), but this is sanitised for ex-clients. Further details of this can be found in our privacy notice.
Is the service compatible with modern browsers, and does it use HTML5 and TLS 1.2 for the delivery of web pages?
Yes. IRIS Connect recommends Chrome or Edge.
IRIS Connect uses HTML5 and TLS 1.2.
For UK customers, where is their data stored?
We are a UK-based processor using an EU-based sub-processor.
Currently, we store our customers' data in Dublin, Ireland using Amazon AWS infrastructure.
Based on the information from the ICO:
On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards.
We have made every preparation to be able to move our data to within the UK in the event of any unexpected complications. However, our current advice is that this is unnecessary, as is demonstrated in a statement from the company that provides our data hosting: https://aws.amazon.com/compliance/gdpr-center/brexit/
If this advice from the UK Government were to change, we would meet any new requirements. We are monitoring this situation and already have a number of measures in place.
How is our data logically separated/segregated from other organisations’ data?
Our system is built with privacy by design principles at its core. As such, access to data is strictly controlled by both the user interfaces to our system and the data model on which it is built. Each user owns all media and data associated with them, and the user belongs to an organisation. This means that all data is logically separated in the database.
Have you experienced any cybersecurity incidents in the past? If so how often, what was the severity of those incidents and the quality of the response?
We have had no breaches.
We have a Data Breach and Notification Response procedure which can be found here alongside an incident register that is kept up to date. The disaster recovery process is regularly updated and tested.
Do you have an emergency response process for dealing with serious security incidents and attacks?
We have a Response Unit comprising senior and chief engineers, the Director of Technology and the Head of Operations, who form the dedicated resource for dealing with any serious incidents. Further information can be found in the Disaster Recovery Plan.
Do you have agreed procedures in place with your third party suppliers with regard to reporting data security breaches within an agreed timeframe?
Amazon has a security incident monitoring and data breach notification process in place and will support and inform customers and APN Partners of any confirmed breach of AWS systems.
Are there sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents?
All data is stored on Amazon AWS servers, which have world-class protections, both digital and physical.
Within IRIS Connect, our staff are regularly GDPR trained and informed how to identify and report any data or service incidents. We exercise access control restrictions to ensure that only the staff who are specifically trained, and who need it, have access to customer data.
You can find more information about our security measures and controls here
What are your human resources practices, particularly background screening employees, cybersecurity training, and the handling of terminations?
For those who have access to data, we ensure screening is carried out through BPSS Security Clearance checks.
Training is provided per department in line with each team's specific needs.
Terminations are managed through our policies specified in our Security Procedures for the IT Department to ensure account access is effectively managed and restricted.
What access controls are in place that restrict access to information and uniquely identify users such that access attempts can be monitored and reviewed?
Access controls and logging are in place to ensure high levels of data security are met, so that only those members of staff who need access to do their jobs have access to the data.
What is your change control management for the deployment of software updates and maintenance?
See the Service Level Agreement (SLA), Maintenance and Software Updates article.
What backups/procedures are in place to recover data?
See the Security Measures and Controls article.