To ensure compliance and transparency with our customers, we have provided answers to our most frequently asked compliance questions below. If you require additional information, please direct questions to your account manager or firstname.lastname@example.org.
- Do we hold independent certifications and independent reports e.g. ISO27001, SOC, CSA STAR, PCI DSS, Cyber Essentials etc.
Our hosting platform, on which all of our services are provided, is certified and accredited to the highest operating level: https://cloudhelix.io/accreditations
- Who is our underlying hosting provider and do they have any security certifications?
We use CloudHelix and Amazon Web Services (AWS) as our service partners. All infrastructure components are hosted within Telehouse, one of the UK’s leading data centre providers. AWS, CloudHelix and Telehouse adhere to strict compliance requirements which include:
ISO/IEC 27001:2013 (Information Security Management)
ISO 22301:2012 (Business Continuity Management)
PCI-DSS (Payment Card Industry Data Security Standard)
ISO 9001:2015 (Quality Management System)
ISO 14001:2015 (Environmental Management)
ISO 50001:2011 (Energy Management)
BS OHSAS 18001:2007 (Occupational Health and Safety Management)
Cyber Essentials Plus
- Where do we host our services?
We have various systems hosted in different geographical regions. For a detailed report on these systems, please contact email@example.com. For transparency, our core service regions are as follows:
datajar.mobi - UK
Auto-Update for Jamf - UK
Backup services - EU
Helpdesk - US (Privacy Shield)
CRM - US (Privacy Shield)
- Do we use network boundary security, monitoring and intrusion detection/prevention systems?
We use multiple firewalls to secure our cloud platform. Perimeter firewalls are enabled with IDS and IPS. All services are monitored using multiple systems in different regions. Administrative access to infrastructure is secured via unique user IDs, SSL VPN and MFA.
- What strategies and/or technical steps do we have in place to ensure high-availability?
We use the very latest in virtualisation and containerisation technology to ensure hardware failures of compute nodes do not impact our services. We also have multiple network links to our platform and services for redundancy.
- What is our SLA on platform services?
We guarantee 99.9% availability in a 30 day period for datajar.mobi services, which includes connect, compute, storage and replication software. Please note that our customer support request SLA is as follows:
Severity 1 – within 2 hours
Severity 2 – within 4 hours
Severity 3 – within 8 hours
Severity 4 – within 16 hours
All times are given in hours and refer to business hours, 9am-5pm GMT Monday to Friday (excluding bank holidays). Please also review our Fair Usage Policy on support services.
- Do we have a disaster recovery plan?
We have contractual agreements with our hosting and service partners. A snapshot copy of all data is replicated off site at a frequency that will facilitate a restore point objective defined below:
Critical platform services: 24/7/365 - Synchronous
Priority platform services: 24/7/365 - Every 30 mins
Standard platform services: 24/7/365 - Every day
- Do we have an Information Security policy/processes/procedures (e.g. InfoSec policy, AUP, Data Classification and Handling)?
Yes, we can supply our information security policy upon request to firstname.lastname@example.org.
- Do we conduct regular penetration testing?
External tests take place on all infrastructure elements hosted by CloudHelix. These tests are required in order for CloudHelix to maintain their accreditations and certifications. Any on-premise virtual appliances supplied by dataJAR are also supplied CIS-hardened.
- What datasets are transferred and/or hosted on our network?
If you have questions or queries on how we handle data, please contact email@example.com
- What data do we back up, how frequently and what security is used?
Our entire platform has snapshots taken at regular intervals, which are encrypted at rest on separate infrastructure. Additionally, databases are backed up to Amazon Web Services (Ireland) every 4 hours, with a 30 day retention period and AES-256 encryption applied at rest. All data is encrypted over public networks using SSL/TLS or VPN.
- Who is responsible for data deletion when the data is at the end of its lifecycle?
- What access controls do we use with regards to sensitive data and how do we ensure all access rights are removed when employees leave the organisation?
We use a centralised IdP with MFA on all services. We use automated provisioning and de-provisioning of users using HR-as-a-master.
- How do we prevent sensitive/confidential data leaving our organisation?
All employee managed devices are examined on a forensic level using DLP software and behavioral analysis.
- What background checks are performed on our staff?
All staff are subject to DBS Advanced and right-to-work in the UK checks.
- How do we prevent malware being introduced deliberately or accidentally into systems?
All of our employee systems run dataJAR Defend for detection and remediation of threats.
- How do we log actions performed by individuals based on User IDs?
All authentication and authorisation events are captured via our centralised IdP.
- How are platform updates tested and applied?
Service maintenance is carried out monthly or bi-monthly depending on the CVE. Maintenance windows are communicated via email to account owners, via our status page and via the Simplified Management app.