Trust Centre - Security
We work with the principle of ‘security by design’. This means that the technology we have developed to deliver our services is carefully planned and executed to be secure from the outset. We take the time to attend to the risks and controls required to secure our systems at every level:
- Operational Security - How we work together in teams to develop and maintain our systems
- Network Security - How we set up, configure and secure our servers and connections
- Application Security, Control and Visibility - How we build and maintain our application, so that it is secure and has the enterprise-level security features you require
- Physical Security - All of our servers and workers are hosted within Amazon Web Services (AWS), ensuring we are safe from environmental risks and physical threats.
Our security culture has grown with the refinement of operational security. It takes a high level of security awareness to build security into the everyday interactions between people: when something needs to change, when a new feature is developed, when a new team member joins, and so on. Working to the ISO 27001 standard, our people explore the risks, apply the required controls and interact with our Security Team and our Information Security Management System (ISMS) to make sure that the work carried out is highly secure. This applies to every idea, every change, every event and every incident, in every moment we are working. We have regular management reviews to discover and define the risks. We are constantly managing changes to all systems. We track incidents to ensure controls are applied and verify that the controls are effective. We audit every area of our technology ecosystem to ensure that nothing is amiss. For information on the IT DRP and BCP see reliability.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We employ industry-standard protection techniques, including firewalls, network vulnerability scanning, network security monitoring, and intrusion detection systems, to ensure only eligible and non-malicious traffic is able to reach our infrastructure. To meet data residency and user privacy requirements, all data transferred between user devices and nowhere servers travels over connections encrypted with up to 256-bit encryption via TLS 1.2. We also employ encryption at rest (AES-256), and our cryptographic keys are protected by Amazon’s Key Management Services. Access to our production environment is restricted to authorised IPs and requires MFA. Public access is provided through proxies that are protected by sophisticated firewalls. Internal networks and computers are monitored for malicious events. Logs are collected from all areas for central analysis. Our system is constantly monitored, tested and audited by our security team and by third-party security specialists to identify security risks and possible threats.
We employ a threat modelling methodology that ensures risk analysis is embedded in the development of features and alterations. The integrity of our application is maintained by ensuring that risks are discovered during specification and development, and that the appropriate controls are applied. The security and quality of the application are tested on every deploy using blanket security tests, security tests based on the specific risks found in the threat modelling process, peer-reviewed code and regression tests. The application is regularly penetration tested and certified by external security specialists. The types of security risks managed include, but are not limited to: access control, session management, error handling, logging, cryptography, HTTP security and input validation.
Application Control and Visibility
We provide control and visibility features that allow IT and end users to manage their business and data. We have tiered admin roles that allow specified users to manage the organisation. Passwords can be managed, with MFA for increased access security. Groups allow a limited number of employees access to specified resources. To ensure that our customers have excellent visibility of application access, data and usage, we store all important user actions such as login, invites, reminders, admin actions, group management actions, data input, file downloads and logout. We have various integration features such as SSO, HR data integration and SMTP email server integration.