Service Compliance

To ensure compliance and transparency with our customers, we have provided answers to our most frequently asked compliance questions below. If you require additional information, please direct questions to your account manager or compliance@datajar.co.uk.

1. Do we hold independent certifications and independent reports e.g. ISO27001, SOC, CSA STAR, PCI DSS, Cyber Essentials etc.
   
   Our hosting platform where our all services are provided are certified and accredited to the highest operating level: https://cloudhelix.io/accreditations
   
   
2. Who is our underlying hosting provider and do they have any security certifications?
   
   We use CloudHelix and Amazon Web services (AWS) as as our service partners. All infrastructure components are hosted within Telehouse - one of the UK’s leading data centre providers. AWS, CloudHelix and Telehouse adhere to strict compliance requirements which include:
   
   ISO/IEC 27001:2013 (Information Security Management)
   ISO 22301:2012 (Business Continuity Management)
   PCI-DSS (Payment Card Industry Data Security Standard)
   ISO 9001:2015 (Quality Management System)
   ISO 14001:2015 (Environmental Management)
   ISO 50001:2011 (Energy Management)
   BS OHSAS 18001:2007 (Occupational Health and Safety Management)
   CSA Star
   Cyber Essentials Plus
   
   Further information:
   CloudHelix: https://cloudhelix.io/accreditations
   AWS: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
   Telehouse: https://www.telehouse.net/certificates/
   
   
3. Where do we host our services?
   
   We have various systems hosted in different geographical regions. For a detailed report on these systems, please contact compliance@datajar.co.uk. For transparency, our core service regions are as follows:
   
   datajar.mobi - UK
   Auto-Update for Jamf - UK
   Backup services - EU
   Helpdesk - US (Privacy Shield)
   CRM - US (Privacy Shield)
   
   
4. With regards to GDPR, are we a controller or processor?
   
   We are a processor and our Standard Contractual Clauses (SCC) provide further details on GDPR.
   
   

5. Do our services involve moving data between countries or accessing it from a different country in a way that might be regulated by data protection laws?
   
   All overseas suppliers are covered by the ICO's Standard Contractual Clauses (SCC).
   
   

6. Do we use network boundary security, monitoring and intrusion detection/prevention systems?
   
   We use multiple firewalls to secure our cloud platform. Perimeter firewalls are enabled with IDS and IPS. All services are monitored using multiple systems in different regions. Administrative access to infrastructure is secured via unique user IDs, SSL VPN and MFA.
   
   
7. What strategies and/or technical steps do we have in place to ensure high-availability?
   
   We use the very latest in virtualisation and containerisation technology to ensure hardware failures of compute nodes do not impact our services. We also have multiple network links to our platform and services for redundancy.
   
   
8. What is our SLA on platform services?
   
   We guarantee 99.9% availability in a 30 day period for datajar.mobi services, which includes connect, compute, storage and replication software. Please note that our customer support request SLA is as follows:
   
   Severity 1 – within 2 hours
   Severity 2 – within 4 hours
   Severity 3 – within 8 hours
   Severity 4 – within 16 hours
   
   All times given in hours and refer to hours and during 9am-5pm GMT Monday to Friday (excluding bank holidays). Please also review our Fair Usage Policy on support services. 
   
   
9. Do we have a disaster recovery plan?
   
   We have contractual agreements with our hosting and service partners. A snapshot copy of all data is replicated off site at a frequency that will facilitate a restore point objective defined below:
   
   Critical platform services: 24/7/365 - Synchronous
   Priority platform services: 24/7/365 - Every 30 mins
   Standard platform services: 24/7/365 - Every day
   
   
10. Do we have an Information Security policy/processes/procedures (e.g. InfoSec policy, AUP, Data Classification and Handling)?
    
    Yes, we can supply our information policy upon request to compliance@datajar.co.uk
    
    
11. Do we conduct regular penetration testing?
    
    External tests take place on all infrastructure elements hosted by CloudHelix. These tests are required in order for CloudHelix to maintain their accreditations and certifications. Any on-premise virtual appliances supplied by dataJAR are also supplied CIS hardened.
    
    

12. Is our production environment separated from our corporate environment?
    
    We use containerisation to keep data and systems separate. We use strict access controls to our cloud environment which are governed by our IdP, and SSL VPN with MFA and SSH keys. We have an internal Change Advisory Board for configuration changes. Platform changes are managed via a contract with our upstream provider, CloudHelix.
    
    

13. What datasets are transferred and/or hosted on our network?
    
    In general, all datasets are listed within our Privacy Policy. Some services, such as Auto-Update for Jamf use fewer data sets where little or no data is held. 
    
    If you have questions or queries on how we handle data, please contact compliance@datajar.co.uk
    
    
14. What data do we back up, how frequently and what security is used?
    
    Our entire platform has snapshots taken at regular inivals and are encrypted at rest on separate infrastructure. Additionally, databases are backed up to Amazon Web Services (Ireland) every 4 hours, with a 30 day rentention and AES-256 encryption applied at rest. All data is encrypted over public networks using SSL/TLS or VPN.
    
    
15. Who is responsible for data deletion when the data is at the end of its lifecycle?
    
    We use automated lifecycle policies on our storage buckets to purge data that is in line with our Privacy Policy.
    
    
16. What access controls do we use with regards to sensitive data and how do we ensure all access rights are removed when employees leave the organisation?
    
    We use a centralised IdP with MFA on all services. We use automated provisioning and de-provisioning of users using HR-as-a-master.
    
    
17. How do we prevent sensitive/confidential data leaving our organisation?
    
    All employee managed devices are examined on a forensic level using DLP software and behavioral analysis.
    
    

18. How do you manage encryption keys, passwords and secrets?
    
    Our device encryption keys are escrowed and stored in AES-265 encryption. All passwords are stored in AES-256 encryption. Authorised personnel with access to these passwords logged and audited.
    

19. Is data we provide to your service protected in transit and at rest?
    
    All data transferred throughout public networks is encrypted with TLS/SSL. Security passwords are stored in AES-256 encryption. Data backups are encrypted with AES-256 encryption.
    

20. What background checks are performed on our staff?
    
    All staff are subject to DBS and right-to-work in the UK checks.
    
    
21. How do we prevent malware being introduced deliberately or accidentally into systems?
    
    All of our employee systems run dataJAR Defend for detection and remediation of threats.
    
    
22. How do we log actions performed by individuals based on User IDs.
    
    All authentication and authorisation events are captured via our centralised IdP.
    
    
23. How are platform updates tested and applied?
    
    Service mainenance is carried out monthly or by-monthly depending on the CVE. Maintenance windows are communicated via email to account owners, via our status page and the Simplified Management app.
    

24. Are our customers able to audit the way we handle your data?
    
    We endeavour to work with our clients wherever possible to enable them to be confident in our information security. Requests can be submitted to compliance@datajar.co.uk are subject to review.
    

25. Do we have a formalised Software Development Lifecycle?
    
    We use GitHub to structure our software development and change cycle. This delivers version control with regards to any code that is generated by our developers. We maintain access security (via MFA) on key repositories to ensure that commits have first been tested then verified by senior members of our development team. We recognise the OWASP Top 10 and protect against vulnerabilities.
    
    

26. Do we have an established process to ensure that software dependencies are free of security issues?
    
    Our developers use Dependabot to check dependancies within our software for security issues.