Frequently asked questions about due diligence
Here are some answers to questions we frequently get asked when filling in your due diligence forms for your insurers. Hopefully these answers will help, but get in touch with our Obsessive Support tm if your question isn't covered here.
- 1 Do you have a formal Business Continuity, Disaster Recovery and Information Security Statement?
- 2 Are you registered with the Information Commissioners Office (ICO)?
- 3 Where are the servers?
- 4 How are updates managed?
- 6 Do you have and enforce standards for different types of Internet traffic allowed in and out of SchemeServe?
- 7 Will you transmit our data to third parties?
- 8 Will you use strong encryption when transmitting our data outside of SchemeServe?
- 9 Is information containing payment card details (as defined in Payment Card Industry (PCI) information Security Standard) encrypted during storage and transmission?
- 10 How is our data kept separate from other client's data?
- 11 How often do you back-up your data?
- 12 How do you know your backups were successful?
- 13 How long do you retain your back-up information?
- 14 How often do you test restores of data?
- 15 How long does it take to recover your backup systems?
- 16 Do you have clustered / high availability features on the systems that will support our business?
- 17 What sort of antivirus protection do you have?
- 18 Do you have any network protection in place?
- 19 Can you provide make and model details of your firewalls and other equipment?
Do you have a formal Business Continuity, Disaster Recovery and Information Security Statement?
Yes, we do. You can download a copy here. We are certified under the Government backed Cyber Essentials Scheme. You can find our certification [here]
Are you registered with the Information Commissioners Office (ICO)?
Yes, our registration is Z8157921
Where are the servers?
We use Rackspace as hosting provider, and our software is hosted primarily at their London data centre. We have other servers, mainly as standby for disaster recovery, in Southern Ireland (Eire) and in the Netherlands.
Certifications for the UK Data Centre is at https://www.rackspace.com/en-gb/certifications and for the Eire and Netherlands Data Centre https://azure.microsoft.com/en-gb/support/trust-center/compliance/
How are updates managed?
Our servers are updated in line with schedules issued by the equipment or software provider, after testing in a controlled environment. For Microsoft servers, this is typically the 2nd Tuesday of the month (unofficially called Update Tuesday) We schedule the updates to happen in the middle of the night most of the time. Rarely, an important security issue requires us to make an update in an unscheduled manner, before the issue is published by the press.
Yes, SchemeServe will tell each visitor the first time that cookies are used to track the users' progress on the site. There are also cookies that are required for the operation of the site that do not need consent. You can read more about cookies and informing visitors about them on the Information Commissioners website.
Do you have and enforce standards for different types of Internet traffic allowed in and out of SchemeServe?
Yes. We use SSL encryption to keep your data safe when sending over the Internet and we enforce Strict Transport Security (HSTS). All other traffic types (anything other than HTTP and HTTPS) is explicitly blocked.
Will you transmit our data to third parties?
Generally No. We do send small amounts of data to third parties to accomplish some tasks. For example, we send postcodes to a provider of address lookups, and sales details to another provider in order to process credit card transactions. This information is used only for the purposes described and we have agreements with these third parties not to store that information beyond what is needed for the immediate task.
Will you use strong encryption when transmitting our data outside of SchemeServe?
Yes. All communication of data to third parties is sent using SSL encryption. We use the best protocols available to ensure maximum protection (an 'A' rating on ssllabs.com) See latest scan results
Is information containing payment card details (as defined in Payment Card Industry (PCI) information Security Standard) encrypted during storage and transmission?
We do not store any information of this kind, and only transmit it as needed using secure https protocols.
You can read our assessment of our PCI compliance here.
How is our data kept separate from other client's data?
We have a number of ways we do this. We record identifiers on each record along with who can access that record. We also store information in physically separate files to ensure separation.
How often do you back-up your data?
We backup our data at least once a day, usually every few hours.
How do you know your backups were successful?
Each time a backup is scheduled, our team gets notified of a successful or otherwise completion. If the backup was not successful - which happens from time to time if our servers are busy, it is automatically repeated. Backups are also tested on a regular basis and restored to our 'Beta' servers. What are 'Beta' servers?
How long do you retain your back-up information?
We keep backups for 52 weeks, in a physically separate location to the servers, to protect from any disasters.
How often do you test restores of data?
Our restores are checked every couple of months by actually restoring them to a diagnostic environment and validating the contents. They are also used on a regular basis to update our 'Beta' servers. What are 'Beta' servers?
How long does it take to recover your backup systems?
We have a contract with our server provider to provide physically new servers and restore to a working set in 6 hours. However, because we use multiple servers hosted in the cloud, the reality is that even with a disaster at the hosting centre, the site would likely be able to continue without interruption.
Do you have clustered / high availability features on the systems that will support our business?
Yes. We have multiple database servers and multiple web servers running SchemeServe so that operations can continue in the event of a server failure. These automatically switch while alerting the entire technical team at SchemeServe and also our hosting company so that it may be resolved quickly.
What sort of antivirus protection do you have?
We use Sophos Anti Virus on our servers. This is updated frequently (usually every month) with new virus definitions, and files are checked at the point of being written to. This is monitored and maintained centrally at our hosting centre.
Do you have any network protection in place?
We have firewall devices on the external facing ports of our server network, as well as on the incoming connection to the hosting centre. There is a firewall between the web servers and the data servers. Each server also maintains its own firewall protection.
Can you provide make and model details of your firewalls and other equipment?
As this is a cloud based service, some of the devices, such as the load balancers are proprietary, however, the firewall devices are Cisco ASA 5510 Sec+, and there are OS and proprietary firewalls in place as well.