Security Policy

1.1 Human resource security
A comprehensive awareness training program is delivered on an ongoing basis to all
Problem Free Limited employees to emphasise the need to protect customer cloud data
appropriately. We also require our contractors to provide appropriate awareness
training to all relevant employees.
1.2 Encryption
Transactions between the user (including administrators) and the cloud environment
are encrypted using TLS by default. The older SSL protocol has been deprecated. If
removed from the production environment Customer data will always be encrypted at
rest. Any data sent between our production servers (such as to a database) will only be
communicated via their own private network, private virtual LAN or through an
encrypted channel.
1.3 Physical security
Our primary database and web servers are located at specialist data centres in France
(EU). Data centres such as this have 24/7 monitoring and access control via RF key
cards to track employees as they move through the installation. The data centre holds
ISO/IEC 27001, ISO 27002 and ISO 27005, SOC 1 Type II and SOC 2 Type II
certifications. Encrypted backups are stored on the Amazon S3 cloud in the Ireland
(EU) and our PDF export server in the Netherlands (EU). These data centres also have
appropriate physical security in place.
1.4 Access Control and logging
We use the “authentication everywhere” principle for all internal admin systems.
Employees are only given access to systems and personal data if it is required for the
performance of their role. We record audit logs of any access to customer accounts
(including our own staff), as well as important operations that take place on their
accounts for legal and security purposes. Employee access to company systems will be
revoked within 24 hours of termination. Complex password policies are enforced.
1.5 Asset management
All company hard drives are encrypted with full disk encryption. Only devices properly
secured by the company will be able to access company networks. Employee PC’s all
have anti-malware software and firewalls installed as standard. We also employ highly
restrictive “process white-list” and “anti-exploit” software where it is sensible to do so.
1.6 Development
Our service is built on the enterprise grade Microsoft .NET MVC platform and uses an
ORM to interact with the customer database. This prevents many of the most common
security venerability’s (such as SQL injection) We do not use a traditional CMS since
these are regularly found to have security problems and instead build all of our
marketing sites (blog, news and knowledge base) using a static site generator. Code is
stored on a distributed source control system and peer reviewed and tested on our
staging system before going live.
1.7 Vulnerability testing and patch management
We will periodically perform venerability scanning on our servers to identify any relevant
issues. Security patches are reviewed regularly and applied to our servers where
appropriate.
1.8 Web application firewall and security proxy
Our servers are protected by CloudFlare who provide expert defence against DDOS
attacks, a web application firewall to filter suspicious or dangerous activity, block known
“bad IP addresses/users” and offer various cryptographic enhancements. We also pay
for their premium Argo routing system to increase performance for users who’re located
at a notable distance from Europe.
1.9 Information security incident management
Where we believe it’s appropriate to inform the customer of an information security
event (before it has been determined if it should be treated as an incident), it will be
relayed to the nominated customer administrator. Similarly, the customer may report
security events to our support desk where they will be logged, and an appropriate
action will be decided on. Information about the progress of such events may be
obtained from the support desk. We will report information security incidents to the
customer where we believe that the customer service or data has or will be affected.
We will do this to the nominated customer administrator or deputy as soon as
reasonably possible, and will share as much information about the impact and
investigation of the incident as we believe to be appropriate for its effective and timely
resolution. An incident manager will be appointed in each case who will act as the
Problem Free Limited point of contact for the incident, including matters related to the
capture and preservation of digital evidence if required. We prioritise incident
management activities to ensure that the timescale requirements of the GDPR, for
notification of breaches affecting personal data, are met.
1.10 Information Security Aspects of Business
Continuity Management
Our production data centres are distributed across multiple cities to provide redundancy
in the event of a widespread outage. Database transaction log backups are scheduled
for every 15 minutes and are automatically encrypted and transferred to the remote
Amazon S3 storage cloud. Additional full and differential backups are taken periodically
and similarly transferred to the same safe location.