Our Security Measures
We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers' data. We are constantly improving our security controls and analysing their effectiveness to give you confidence in our solution. We are a Cyber Essentials accredited business.
Here we provide an overview of some of the security controls in place to protect your data.
Data Center Physical Security
Facilities
We use IONOS for data center hosting. IONOS data centers are certified as ISO 27001 compliant by the Technical Inspection Association (TÜV).
IONOS employs robust controls to protect the availability and security of their systems. These include backup power, fire detection and suppression equipment, and secure device destruction, among others.
On-Site Security
IONOS implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology and more.
Network Security
Threat Detection
Our Platform leverages threat detection services within IONOS to continuously monitor for malicious and unauthorised activity.
Vulnerability Scanning
We perform regular internal vulnerability scans of our infrastructure. Where issues are identified, they are tracked until remediated.
DDoS Mitigation
The Platform layers a number of DDoS protection strategies and tools to mitigate DDoS threats. We utilise IONOS's DDoS protection to safeguard our site from incoming attacks, together with application-specific mitigation techniques.
Access Control
Access is limited to the least privilege required for our staff to carry out their jobs. This is subject to frequent internal audit, technical enforcement and monitoring to ensure compliance. MFA is required for all production systems.
Encryption
In Transit
Communication with the Security Awareness Platform is encrypted with TLS 1.2 or higher over public networks. We monitor community testing and research in this area and continue to adopt best practices in cipher selection and TLS configuration.
At Rest
Platform data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.
Credentials Encryption
Credentials for the production database are regularly rotated to restrict access.
Availability and Continuity
Uptime
The Security Awareness Platform is deployed on public cloud infrastructure. Thanks to multiple redundant connections to major Internet hubs, IONOS can offer close to 100% availability. Our services are deployed across multiple availability zones for resilience and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are incorporated into our release and testing cycle.
Disaster Recovery
Our services are deployed in parallel at two separate data centres. In the event of a problem at one data centre, the system automatically switches to the second, ensuring our site remains available.
Database Recovery
Our database has point-in-time recovery for up to four days and is backed up manually every day, with a maximum of 30 backups retained.
UPS Power Supply
IONOS data centres maintain an uninterruptible power supply (UPS) backed by emergency diesel generators and VRLA batteries.
Application Security
Quality Assurance
Our Quality Assurance team reviews and tests code on a per-pod basis. The security team has resources to investigate and recommend remediation of security vulnerabilities within code.
Environment Segregation
Testing, staging and production environments are logically separated from one another. No customer data is used in any development or test environment.
Application Scanning
Site Scan from SiteLock is used to protect our site from hackers, malware, and unauthorised access.
Endpoint Security
Anti-Virus
We implement endpoint antivirus and run daily scans on our machines.
Password Policy
We maintain a strict password policy on all servers, personal computers and laptops. All passwords must be at least seven characters long and include one capital letter and one number.
Spam Checks
All incoming emails are filtered for spam and quarantined for checking before they are delivered onto the network.
Remote Working
We operate a 100% remote working international team. Our remote working policy prohibits staff from working on personal computers unless prior agreement has been given.
Personnel Security
Security Awareness
Our company delivers a robust Security Awareness Training programme, which new hires complete within 30 days of joining and which continues for all employees. In addition, we roll out quarterly focused training to key departments covering Secure Coding, Data Legislation and Compliance obligations.
Information Security Program
We have a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors, and acknowledgement is tracked for key policies such as Acceptable Use, the Information Security Policy and our Employee Handbook.
Employee Background Checks
All our employees undergo a background check prior to employment, which covers 5 years of criminal history, where legal, and 5 years of employment verification.
Confidentiality Agreements
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Access Controls
Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires multi-factor authentication. Access is further restricted by system permissions using a least privilege methodology, and all permissions require a documented business need. Exceptions identified during the verification process are remediated. Business need revalidation is performed on a quarterly basis to confirm that access is commensurate with the user's job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.
Data Privacy
Here is some key information on how we securely store your data.
What we're storing
We store only necessary information, as collected by you. We never store any of your users' credentials entered during a phishing simulation. By design, our phishing simulation landing pages have no functionality to capture the data entered on them, so whatever data users enter is not tracked or stored in any way. The landing page will only ever record that the user failed the data entry portion of the test.
How we're storing it
We encrypt your data both at rest and in transit, and our site and storage processes are designed for security.
Who can access it
We have extensive internal access controls and regulations for our Team, who only have access to data under limited conditions. You are able to restrict admin access to sensitive materials.
Our core standards
Our core compliance with the act means that:
- We know where all of your data is held and, where it is held outside the EU, we ensure appropriate compliance is in place.
- We ensure that only those who require access to your data can access it, and we maintain the highest level of protection against unauthorised access.
- We ensure you have the right to view, amend, export or delete any information that we hold on your behalf, including anything held by third-party services.
- We obtain consent during the sign-up process from everyone who uses our Platform and allow you to withdraw it at any time.
Privacy Policy
Our privacy policy, which describes how we handle data input into the Security Awareness Platform, can be found on our Privacy Policy page. For privacy questions or concerns, please contact info@goldphish.com.
Third Party Security
Vendor Management
We understand the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security meets a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking relevant changes into account.