The Compliance Space is a tool developed for our clients to maintain a robust data privacy and data protection operating model. We recognise that information security is a key pillar for all organisations, and we take the privacy and security of our clients' data very seriously. This Security Centre has been developed to be transparent about how we operate and to build trust with our clients.
At The Compliance Space we operate robust organisational processes and policies aligned with the ISO 27001 standard and the Data Protection Act 2018. This includes internal audits by our dedicated information security personnel.
Our staff are granted access to clients' data on a need-to-know basis, as appropriate to their role. All staff are required to have and maintain a high level of awareness of data privacy and security.
All staff are vetted for suitability for their roles with appropriate security checks completed where necessary.
The Compliance Space has a dedicated Data Protection Officer who is responsible for both Information Security and Data Privacy.
All staff are equipped with physical assets such as laptops and mobile phones that meet our Minimum Security Measures. These are:
Up-to-date operating systems
Up-to-date antivirus software
Mobile Device Management
- Office Security
The Compliance Space operates as a team from UK-based office locations that meet stringent physical security controls to protect our data and that of our clients. These controls include, as a minimum:
Door entry systems
Physical lockable stores
- Data Centre Security
All services for The Compliance Space platform are hosted within the Amazon Web Services (AWS) data centre estate. The platform benefits from multi-zone (Availability Zone) failover within the EU region. AWS adheres to stringent security regulations and controls that meet our baseline controls; this includes physical and logical security, with more detail available here: https://aws.amazon.com/compliance/data-center/controls/
- Network Security
The Compliance Space platform is an internet-facing platform whose internet connectivity is delivered by the AWS network. In combination with the base-level controls that exist on this network and the architected network infrastructure of The Compliance Space, we protect our platform using:
Distributed Denial of Service (DDoS) protection
Front end / back end separation
Hardened operating system instances
- Secure Development
The introduction of change to The Compliance Space platform is governed by a strict Change Management Policy and a principles-based Secure Development Policy. This includes code quality assurance, code versioning and testing through staged environments. The code is periodically tested for quality, duplication and vulnerabilities by an independent organisation.
- Data Security
The security of our clients' data is our top priority. As such we have implemented a number of controls to ensure the Confidentiality, Integrity and Availability of this data. This includes:
Multi-zone data replication for high availability
Local and offsite encrypted backups
AES-based database encryption (at rest)
Encryption in transit for user connections as well as between the front-end and back-end instances
Tokenized user passwords with a minimum complexity requirement
Administrative access only from IP-whitelisted networks, via bastion hosts
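An added illustration, not The Compliance Space's own code, of how the two password controls listed above are commonly implemented: a minimum-complexity check on the way in, and one-way salted storage (PBKDF2-HMAC-SHA256 here) so that the plaintext password is never kept and verification is a constant-time comparison. The complexity rule, the iteration count and the stored record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed minimum complexity rule for the example (not the platform's actual policy):
# at least 12 characters, containing lower-case, upper-case, digit and symbol classes.
MIN_LENGTH = 12
_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"\d"),
    re.compile(r"[^A-Za-z0-9]"),
)

# PBKDF2-HMAC-SHA256 work factor; 600,000 iterations is the current OWASP guidance.
ITERATIONS = 600_000
SALT_BYTES = 16


def meets_complexity(password: str) -> bool:
    """Return True only if the password satisfies the assumed minimum complexity rule."""
    if len(password) < MIN_LENGTH:
        return False
    return all(pattern.search(password) for pattern in _CLASSES)


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Raises ValueError if the password fails the complexity check, so weak
    passwords never reach storage. A fresh random salt is drawn per password,
    so identical passwords produce different records.
    """
    if not meets_complexity(password):
        raise ValueError("password does not meet the minimum complexity requirement")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time.

    Malformed records return False rather than raising, so a corrupted row
    cannot be turned into an authentication bypass or an unhandled error.
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    record = hash_password("Tr0ub4dor&3xample!")
    print(record)
    print(verify_password("Tr0ub4dor&3xample!", record))  # True
    print(verify_password("Tr0ub4dor&3xample?", record))  # False
```

Storing the algorithm name and iteration count alongside the salt lets the work factor be raised later without invalidating existing records: old records still verify with their own parameters and can be re-hashed on the next successful login.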
- Data Retention and Destruction
We recognise that the data within our platform belongs to our clients and that we have a duty of care to ensure that this data is retained only for as long as necessary, in alignment with our retention periods (https://www.thecompliancespace.com/privacy-notice), and that it is destroyed appropriately.
Data is destroyed by removal from the database through the platform's own functions, such as the deletion of a user or the full deletion of a client's data at the end of their contract term. Before deletion, this data is fully available as machine- and human-readable downloads from the platform itself.
- Penetration Testing
As The Compliance Space is an internet-facing platform, it is appropriate to perform external testing for vulnerabilities. Penetration Testing is completed annually on The Compliance Space by an external organisation. The testing criteria include the top vulnerability categories identified by the Open Web Application Security Project (OWASP), the OWASP Top 10.
- Incident Response
The response to security incidents is governed by a robust process which includes triage, assessment, remediation and lessons learnt phases. All security incidents are recorded. To report a security incident please email us directly on firstname.lastname@example.org.
- Personal Data Breach
Both as a business and as part of our platform, The Compliance Space processes personal data in accordance with our data privacy notice. As a result we have a robust and appropriate Personal Data Breach Response process. This process includes phases to triage and assess the breach and to discover which data was affected. We take this responsibility seriously and conclude the process by remediating the breach and communicating with data subjects and the Information Commissioner's Office (ICO) as appropriate (under the UK GDPR, a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it).