Security & Backup Policy - Gold-Vision CRM

Overview

This policy is designed to provide an overview of the procedures that we have in place to ensure that your systems are available and your confidential information is secure. It covers the information about your business and processes that you share with us, and your data that you maintain on our hosted environment.

You should read this policy in conjunction with our Software Licence & Support Agreement.

Additional detailed quality process policies and documents may be requested for review, but do not form part of this policy or our legal agreement.

Administration of network access
Employee network access
Customer project data security
Support data security
Risk register
Asset register

Our organisation and people

ISO 27001

We have achieved ISO 27001 certification, supported by strong processes, documentation and culture. Datacentres used by us are also ISO 27001 accredited.

National Cyber Security Centre

We are qualified under the Cyber Essentials scheme.

People

Esteiro does not employ sub-contractors, and employees are subject to careful reference checking on employment.

For all new starters the following checks are made:

References – a minimum of two are taken up including employment reference
Copies are taken of passport (Nationality and Immigration status) and driving license
Unspent criminal convictions – by declaration

Many of our employees have successfully undertaken additional background security checks when working on sensitive projects. We have an extremely low staff turnover.

One of our key customer processes is our helpdesk which is manned by a combination of dedicated support, technical and project team members. Whilst this expands the team with potential access to customer data, there is an individual user login.

Facilities

Our offices are not shared and we have physical visitor controls and records. Our own internal systems are located either in our datacentres, or in a server room with re-enforced walls, locks and doors. We run a virtually paperless office with clear desks. Information security processes and policies are published to employees and we run periodic sessions to highlight core and changed processes. We have designated roles and responsibilities to ensure that our policies are effective.

System access and availability

We have an enviable record of system uptime – overall at 99.98%.

Over 800 active PRTG sensors monitor server performance for potential issues which alert team members.

Backup and disaster recovery

On-Premises installations

If Gold-Vision is installed on your infrastructure the responsibility for backup and data recovery rests with you. We will be delighted to provide general guidance and advice during the implementation. We can assist in setting up the initial SQL backup schedule, but we are not in a position to provide the ongoing testing and validation that you would require.

Cloud Gold-Vision instances

Introduction

We understand that your organisation values the proven benefits of cloud computing. Organisations are concerned by the lack of personal service or communication associated with cloud computing. When critical business systems are unavailable there is simply a service page and an SLA to rely on. Although our availability times are class leading, in the rare event of issues, Gold-Vision customers can speak with our support team as well as check on the service page at: https://help.gold-vision.com/service-status/.

We also find that organisations want to understand exactly where their data is, not just which continent or economic area, and the resilience and security of the environment. Gold-Vision is hosted either on our equipment in top datacentres or on the Azure platform in known datacentres. Typically, we can host your solution in the country of your choice to meet your regulatory requirements. Our primary UK datacentre is a highly secure and well-provisioned tier 4 (banking grade), with an additional 2 highly secure datacentres for additional capacity and disaster recovery purposes. Further detailed information is available on request.

Data Backup

Gold-Vision instances are separate Microsoft SQL databases which are continually streamed between live servers and backup servers. The equipment is owned and maintained by Esteiro and is located in its own separate rack cage.

In the event of a data problem, we can offer the following options:

In the case of quickly identified issues, we are potentially able to “roll back” your solution from the backup server which would typically be running an hour behind your live environment.
Where issues have not been evident immediately, we are able to restore previous overnight database backup copies, which are retained for up to 28 days. Document backups are maintained for the previous 7 days.

Additionally, we recommend that customers periodically extract key data for safekeeping using the Gold-Vision reporting tools. We can also potentially provide an additional periodic backup copy of your SQL database in your document location which you can then choose to download at your convenience. Please note that there is a small charge for providing this service, and the backup file will count towards your file storage allowances.

Disaster Recovery

Our disaster recovery plan is designed to protect against the unavailability or destruction of the existing datacentre(s). Overnight encrypted copies of the server images are copied to a separate secure environment in the EEA. This provides not only commercial protection from one supplier commercial failure but independence of hosted platforms. We also manage a backup DNS server in this environment, allowing us to rebuild a complete environment in a target time of 48 hours.

Data safeguards

Access & Cyber Security Controls

Gold-Vision may be installed either;

on your own corporate network either on-premises, or in your private cloud
on our hosted platform as a cloud application

If Gold-Vision is installed in your own network or private cloud, you are undertaking the responsibility for access and data security. This scenario is ideal for organisations with particularly sensitive data requirements.

Gold-Vision employs 2 Factor authentication for users by default, and is the recommended setting. No default passwords are used.

In our “Cloud” or SaaS environment Gold-Vision uses discrete sandboxed MS SQLServer databases, unlike most SaaS solutions. Each application to database access is via a different service user which has no access rights over other customer data. The database servers are not accessible to the internet except through the Gold-Vision application and Remote desktop restricted to Esteiro, which uses secure processes to request data.

For data transmission security, the Gold-Vision CRM web application uses SHA2 (256bit) https access and encryption protocols. The Connect marketing application is currently being upgraded to the same standard. Our storage and backup data is encrypted with 32 character salted.

The datacentre employs technology to isolate and protect against denial of service attacks (DoS). Our infrastructure and firewalls sit behind the Datacentre protection.

Whilst we believe the service provision is secure, and we have no evidence of lapses, we continually review potential vulnerabilities as a part of the ISO 27001 certification process, and have a vulnerability reporting process.

Project processes

We recognise that we are in the trusted position of handling commercially sensitive and confidential personal information. This is dealt with in a detailed policy which we will be delighted to discuss or provide you with, but in summary, we have procedures in place for the management of client data, and for the removal of data at the end of client projects.

Data retention

Terminated client instances are typically held on our main environment for 30 days unless there is prior agreement. The database and files will then be deleted but will be held in the backup environments until the backup cycle is refreshed.

Gold-Vision development controls

Product Development processes are regulated by our ISO 27001 certification, which are enforced by training and peer review, and tested by external penetration and scan testing.

Data integration is limited to our API which runs through a common layer where security and data validation occurs. Protection is enforced against attacks such as code or SQL injection through malicious data entry.

Third party component use is limited to mainstream industry providers and sources, and is regularly reviewed. Third-party components are kept updated, with easy to implement updates of assured provenance (for example, through the use of cryptographic hashes that can be verified before installation) released to supported customers in a timely manner.

Our own software is frequently updated; for SaaS customers this process is automatic. For the minority of on-premise customers they do have the option to control updates. Updates are built and delivered by industry-standard tools. Our software platforms are updated in line with vendor recommendations on a regular monitored cycle.

Application Security and Controls

A key aspect of data security is access to data by legitimate users. Access to objects and Account records can be administered via the Administration Console. Access can be set dependent on the user’s primary team as well as a security field at the account level. Below are the various options available, and also apply to Opportunities and Project items.

Object Level

Access – ability to view the record
Edit – ability to view and modify the record
Delete – ability to remove the record

Account, Opportunity, Project Record Level (and related sub-records)

Public – all users will be able to access the record.
Team – the Account Manager, other team members of the Account Managers team, plus assigned manager, executive or administer groups will be able to access the record.
Private – the record will only be visible to the Account Manager and Gold-Vision Administrators.

Field Level

Most field security levels can be set to user or team security options individually.
The above allows for data access to be controlled however you must satisfy yourself that sensitive data is protected. We are happy to test this with you.

Data input into the system by users is controllable in terms of the type and formatting of data that can be entered (such as specifying data types to text, numeric, Boolean for example)

Bulk export

There are 2 ways to export bulk records from Gold-Vision; Outlook contact export and reporting. Should you want to remove this capability to team members, this is managed from the Administration Console.

EBS 08.2021.1.0

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__oauth_redirect_detector	past	This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_JQKSVHGM6D	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
mf_user	never	Mouseflow sets this cookie to identify whether a visitor is new or returning.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-41710420-1	1 minute	No description
_hjSession_1791705	30 minutes	No description
_hjSessionUser_1791705	1 year	No description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description