This document is designed to provide an overview of the procedures that we have in place to ensure that your systems are available and your confidential information is secure. It covers the information about your business and processes that you share with us, and your data that you maintain on our hosted environment.
You should read this policy in conjunction with our Software Licence & Support Agreement.
Additional detailed quality process policies and documents may be requested for review, but do not form part of this policy or our legal agreement.
- Administration of network access
- Employee network access
- Customer project data security
- Support data security
- Risk register
- Asset register
Our organisation and people
We have achieved ISO 27001 certification, supported by strong processes, documentation and culture. Datacentres used by us are also ISO 27001 accredited.
Esteiro does not employ sub-contractors, and employees are subject to careful reference checking on employment.
For all new starters the following checks are made:
- References – a minimum of two are taken up including employment reference
- Copies are taken of passport (Nationality and Immigration status) and driving licence
- Unspent criminal convictions – by declaration
Many of our employees have successfully undertaken additional background security checks when working on sensitive projects. We have an extremely low staff turnover.
One of our key customer processes is our helpdesk, which is manned by a combination of dedicated support, technical and project team members. Whilst this expands the team with potential access to customer data, each team member has an individual user login.
Our offices are not shared and we have physical visitor controls and records. Our own internal systems are located in a server room with reinforced walls, locks and doors. We run a virtually paperless office with clear desks. Information security processes and policies are published to employees and we run periodic sessions to highlight core and changed processes. We have designated roles and responsibilities to ensure that our policies are effective.
System access and availability
We have an enviable record of system uptime – overall at 99.98%.
Over 500 active PRTG sensors monitor server performance for potential issues and alert team members.
Backup and disaster recovery
If Gold-Vision is installed on your infrastructure the responsibility for backup and data recovery rests with you. We will be delighted to provide general guidance and advice during the implementation. We can assist in setting up the initial SQL backup schedule, but we are not in a position to provide the ongoing testing and validation that you would require.
Hosted Gold-Vision instances
The Gold-Vision hosted infrastructure is maintained in a private cage at the IceColo Data Centre in Manchester, UK. Key information is reproduced in Appendix A, but for a full understanding, please see http://www.m247.com/about-m247/manchester-data-centre
Gold-Vision instances are separate Microsoft SQL databases which are continually streamed between live servers and backup servers. The equipment is owned and maintained by Esteiro and is located in its own separate rack cage.
In the event of a data problem, we can offer the following options:
- In the case of quickly identified issues, we are potentially able to “roll back” your solution from the backup server which would typically be running 30-40 minutes behind your live environment.
- Where issues have not been evident immediately, we are able to restore previous overnight database backup copies, which are retained for up to 28 days. Document backups are maintained for the previous 7 days.
Additionally, we recommend that customers periodically extract key data for safekeeping using the Gold-Vision reporting tools. We can also potentially provide an additional periodic backup copy of your SQL database in your document location, which you can then choose to download at your convenience. Please note that there is a small charge for providing this service, and the backup file will count towards your file storage allowances.
Our disaster recovery plan is designed to protect against the unavailability or destruction of the existing datacentre(s). Overnight encrypted copies of the server images are copied to a Microsoft Azure data centre in the EEA. This provides not only commercial protection against the commercial failure of one supplier but also independence of hosted platforms. We also manage a backup DNS server in this environment, allowing us to rebuild a complete environment in a target time of 48 hours.
Gold-Vision may be installed either:
- on your own corporate network either on-premises, or in your private cloud
- on our hosted platform as a cloud application
If Gold-Vision is installed in your own network or private cloud, you are undertaking the responsibility for access and data security. This scenario is ideal for organisations with particularly sensitive data requirements.
In our “Cloud” or SaaS environment, Gold-Vision uses discrete sandboxed MS SQL Server databases, unlike most SaaS solutions. Each application's database access is via a different service user, which has no access rights over other customers' data. The database servers are not accessible from the internet except through the Gold-Vision application and through Remote Desktop, which is restricted to Esteiro, which uses secure processes to request data.
For data transmission security, the Gold-Vision CRM web application uses SHA-2 (256-bit) HTTPS access and encryption protocols. The Connect marketing application is currently being upgraded to the same standard.
Our storage and backup data is encrypted with 32 character salted.
Data is accessible via the G-V user interface to support personnel, and we do have Remote Desktop access to the servers. Support personnel have individual logins with tailored access rights, but certain key support functions (e.g. IIS management) require local admin rights.
The datacentre employs technology to isolate and protect against denial of service attacks (DoS). Our infrastructure and firewalls sit behind the M247 protection. There have been 1 or 2 attempted DoS attacks on the M247 environment in the last 5 years, but these have not been successful. We review firewall logs periodically, but this is not a frequent exercise.
Whilst we believe the service provision is secure, and we have no evidence of lapses, we are in the process of reviewing our vulnerabilities as a part of the ISO 27001 certification process.
Please note that we are unable to offer ultimate guarantees over data security.
We recognise that we are in the trusted position of handling commercially sensitive and confidential personal information. This is dealt with in a detailed policy which we will be delighted to discuss or provide you with, but in summary, we have procedures in place for the management of client data, and for the removal of data at the end of client projects.
Terminated client instances are typically held on our main environment for 30 days unless there is prior agreement. The database and files will then be deleted but will be held in the backup environments until the backup cycle is refreshed.
Gold-Vision application controls
A key aspect of data security is access to data by legitimate users. Access to objects and Account records can be administered via the Administration Console. Access can be set dependent on the user’s primary team as well as a security field at the account level. The options available are listed below; they also apply to Opportunities and Project items.
Access – ability to view the record
Edit – ability to view and modify the record
Delete – ability to remove the record
Account, Opportunity, Project Record Level (and related sub-records)
Public – all users will be able to access the record.
Team – the Account Manager, other members of the Account Manager's team, plus assigned manager, executive or administrator groups will be able to access the record.
Private – the record will only be visible to the Account Manager and Gold-Vision Administrators.
Most field security levels can be set to user or team security options individually.
The above allows for data access to be controlled; however, you must satisfy yourself that sensitive data is protected. We are happy to test this with you.
There are 2 ways to export bulk records from Gold-Vision: Outlook contact export and reporting. Should you want to remove this capability from team members, this is managed from the Administration Console.
M247 IceColo Datacentre, Manchester UK
- Two dedicated detached buildings housing state-of-the-art data centres
- Privately owned operation based in Trafford Park, Manchester
- Large and expanding 500 rack capacity
- Carrier neutral propositions
- 24/7/365 physical access for customers
- Overhead data cable distribution
- Committed R&D programme and test laboratory
- 24x7x365 onsite engineering support
- Full UKAS accreditation for ISO 9001:2008 Quality Management System
- One of Europe’s most energy efficient facilities PUE <1.2 (granular records available)
- Advanced cold-aisle containment system
- World class low carbon footprint climate control system
- Recycling policy
- Continuous planned upgrades to improve efficiency
- High-power-density configurations
- Shared rooms, secure cages, safes, private rooms and suites
- Remote hands-and-eyes and 24×7 engineering installation and maintenance
- Connectivity and Network Capacity
- Multiple diverse and redundant optical fibre entry points
- 80-gigabits of live Internet connectivity
- Cost effective IP transit available
- Cost effective Layer2 Ethernet circuits
- Astra Satellite feeds available
- NHS N3 connectivity
- Extensive and expanding advanced 10 / 20 Gbps IP and MPLS network connected directly to 7 of the world’s largest and most important Internet exchanges
- Resilient European network ring spanning Manchester, London, Amsterdam, Frankfurt, Paris and Belgium with a full M247 London bypass
- Direct peering relationships with 70% of all the European ISPs
- Range of national network operators on-site, including BT, Virgin Media, Cable & Wireless and KCOM
- ISO 27001 Accredited
- Located in secure fenced and gated compound
- Multiple physical security layers
- Manned 24/7/365 by expert staff
- CCTV surveillance cameras
- Advanced VESDA laser smoke detection
- FM200 Fire Suppression gas discharge with fully trained staff
- Access controlled maglock internal doors
- Locked cabinet, cages and safes available