Trust Centre - Compliance
Regulatory and corporate compliance enhances consistency, prevents internal errors and fosters trust between us, our clients and end users. Over 20 years of service delivery, we have developed all the necessary internal policies and processes, as well as external rules and regulatory compliance to ensure the integrity of client and customer data.
Information Security Management System (ISMS)
Recognised worldwide, the ISO 27001 is the international standard for an Information Security Management System. nowhere is committed to its systematic approach to protecting all forms of information, whether digital, hard copy or in the Cloud. By signing up to the standard we commit to ongoing improvement, and take a robust stance regarding securing the confidentiality, availability and integrity of the personal information. Our mandatory technical and organisational measures must be adhered to by all staff, and are subject to an annual independent audit by the British Assessment Bureau, which holds accreditation with UKAS, the only government-backed body for ISO certification in the United Kingdom. With an ISO 27001-compliant ISMS (cert no. 212607), nowhere meets the information security requirements of laws such as the UK’s Data Protection Act 2018, the Network and Information Systems Regulations 2018 and the EU’s General Data Protection Regulation (GDPR). Read our ISMS Policy for more detail.
Internal and External Security Audits
Security vulnerabilities are discovered in many ways; but primarily through regular system audits (automated and manual), system monitoring, developer threat modelling and penetration testing (internal and external - white and black box testing). We run a change management system and an incident management system to track tasks through various stages of development to resolution.
Our servers and software are regularly tested by respected third-party, independent penetration testers. Vulnerabilities discovered via external audits are tracked and resolved in accordance with our policies and industry best practices. We use these audits to proactively and pre-emptively close any loopholes in relevant applications. All our client deployments are fully tested in this manner to ensure client data and systems are secure.
In this ever-evolving digital threat landscape, we are dedicated to ensuring that our customers can be as secure as possible when they access our products. As such we use AWS exclusively for all our cloud computing, renowned as the world’s most comprehensive cloud platform with exceptional security practices. Additionally, the following security features provide an extra layer of end-user validation and authentication, which prevents unauthorised access to confidential client data.
Cryptographic Controls - To ensure data residency and user privacy requirements, all data is transferred between user devices and nowhere servers using up to 256-bit encrypted connection via TLS 1.2. We also employ encryption at rest (AES-256) and our cryptographic keys are protected by Amazon’s Key Management Services.
Tiered admin model - This feature enables more effective team management by adhering to the principle of least privilege to reduce access to critical systems or sensitive personal data.
Single Sign-On (SSO) - We offer directory integration, with SSO, to allow client employees access to our systems without the need for creating new login details. We use the industry-standard Security Assertion Markup Language 2.0 (SAML 2.0) which manages the whole authentication process for a streamlined, secure and stress-free set up experience.
Timed log-out - This feature automatically logs users out after a certain period of inactivity to reduce the risk of unauthorised users accessing an unattended computer.
nowhere digital products and contractual commitments comply with the EU General Data Protection Regulation (GDPR), in effect since May 25, 2018. We offer our enterprise clients a range of data management tools including but not limited to:
Admin and user activity logs - A timestamped audit trail provides visibility into admin and user actions. Audit logs act as a detective control and help when dealing with unforeseen circumstances, including unauthorised activity, systems flaws or violations.
Centralised User Management - The ability to easily manage user access to an account, including updating personal details, deactivating and deleting inactive accounts.
Data compliance tools - The ability to import and export data, as well as delete specific data sets as required.
Data Processing Agreement - To ensure both the client and nowhere are in agreement as to the rights and obligations concerning the protection of personal data. Read our Data Processing Agreement for more detail.
Data Subject Access Request - Individuals have the right to obtain a copy of their personal data as well as other supplementary information verbally or in writing. The Security Team can be contacted on the following email address and they will endeavour to respond without undue delay and within one month of receipt of the request - firstname.lastname@example.org.
Privacy Notice - Our statement on the way we gather, use and manage data. Read our Privacy Notice for more detail.