IT Due Diligence and Data Security

Introduction

This document will cover the IT Due Diligence within ScheduleLeave and where ScheduleLeave is hosted.

Architecture

We configure the SaaS Solution in accordance with the following specification:

  • OS: Ubuntu (Latest)
  • Hosting Provider: DigitalOcean (See hosting environment below)
  • Scripting languages and frameworks: PHP (Latest 8.0.X), Lumen (Latest 8.X) and VueJS (Latest 2.7.X)
  • Database Server: MariaDB 10.X
  • Browser Requirements: Modern Web Browsers (Recommended Edge, Chrome & Firefox)

Encryption

All access to ScheduleLeave is protected by Transport Secure Socket Layer Security (TLS1) providing both server authentication and SHA2 RSA 256-bit data encryption. This ensures that your data is safe and available only to registered users in your organisation, with relevant permissions. ScheduleLeave provides each user with a unique username and password that must be entered each time a user logs on.

Hosting Environment

ISO/IEC 27001:2013 Certification

DigitalOcean is certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework, but it is a necessary baseline for security. Our ISO/IEC 27001:2013 certificate can be viewed here.

EU-U.S. and Swiss-U.S. Privacy Shield Certification

DigitalOcean are an active participant in and comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce and the European Commission. The framework provides DigitalOcean with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
You can find more information about DigitalOcean's commitment to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks in their Privacy Policy. DigitalOcean's active participation and certification in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks can be viewed on their website located here.

Hosting Location

All data with the exception of profile images is hosted within a London (UK) data centre. Profile pictures are hosted from Amsterdam (Netherlands).

Hosting Data Security (DigitalOcean)

For specifics about the hosting provider in terms of access and security please view their site here.

Application Security

ScheduleLeave servers are hosted behind sophisticated firewalls, with a protected perimeter. DigitalOcean carry out penetration testing on a regular basis and have had formal penetration testing commissioned, on several occasions, by third parties. In addition to this, ScheduleLeave ensure the following:

  • Un-validated input - We validate and check data submitted via forms or web requests.
  • Broken Access Control - For each page we check that the user is allowed to access the page, including the admin area
  • Broken Authentication and Session Management - All sessions are encrypted and validated against a local database of valid sessions
  • Cross Site Scripting (XSS) Flaws - All data entry is validated for standard XSS attacks
  • Injection Flaws - All data entry is checked against such attacks
  • Improper Error Handling - The site has been set to not display any system information when an error occurs
  • Insecure Storage - All passwords are encrypted within the local database

Payment Details are not Stored on ScheduleLeave

All of the payments made for ScheduleLeave are processed through Stripe. Stripe are a PCI Service Provider Level 1 organisation, which is the most stringent certification level available in the payment industry.
Because ScheduleLeave uses Stripe, we don't need to store any payment card details: they are sent encrypted directly to Stripe, and we don't store them anywhere. For more information about Stripe security please refer to their security page here.

Data Backup

All ScheduleLeave servers are backed up nightly and backups are retained for two weeks. A copy of the data is taken every 3 hours and stored for two weeks.

Monitoring

As part of hosting on DigitalOcean, all ScheduleLeave servers have monitoring in place to warn and alert in the event of any issues with the servers used to host the application. Because of this, any required actions can take place as soon as possible.

Privacy Policy

See our Privacy Policy.
