We are a Cyber Essentials certified mobile application development company. We cannot publish the full picture of our security controls for security reasons, but here is an overview of some of the steps we take to protect your data:
If you host with us, our data centre is in the UK, with dedicated managed servers supplied by VI.net. The data centres are staffed 24/7/365, with physical access controlled by secure procedures. Connectivity is provided by redundant, meshed Cisco 6500 series routers (accurate as of September 2017) over redundant fibres with a combined capacity of 320 Gb/s, giving full resilience. Our servers are regularly updated to the latest software and patches, and each server runs its own firewall.
The back-end server code that drives your application is configured to run over HTTPS, with a valid TLS (SSL) certificate installed, so that traffic between the app and the server is encrypted in transit.
We store passwords as hashed strings with a per-user salt (a one-way hash, so the original password cannot be recovered from what we store), and in some scenarios we store other sensitive data using two-way (reversible) encryption. Should the worst happen and your data be compromised, an attacker would still need to brute-force each salted hash individually, or obtain the encryption keys, before the data became readable. That second protection depends on the encryption keys being kept separate from the data they protect.
The frameworks we develop in provide tested security features out of the box. For example, Yii2 and Laravel allow us to escape and sanitise user input and to bind query parameters rather than concatenate them, protecting against SQL injection, cross-site scripting (XSS), host-header and cross-site request forgery (CSRF) attacks, and to avoid direct file exposure by keeping application code and uploads in protected, restricted directories outside the web root. Debug mode is only enabled in test environments, so live servers do not reveal source code or stack traces when an error occurs. Where a project needs it, we also write additional code that builds on the protections these frameworks provide.
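As an added, framework-agnostic illustration of two of the protections mentioned above (this is not code from the page, nor from Laravel or Yii2), the block below contrasts a query built by string concatenation with a parameterised one, and an unescaped HTML template with an escaped one. It is written in Python with an in-memory SQLite database so it runs stand-alone; the table, rows and functions are constructed for the example. Laravel's query builder and Blade's `{{ }}` syntax, and Yii2's ActiveRecord and `Html::encode()`, do the equivalent parameter binding and output encoding for you.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the username is pasted straight into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """FIXED: the username is sent as a bound parameter.

    The database driver never interprets the value as SQL, so quotes and
    keywords inside it are just characters to compare against.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_unsafe(username: str) -> str:
    """VULNERABLE: user-controlled text inserted into HTML without encoding."""
    return f"<p>Hello, {username}</p>"


def render_greeting_safe(username: str) -> str:
    """FIXED: html.escape encodes < > & \" ' so the browser renders them as text."""
    return f"<p>Hello, {html.escape(username)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(find_user_unsafe(db, payload))   # both rows leak
    print(find_user_safe(db, payload))     # [] : no user has that literal name
    xss = "<script>alert(1)</script>"
    print(render_greeting_unsafe(xss))     # script tag reaches the browser
    print(render_greeting_safe(xss))       # &lt;script&gt;... rendered as text
```

The lesson for review is that the fix is structural, not a matter of filtering "bad" characters: bound parameters keep data out of the SQL parser entirely, and contextual output encoding keeps data out of the HTML parser. Attribute and JavaScript contexts need their own encoders; `html.escape` covers element content and quoted attributes only.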
Even with the best development frameworks, developers can accidentally make mistakes that create security weaknesses. As an additional layer, we use a third-party static analysis service (Codacy) to review every line of code we write. Codacy notifies the team on each commit, flagging potential security issues before they reach production, which reduces the risk of releasing serious defects.
Developers use public/private key pairs, rather than passwords, for SSH access to hosted accounts when deploying code. This means each developer's access can be granted and revoked individually, and no shared password ever needs to be distributed.
Our standard servers are backed up daily, both on-site (bare-metal backups that allow restoration after a complete server failure) and to a secure, redundant off-site location within the UK. This gives multiple layers of backup redundancy and allows quick and complete recovery of data.
We offer the option of placing your site or application behind a content delivery network (CDN) such as Cloudflare or Akamai. These provide an extra layer of protection against DDoS attacks while also improving the performance of your service: an additional firewall layer (a web application firewall), rate limiting, and masking of your origin server's IP address from attackers. Masking is only effective when the origin server is configured to accept traffic from the CDN alone, so that an attacker who discovers the IP address cannot simply bypass the CDN.
Sites that take payment do so via industry-standard PCI DSS compliant processes. All of our staff are contractually obligated to follow our security policies and receive training on current data security procedures. We regularly sign non-disclosure agreements (NDAs).