Our product websites have more detail on their specific security. This page provides brief answers to the most commonly asked security questions.
Where is my data stored?
Data is held across multiple data centre locations for resilience. For our Software as a Service products, data is stored in the UK by default, but where a customer requires alternative data homing this is available as part of our Enterprise offering. This includes hosting data in either the US, Canada, Australia or Ireland (EU).
The geographically dispersed datacenters comply with key industry standards including ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. There is a layered approach to physical security and all have extensive layers of protection including access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. Fences, video monitoring and security patrols protect the external perimeter. Inside, movement is controlled by two-factor authentication with biometric controls.
How is my data secured?
Data is encrypted during transport and at rest. That means that all data is secured between users’ browsers and our servers using TLS (Transport Level Security). Data is encrypted while stored on servers (encryption at rest). There are a wide range of technical measures used, including multiple firewall technologies and intrusion prevention and intrusion detection measures as well as monitoring and alerting. Our products implement role-based access control to ensure that data access is restricted to specific users, for specific purposes.
Will I be notified if there is a breach?
Both UK GDPR and EU GDPR require notification within 72 hours of becoming aware of a breach, where feasible. We have processes to ensure that we meet this requirement, should this ever be required, and our internal SLA is to notify customers within 24 hours. We also have a Responsible Vulnerability Disclosure Policy.
SocialOptic holds a Whole Organisation Cyber Essentials Plus certification and a published NHS Data Security and Protection Toolkit assessment based on the UK National Data Guardian’s 10 data security standards – https://dsptoolkit.nhs.uk/OrganisationSearch/Z7I7E. This means that our security is audited by an external assessor. In addition, regular security scans and periodic Penetration Tests (“Pen Tests”) are carried out on our infrastructure. SocialOptic is registered with the ICO in the UK – ZA092349.