www.staffcircle.com

SecurityPolicy

Revision1.2b

2018

• HostedinUKbasedMicrosoftdatacentres(UKSouthandUKWest)• DatacentrescomplianttoISO27001,ISO9001,HIPAA, FedRAMP, SOC 1 and SOC 2 • Europeandatacentrelocationsalsoavailable• Jurisdictionrestrictedprocessing• Highlysecurecloud-basedSaaSoffering

• Multi-layertenantdatasegregation• Eachtenantrunsonseparatedomain• Customermaintainscontrolovertheirtenant

• Role-basedpermissionsviaAdminDashboard• OptionalIntegrationwithyourexistingIdentityManagement–example:ActiveDirectory• SAML2.0interfacetoSingleSign-On&ActiveDirectory• AccessControlReportingbuiltintoplatform

• MobileandWebappdataencryption• UsesAES256andTLS1.2encryption• Dataisencryptedinrestandintransit• VPNonlyaccesstoproductionsystems• RegularThird-PartyPenetrationtestshelppreventvulnerabilities

• UKDataProtectionAct• GeneralDataProtectionRegulation(GDPR)• DataProtectionAgreementwithcustomers• InhouseDataProtectionOfficer

• Highlyavailableclusteredplatformwithplanet-widescalingability.• Contractuallybinding99.9%availabilitywithservicecredits.• Ourplatformavailabilityismonitoredbyathirdpartyfromoutsideournetwork.

AZURECLOUDPLATFORM

MULTI-TENANCY

CUSTOMERCONTROLSACCESS

FULLENCRYPTION&SECURITY

REGULATORYCOMPLIANCE

HIGHAVAILABILITYANDSCALABILITY

• IntrusiondetectionandpreventionprocessesareperformedbyourhostingprovidersMicrosoftAzuretoensurethemaximumsecurityoftheStaffCircleplatform.DistributedDenialofservice(DDoS)ismitigatedbyourhostingproviderMicrosoftAzuretoensurethemaximumuptimeoftheStaffCircleplatform.

• LogicalaccesstotheStaffCircleproductionsystemsarerestrictedtoourcoreoperationsteamandwelogandmonitoraccesstothesystemsonaregularbasis.OursystemsareprotectedbyvariouslayersofsecurityincludingVPNaccessgatewaysandauthorisedpersonnelaregrantedaccessonlyusing2-factorauthentication.

• PhysicalaccesstoourplatformsacrossthetwoAzureData-centrelocationsarestrictlycontrolledbyMicrosoftAzuresecurityteams.

• AllStaffCircleCustomersareguaranteeda99.9%uptimeofStaffCircleplatformservices

• PlatformservicesincludeMobile,WebandPCaccesstoplatformservicesforendusersandadministrators.

• Platformserviceavailabilitytomonitoredbyexternalautomatedsystemsandreportedatourserviceportalonhttps://status.staffcircle.com

• Ourcoresystemsareredundantmeaningifonecomponentsystemfailsthereisalwaysanotheroneavailabletotakeover.Thisisachievedusingeitherclusteringorfailoverstrategies.Eachcorecomponentonourplatformisbuildusingthesestrategieswhichminimisestheimpactofanysuchfailure.

• Ourplatformsarebacked-uptoanoff-sitelocationaminimumofthreetimesper24hours.Intheextremelyunlikelyeventofacatastrophicsystemfailureorcompletefailureofthestoragelayersorlossofanentiredata-centrewewilltriggerourdisasterrecoveryprocedureswhichinvolveloadingupourDRclusterandre-importingback-updatafromoneofthethreedailybackups.

• ApplicationandPlatformisexternallytested(PenTested)withannualcertification.• Ourcodebasehasahighlevelofunittestingandweconductpeer-reviewsoncodechanges.• Weseparateourdevelopment,test,uat(useracceptancetesting)andproductionenvironments.• Weimplementautomatedbuildsandcontinuousintegration.• WeoperateinanAgileScrumdevelopmentenvironment.• Wepioneered“SecureField”technologyenablingtwo-factorauthenticationonindividualfields.

• WeadherestrictlytorelevantUKandEuropeandataprotectionlawsincludingGDPR.• Allemployeessignaconfidentialityagreementtoprotectcustomerdata.• Wedonotshareanyclientdatawithany3rdparty.

INTRUSIONDETECTIONANDDDOSMITIGATION

LOGICALANDPHYSICALACCESSTOPLATORM

AVAILABILITY,RECOVERYANDSURVIVABILITY

APPLICATIONSECURITYANDDEVELOPMENTQUALITY

DATAPROTECTIONANDCONFIDENTIALITY