At Asset Bank we take the security of your data seriously. This is why we are an ISO/IEC 27001:2013 (ISO 27001) certified supplier.
ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). Certification to ISO 27001 demonstrates a company is following information security best practice, backed by an independent, expert assessment of whether your data is properly protected.
To help you understand the measures that we have in place to keep your data secure we've put together the answers to some common questions here.
Where is my Asset Bank data hosted?
We currently have 6 data centers around the World. EU, US, Canada, Bahrain, Hong Kong and Australia. When purchasing Asset Bank, you would have been chosen a region. Our default region for EU customers is in the EU.
As well as the security provided by AWS itself, our own hosting infrastructure provides the additional security you would expect at the server and application level
How is the cloud-hosted infrastructure architected?
An EC2 server, in our Virtual Private Cloud, is used to host the application files and the database (user accounts and asset metadata) and S3 is used to store your digital assets. Unless you are using our dedicated hosting solution, there will be other instances of Asset Bank on the EC2 server.
Asset Bank uses system accounts to communicate with its database and S3. Each instance of Asset Bank has its own users and they only have permission to view their own database and assets, providing a layer of logical separation.
What technical security controls are in place for my data?
Because you access Asset Bank from your web browser, this is the only method of communication that is allowed between Asset Bank and the internet. Any time you use Asset Bank, you will see that the URL begins with https. This means that all information is encrypted, so that information like your login details are kept safe. When the Asset Bank needs to communicate with S3, we also use TLS (https) to encrypt any data in transit.
As well as encrypting data when it is in transit, we also encrypt it at rest. This means that all of your digital assets in the S3 bucket are encrypted, and we also encrypt your database to protect all of the information it contains.
To maintain a high standard of security, there are certain controls that we have in place. We run an industry leading (Qualys) penetration test against our servers and the Asset Bank application itself. We then assess those results and take any action necessary.
Monitoring and logging
To ensure that your Asset Bank continues to run smoothly and effectively, we have automated, real-time monitoring and logging about how the service is operating. This means that if there is an issue, our Infrastructure team are alerted immediately and can respond quickly.
Server access and specification
Our hosting environment is protected by strong access controls and firewalls, ensuring only those people that are authorised to can access your data. Access to your servers is restricted to our secure UK based office networks and such access is logged and performed under our own individual named accounts. All of our servers are designed to the same specification and benefit from the same, secure, support and infrastructure
Our developers follow industry best practices (OWASP) to ensure any changes to the application are secure. All changes to the application are subject to an end-to-end testing process and review before being released to any production environment.
How is my data backed up?
We always back up your data in the same region that your application is hosted. There are many levels of our backups to ensure that we can always restore your data.
Your digital assets are protected by versioning in S3 - this means that even when you delete an asset from Asset Bank, it will continue to exist in S3. We also copy every asset to an entirely separate location (a different bucket in S3) as soon as it is uploaded to Asset Bank.
Our EC2 application servers are backed up every night, giving us the ability to rewind the server to a previous state, or we can access them to retrieve particular pieces of data.
Finally, the application and database are also copied and sent to your S3 bucket every night, so we can access past versions of your application if necessary.
All of our backups are encrypted in transit and at rest.
If you were to stop using Asset Bank, all data will be deleted 90 days after that date, in a manner that makes it non-recoverable.
Do you have disaster recovery plans in place?
Yes. In the event of an issue that means we need to recover from a disaster, we are able to restore Asset Banks directly from our backups. We test all of our disaster recovery plans at least annually and the average time to restore an application, a server, or some assets is normally only a few hours.
What happens if there is a security or service incident?
Each of these types of incidents has their own, comprehensive process which is communicated across the business. To date we have never had a security incident affect our customers Asset Banks, however, we treat all potential security incidents with the highest priority. Our incident management process includes notification, resolution and mitigation procedures, with a focus on high levels of customer communication and speed to resolution.
Our incident management procedure has recently been updated to include notification requirements under GDPR. We treat all of our clients' data as potentially personal data under GDPR and so any security incident leading to a data breach would be notified to our customers under this procedure. This includes a commitment to notify our customers within 24 hours of becoming aware of the incident.