We employ a number of technical and non-technical measures to protect the data that flows through and is stored by our Platform.
Restricting who can access data
- Employee screening: Only UneeQ staff who have demonstrated honesty, integrity and discretion are eligible to have access to production systems and Personal Data.
- Training: We train and make staff aware of minimum security requirements as well as other relevant policies and laws concerning their access to production systems and Personal Data.
- Approval: Access to production systems and Personal Data requires manager approval and is granted on an as-needed basis only.
- Access review: We regularly review people who have access to production systems and Personal Data to ensure that access is only available to people who require it. Any extraneous access is removed.
Authenticating these people
- Unique credentials: Staff are required to authenticate to production systems and systems containing Personal Data using credentials that uniquely identify them.
- Complex passwords: We require that passwords meet minimum complexity requirements before accessing production systems and Personal Data.
- 2FA: Where available, we require two-factor authentication (2FA) or similar additional authentication steps.
- Account lockout: Where possible we automatically disable accounts where repeated invalid access attempts have occurred.
Technical ways we protect your data
- Backups: We have implemented technical architecture and processes to prevent the accidental destruction of Personal Data.
- Encryption: We use TLS encryption whenever Personal Data is transmitted over the public internet and encrypt Personal Data when it is persisted on disk.
- Malware and patching: We have implemented various measures to prevent malware infection and regularly ensure that hosts and applications are kept up to date with the latest security patches.
- Network security: We have implemented a range of network security approaches to restrict access to production systems and other systems that contain Personal Data.
- Monitoring: We continuously monitor systems, event logs, notifications and alerts to identify any unusual Platform behaviour.
- Secure data centres: We utilise world-class data centre facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits.
Security response and testing
- 3rd party security tests: No less frequently than annually we commission independent security testing of the Platform and remediate significant findings.
- Incident response: We maintain a procedure for reporting, responding to, and managing security incidents including data security breaches or attempts. This includes procedures for informing Controllers and Privacy Authorities in the case of a security breach.