IT Due Diligence and Data Security
This document will cover the IT Due Diligence within ScheduleLeave and where ScheduleLeave is hosted.
We configure the SaaS Solution in accordance with the following specification:
- OS: Ubuntu (Latest)
- Hosting Provider: DigitalOcean (See hosting environment below)
- Scripting languages and frameworks: PHP (Latest 7.4.X), Lumen (Latest 7.X) and VueJS (Latest 2.6.X)
- Database Server: MariaDB 10.X
- Browsers Requirements: Modern Web Browsers (Recommended IE 11.0+, Chrome & Firefox)
All access to ScheduleLeave is protected by Transport Secure Socket Layer Security (TLS1) providing both server authentication and SHA2 RSA 256-bit data encryption. This ensures that your data is safe and available only to registered users in your organisation, with relevant permissions. ScheduleLeave provides each user with a unique username and password that must be entered each time a user logs on.
ISO/IEC 27001:2013 Certification
DigitalOcean is certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third-party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework, but is necessary baseline for security. Our ISO/IEC 27001:2013 certificate can be viewed here.
EU-U.S. and Swiss-U.S. Privacy Shield Certification
Hosting Data Security (DigitalOcean)
ScheduleLeave servers are hosted behind sophisticated firewalls, with a protected perimeter. DigitalOcean carry out penetration testing on a regular basis and have had formal penetration testing commissioned, on several occasions, by third parties. In addition to this, ScheduleLeave ensure the following:
- Un-validated input - We validate and check data submitted via forms or web requests.
- Broken Access Control - For each page we check that the user is allowed to access the page, including the admin area
- Broken Authentication and Session Management - All sessions are encrypted and validated against a local database of valid sessions
- Cross Site Scripting (XSS) Flaws - All data entry is validated for standard XSS attacks
- Injection Flaws - All data entry is checked against such attacks
- Improper Error Handling - The site has been set to not display any system information when an error occurs
- Insecure Storage - All passwords are encrypted within the local database
Payment Details are not Stored on ScheduleLeave
All ScheduleLeave servers are backed up nightly and backups are retained for two weeks. A copy of data is taken of the data every 3 hours and stored for two weeks.
As part of hosting on DigitalOcean, all ScheduleLeave servers have monitoring in place to warn and alert in the event of any issues with the servers used as part of hosting the application. Because of this, any actions, if required can take place as soon as possible.