Any responsible software provider takes every reasonable precaution to safeguard your data, treating it as if it were their own. Data security cannot be an afterthought, and we take our responsibilities in this area very seriously: your trust, your business and ultimately our own business all depend on it.
Curo Software Limited is registered with the UK Information Commissioner's Office (registration number ZA234264) and conforms to the legal obligations set out in the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003 and now the GDPR. This legislation governs everything relating to the physical storage and security of your data, as well as how that data is used.
We consider the following areas:
- Encryption
- Data protection by design
- Server infrastructure
- Vulnerability scanning
Encryption
We consider encryption of all data both in transit and at rest: preventing attackers from intercepting and reading data while it is being sent over the Internet, and preventing anyone from reading it while it is stored in the database.
The server has a TLS certificate (still widely referred to as an SSL certificate) installed, which is what produces the padlock in the browser address bar. This means that all data transmitted between your browser and our servers is encrypted on the wire while it is in transit over the Internet. The padlock confirms only that the connection is encrypted and that the certificate matches our domain; it says nothing about how the data is handled once it arrives, which the points below address.
Once data reaches our platform, all transfers between the various servers that make up the platform are also encrypted using TLS, so data is not exposed in the clear on internal network links either.
User passwords, which must be provided when logging into our system, are not stored at all, even in encrypted form: they are passed through a one-way (hashing) algorithm and only the result is kept. That result cannot be reversed to recover the password, even by ourselves; at login the supplied password is hashed again and the two results are compared.
Sensitive data such as bank account details is stored in the database in encrypted form, so that without the decryption key and the matching decryption software these details cannot be read by anyone who manages to get deep enough into our systems to query the database directly. Encryption of this kind is only as strong as the separation between the key and the database it protects, which is why the key is not something the database itself holds.
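Hashing a password and encrypting a stored field are different operations, and the distinction matters when reading the two paragraphs above: a hash has no key and can never be reversed, while an encrypted field must be reversible and so its safety rests entirely on where the key lives. The following is an added example, not Curo's code and not a description of how the Affinity platform is built, showing both side by side in Ruby using only the standard openssl library. The PBKDF2 work factor, the stored-record format, the per-row context string and the random key standing in for one fetched from a key-management service are assumptions made for the example; the bank details are constructed sample data.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Passwords: stored as a salted, slow one-way hash (PBKDF2-HMAC-SHA256 here),
# never as ciphertext. There is no key anywhere that could reverse this.
PBKDF2_ITERATIONS = 600_000 # assumed work factor (OWASP guidance for PBKDF2-HMAC-SHA256)

def constant_time_equal?(a, b)
  # Compare every byte regardless of where the first mismatch is, so timing
  # does not leak how much of the hash a guess matched.
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(16) # per-user salt defeats precomputed tables
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: 32, hash: "sha256")
  # Self-describing record (format assumed for this example): the algorithm and
  # work factor travel with the hash, so the cost can be raised for new records.
  ["pbkdf2-sha256", iterations, Base64.strict_encode64(salt),
   Base64.strict_encode64(digest)].join("$")
end

def verify_password(stored, candidate)
  algo, iterations, salt_b64, digest_b64 = stored.split("$")
  return false unless algo == "pbkdf2-sha256"
  salt = Base64.strict_decode64(salt_b64)
  expected = Base64.strict_decode64(digest_b64)
  actual = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  constant_time_equal?(expected, actual)
end

# Sensitive fields such as bank details: these must be readable again, so they
# are encrypted with a key held outside the database (a KMS, HSM or secrets
# store; assumed here and represented by a random key). AES-256-GCM
# authenticates as well as encrypts, so a modified blob is rejected, not decrypted.
IV_BYTES  = 12
TAG_BYTES = 16

def encrypt_field(key, plaintext, context)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = SecureRandom.random_bytes(IV_BYTES) # fresh per encryption; IV reuse breaks GCM
  cipher.iv = iv
  cipher.auth_data = context # e.g. "account:42:bank_details": binds the blob to its row
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + ciphertext + cipher.auth_tag)
end

def decrypt_field(key, blob, context)
  raw = Base64.strict_decode64(blob)
  return nil if raw.bytesize < IV_BYTES + TAG_BYTES + 1
  iv         = raw[0, IV_BYTES]
  tag        = raw[raw.bytesize - TAG_BYTES, TAG_BYTES]
  ciphertext = raw[IV_BYTES, raw.bytesize - IV_BYTES - TAG_BYTES]
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = context
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil # wrong key, wrong context or altered ciphertext: refuse rather than return garbage
end

if $PROGRAM_NAME == __FILE__
  record = hash_password("correct horse battery staple")
  puts "stored password record:    #{record}"
  puts "login with right password: #{verify_password(record, 'correct horse battery staple')}"
  puts "login with wrong password: #{verify_password(record, 'Tr0ub4dor&3')}"

  field_key = SecureRandom.random_bytes(32) # stands in for a key fetched from a KMS
  details = "sort code 12-34-56, account 12345678" # constructed sample data
  blob = encrypt_field(field_key, details, "account:42:bank_details")
  puts "what the database holds:   #{blob}"
  puts "read back with the key:    #{decrypt_field(field_key, blob, 'account:42:bank_details').inspect}"
  puts "blob copied to another row: #{decrypt_field(field_key, blob, 'account:99:bank_details').inspect}"
end
```

Run it with `ruby` on any interpreter whose openssl gem exposes `OpenSSL::KDF`. Two design points carry over to any real system: the password record stores its own work factor so it can be raised as hardware gets faster, and the field ciphertext is bound to a context string so an attacker with write access to the database cannot move one customer's encrypted details onto another customer's row and have the application decrypt them.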
Data protection by design
A key requirement of the GDPR (Article 25, data protection by design and by default) is that data security is considered from the outset, at the design stage, rather than bolted on afterwards, so that protection is built in throughout the application.
Our platform is based on a dedicated application server hosted by Big Wet Fish Hosting in a secure data-centre facility.
On top of that sits our own application code, which powers the logic of the system. We apply the encryption described above, and restrict access to data and functionality according to user roles, which admin users can configure within the system.
We also consider the attack techniques commonly used by individuals seeking unauthorised access to servers, and conduct vulnerability scanning to validate our countermeasures against these types of intrusion.
Server infrastructure
The Affinity servers are located within the Hetzner facility in Falkenstein, Germany, which is an ISO 27001 certified data centre.
Vulnerability scanning
We conduct regular vulnerability scanning as part of our development workflow, and we also engage a well-regarded cybersecurity company to perform penetration testing on the live system to find any weak points that could be exploited.
With the more stringent standards now demanded by the GDPR, this is an area to which we plan to devote increased resources in the near future, to bolster our confidence in the security of our system and, in turn, your confidence in it.