Security Policy

Version 1, 18th January 2023

  1. Measures of pseudonymisation and encryption of personal data

    Encryption at Rest

    Encryption at rest is present on all virtual machines operated by Wazoku. This consists of an AES-256 encrypted LUKS filesystem device which contains all sensitive or potentially sensitive data, including customer data, our source code, log data (that could be used to track users) and configuration files that could contain access secrets. Key management of the filesystem is handled by Azure’s FIPS 140-2 Level 2-validated KeyVault service.

    Encryption in Transit

    All traffic into every Wazoku Environment is encrypted using TLS. We specifically block the less secure SSL3 protocol and operate a modern set of cipher suites. We regularly review the cipher suites and protocols that are in use and always aim to have an A+ rating on the SSL Labs security test.
  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    Protection of Personal Information is accounted for and incorporated into the design by the following:

    • When designing the UI, considerations are made regarding personal information, e.g. login error messages should be designed carefully so as not to reveal data. The platform supports various authorisation roles and design choices should reflect the visibility of the content based on the user role.
    • Development Team members are trained regarding Top 10 OWASP security vulnerabilities and those standards are considered when designing data models and applications views.
    • Encryption protocols will be used for Personal Information such as the below:
      • Our platform can be accessed only over TLS/HTTPS which protects and encrypts any data being transferred from a user
      • All confidential and sensitive data such as passwords are encrypted and stored using the default password hasher algorithms provided by Django, which is part of our technology stack.
  3. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

    We have a comprehensive security testing process including:

    • An annual third-party penetration test of the application, infrastructure, mobile app and Open API. In the event a significant change is made to any of the above, we may conduct additional third-party penetration tests on all or some of the elements as required.
    • Weekly internal security reports containing infrastructure security scans, software upgrades and security fixes.
    • With each software release, all code is peer reviewed, including security assessments. In addition, during the acceptance testing phase we conduct additional testing to confirm all access control and permission rules are properly enforced.

    External Penetration Testing

    We conduct an independent third-party Penetration Test against our (1) infrastructure, (2) web application, (3) native Idea App and (4) Open API at least annually. Based on the results of this test we make appropriate adjustments. Results of the annual pen test are available on request.

    If a Customer wishes to run their own penetration test, the Customer must email this request to at least 7 days before running the test. The Information Security team will then give written consent to perform the penetration test.

    Alongside the penetration tests discussed above, we also run a Bug Bounty program. This allows individuals to receive compensation for reporting security exploits and vulnerabilities to us.

  4. Measures for user identification and authorisation

    Wazoku requires each user on the platform to have their own, unique account. We recommend using one of our supported Single Sign On (SSO) implementations as this provides the best balance of ease of use and security.

    The supported authentication options, which can be used in a hybrid manner, include:

    • SAML2 compliant SSO service
    • Username and password
    • Identity federation with existing providers (i.e. Microsoft 365, Google, Twitter, LinkedIn, Facebook)
  5. Measures for the protection of data during transmission

    We use standard TLS 1.2+ encryption for all data ingressing and egressing our datacentres.

  6. Measures for ensuring physical security of locations at which personal data are processed

    • Using appropriate methods, all the organisation’s operating facilities must be secured at all times to prevent unauthorised access.
    • All operating facilities must be protected by an intruder alarm system that is remotely monitored by Building Security.
    • All external windows and doors must be kept shut and locked at all times unless authorised by the Building security.
  7. Measures for ensuring events logging

    We store all web server and application logs as well as access, update and syslogs from all our servers across environments. These are aggregated by our Logstash service and presented in searchable form through Kibana. This gives us a high-level interface through which we can query all log data with drill-down capability. These services also allow us to create automated dashboards using log data to view trends in usage and proactively deal with any issues.

    We maintain a searchable record of system logs for a minimum of 12 months.

  8. Measures for ensuring system configuration, including default configuration

    • Configuration-as-code (GitHub-based git repository) is used to persist system configuration changes.
    • Code is peer-reviewed and linting checks run to ensure code consistency and quality. Hardened OS images are used as the default configuration on all infrastructure VMs.
  9. Measures for internal IT and IT security governance and management

    • Protect personal and company devices with strict password requirements, AV software, security updates forced within 14 days, company accounts logged into via SSO or password security manager
    • New hires and all staff are issued with company devices with disk encryption, password management tool, installation of DNS filtration and AV software
    • Keeping emails safe – with Darktrace to remove suspicious links and emails
    • Password and key management policies in place where no repeat passwords are allowed and passwords are securely stored in a password manager
    • New hire & bi-annual security training for all contractors and employees with 100% pass requirements
    • Monthly phishing and security simulations for all employees and contractors and upon failure employees must complete additional security training courses
    • Security Taskforce in place for notification of a data breach or suspicious activity, monthly meetings to review risk register and create corrective action and regular review of security policies and procedures
  10. Measures for certification/assurance of processes and products

    • ISO27001 Certified
    • Cyber Essentials Plus Certified
  11. Measures for ensuring data minimisation

    Well formulated feature proposals (where data capture and audit requirements are specified and discussed) also bolster data quality.

  12. Measures for ensuring data quality

    Database schema integrity and application input validation & sanitisation can guarantee a certain degree of data quality. Well formulated feature proposals (when data capture and audit requirements are specified) also bolster data quality. Peer reviews of code changes (both application changes and infrastructure-as-code changes) can identify holes in security or other data quality issues.

  13. Measures for ensuring limited data retention

    Data, Documents and Backups are stored on encrypted file systems located in the same geographic region. All customer information is retained for the duration of their contract and purged on termination. Upon contract termination customer data can be requested within 30 days of cancellation and will then be removed from the Wazoku servers, unless otherwise required by law. Database backups are held for one year.

    Access to customers’ data is primarily provided through the web application; however, there are other avenues such as the mobile applications and the Public API.

  14. Measures for ensuring accountability

    Application audit logs are stored within the database to provide in-app data-accountability. System logs record system administration access, application access and system process audit trails. These logs are sent to an aggregator service (ELK) for indexing and searching. A Jenkins server is used by staff to perform actions / run scripts against our infrastructure and it records audit information around who performed these jobs.

  15. Measures for allowing data portability and ensuring erasure

    User data, such as name, will continue to be stored and displayed against any user generated content (i.e. idea, comment, evaluation) that a user entered while they were active in the platform to guarantee continuity of information in the system. When deactivating a user, System Admins can elect to hide name detail from non-Admin users.

    If a deactivated user requests that their personal data be removed, their identifying information will be removed (i.e. name) but the other content (i.e. idea, comment, evaluation) will be retained to guarantee continuity of information in the system.

  16. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

    Within AWS, data is encrypted on our systems before being sent to the sub-processor for storage.

    Within Azure, Encryption at Rest prevents the sub-processor from gaining access to the underlying application data.