Hardware provider and data centres
We partner with DigitalOcean in the UK. They have some great customers – the likes of HP, Salesforce and Xerox, as well as thousands of medium sized and smaller businesses.
They have 12 data centres across the globe, customers in 195 countries and 78 million active server instances. Customers enjoy a 99.99% uptime SLA, and 40GbE – the best-in-class network connectivity for speed and throughput.
The esphr websites, applications and databases are hosted in their London data centre (http://www.equinix.co.uk) which is used by large online businesses like Box, Priceline, Foursquare and trivago. It is fully accredited to ISO 27001, the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether data is adequately protected.
The data centre is also Payment Card Industry Data Security Standards (PCI-DSS) compliant – although our specific application does not handle or store financial details.
Network, backup and email
Connection to our servers is solely via SSH (secure shell) using public and private keys to prevent unauthorised access, and data moving to and from the servers is fully encrypted.
Application email communication is securely handled by a trusted partner – SendGrid – an industry standard mail delivery and tracking platform used by the likes of Uber, Spotify and AirBnB.
Data and site content/files are securely backed up daily via SSH to the Amazon S3 storage service based in the EU region to comply with EU data protection laws. Even if our production hardware failed catastrophically, we could be up and running again within a few hours.
All front end web pages are secured with an SSL certificate (https://) to ensure data cannot be intercepted by a third party.
Application and data security
Our case management stand-alone application (where we store sensitive customer employee data) takes advantage of the following security features:
- User account details and passwords are independent of the core esphr application.
- All user passwords are one way hashed using up to date encryption methods with random salt.
- Sensitive portions of the database are fully encrypted (using AES encryption).
- SSL encryption of web pages and API/JSON calls.
- Forced password update (6 monthly) with strength criteria (at least 8 characters, one number, one uppercase) on both the core (esphr) application and the Call Reporting application.
- All inactive archived matters (and supporting notes) are automatically deleted after 7 years of their archived date.
- Most recent Ubuntu 20.04.3 LTS (Long term support) version of the Ubuntu operating system – with security patching and support guaranteed until April 2021.
- PHP 8.0.x – the most recent major version release.
- MySQL 8.0.x – the most recent stable release.
- 2 Factor authentication mandatory for all users, securing the login with SMS/email security codes.
- Server security hardening including
- disabed root a/c,
- log in only by SSH private key,
- unattended security upgrades,
- Firewall blocking all ports except 80, 443, 22
- Recent penetration tests performed by a 3rd party.