Version: 1
Publish Date: 16th September 2025
We actively hunt for and mitigate threats before they can impact your data. Our security program is built on continuous monitoring, regular testing, and strict access controls.
Vulnerability Management: We run frequent vulnerability scans and prioritise findings based on their severity. Vulnerability assessments are carried out daily within our Software Development Life Cycle (SDLC) through automated security checks, container image scanning, and application vulnerability scanning.
Penetration Testing: To validate the effectiveness of our security controls, we conduct annual penetration tests with external, CREST-approved vendors.
Malware Protection: We use antivirus and anti-malware software on all company devices and email. We also perform virus scans and reviews on all Docker container images before they are deployed to production.
System Hardening: All operating systems and third-party software are regularly patched to prevent known vulnerabilities.
Network Protection: Claromentis has a Communications & Network Security Policy in place and uses several automated tools to secure the network perimeter.
Endpoint Protection: We use a centrally managed endpoint security solution, including EDR. All approved company devices are encrypted.
Application-Level Protection: We use technical controls to protect applications against various attack vectors. This includes:
SQL injection: Prevented using SQL query parameterization, input sanitization, and input validation.
CSRF attacks: All web form requests are protected against cross-site request forgery using our CSRF token check system.
XSS (Cross-Site Scripting): We restrict raw HTML containing JavaScript wherever possible and use bespoke and third-party HTML sanitizers for user-provided HTML.
Brute-force attacks: User accounts are locked for a configurable period after a certain number of failed login attempts.
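The two controls above that lend themselves to a concrete illustration are the parameterized SQL lookup and the configurable account lockout. The following is an added example written for this page; it is not Claromentis code and does not describe how their platform implements these checks. The class names, the default threshold of 5 failures, the 15-minute lockout and the sample users are all constructed for the demonstration. An injectable clock is used so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Configurable lockout: how many failures trip it and for how long (assumed defaults)."""
    max_failures: int = 5
    lockout_seconds: int = 900


class LoginService:
    """Minimal login backend: parameterized user lookup plus per-account lockout."""

    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable for testing lockout expiry
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
        )
        # username -> (failure_count, locked_until_epoch_seconds)
        self._state: dict[str, tuple[int, float]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # Values are bound as parameters; a quote in the username is just data.
        self.db.execute(
            "INSERT INTO users VALUES (?, ?, ?)", (username, salt, self._hash(password, salt))
        )

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._state.get(username, (0, 0.0))
        return self.clock() < locked_until

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account is refused even with the right password."""
        now = self.clock()
        failures, locked_until = self._state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # do not touch counters: attempts while locked must not extend the lock

        # Parameterized query: the username never becomes part of the SQL text.
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        ok = False
        if row is not None:
            salt, stored = row
            ok = hmac.compare_digest(self._hash(password, salt), stored)

        if ok:
            self._state.pop(username, None)  # success resets the failure counter
            return "ok"

        failures += 1
        if failures >= self.policy.max_failures:
            # Lock for the configured period and reset the counter for the next window.
            self._state[username] = (0, now + self.policy.lockout_seconds)
            return "locked"
        self._state[username] = (failures, 0.0)
        return "denied"


if __name__ == "__main__":
    svc = LoginService(LockoutPolicy(max_failures=3, lockout_seconds=60))
    svc.add_user("alice", "correct horse")  # constructed sample account
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", svc.login("alice", attempt))
```

Two details are worth noting for anyone writing a similar check: the lock is evaluated before the password is verified, so a correct password during the lockout window still returns "locked", and attempts made while locked do not reset or extend the window, which keeps the lockout period exactly what the configuration says.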
Your data's integrity and accessibility are our top priority. We use a comprehensive backup strategy to ensure that your information is protected and can be restored quickly.
Secure Backups: We regularly back up all information, software, and system images to protect against data loss. The backups are stored in the cloud within the Google Cloud Platform, and data can be stored in the US, UK, or Europe depending on the chosen location.
Disaster Recovery & Business Continuity: We have a comprehensive and formally documented Business Continuity Plan (BCP). The plan is reviewed at least annually to ensure controls are operating as intended and its accuracy and completeness are formally approved by senior management. Our Recovery Time Objective (RTO) is 8 hours, and our Recovery Point Objective (RPO) is 24 hours. Our backup procedures are specifically designed to allow us to recover customer data promptly, in accordance with our documented Service Level Agreements (SLAs).
Software Updates: We have established a robust QA process for our development and testing, and updates are applied to QA environments before being released for production. Unscheduled or scheduled updates are applied out of hours, and downtime is rarely required. If it is, we provide at least 48 hours' notice. We have a rollback procedure in place for failed or problematic upgrades.
We believe security is a shared responsibility, supported by rigorous internal procedures and oversight from our leadership team.
Change Management: To maintain a stable and secure environment, all changes to our systems are managed through a formal change management process.
Internal Audits: Our senior leadership, including the CIO and COO, conducts monthly internal audits to identify and mitigate information security risks. We also have quarterly internal audits, management reviews, and annual external audits for ISO 9001 and ISO 27001 carried out by the British Assessment Bureau.
Logging and Monitoring: We actively monitor and log all access to customer data, including user, IP address, timestamp, and action performed.
Physical Security: Our SaaS platform is hosted within Google Cloud Platform, which adheres to stringent physical security principles.
System Segregation: We maintain a strict separation between our production, development, and testing environments, either physically or virtually. We never use confidential customer data in development or test environments without explicit approval. When approved, sensitive information is scrubbed to protect your privacy. Test data in non-production environments is anonymized or de-identified. We also use a single-tenant architecture, ensuring each customer has their own web service, database, and data volume.
Access Control: We use SAML 2.0 or OAuth SSO for our Cloud/SaaS platform, which can be configured to work with a customer's external user directory, such as Active Directory. Our system also supports two-factor authentication (2FA) for remote access. All login attempts are logged with date, time, user ID, and source network address.
Employee Training: The company has an employee training program with cyber security learning courses within our Learning Management System (LMS). We also perform periodic phishing and other social engineering tests, and anyone who fails is automatically enrolled in a training course.
Subcontractor Due Diligence: We have a robust supplier security policy and regularly review all suppliers. We perform thorough security, legal, and compliance checks before and during our use of any third-party services. For new suppliers, a risk assessment is conducted, and if they will process confidential data, a Data Protection Impact Assessment (DPIA) is submitted. We check for security certifications like ISO 27001, SSAE 18 (SOC2), and Cyber Essentials.
Data Deletion: Customer Data is permanently deleted 30 days after a contract ends. Employee devices are wiped according to NIST SP 800-88 Revision 1 and DoD 5220.22-M standards.
While we invest heavily in securing our platform, security is a shared responsibility. By using our platform, you also play a vital role in maintaining the security of your data. This includes:
Implementing strong access management policies.
Utilizing the security features we provide, such as IP restriction, Two-Factor Authentication and single sign-on (SSO).
Regularly reviewing and managing user permissions to ensure they are appropriate.
Monitoring user activity for suspicious behaviour.