Hosted/SaaS Security Questions and Technical Policies

Modified on Tue, 13 Aug at 4:01 PM

Background

We occasionally get asked generic security questions related to our hosted/SaaS provision - to speed the process of answering these we have taken a selection of the typical questions that we are asked and have posted them below.

This should be viewed in conjunction with our Company Policy Statements page, which has more detailed information on specific areas.


Basic System Overview

We have produced a support page that covers, in broad terms, the architecture and flow of the SaaS system. This isn't a 'deep dive' into technology but should give a good overview of the principles in play. The page also takes you through a basic User Journey of the system - Click here to view. For a slightly more technical description of the operation, click here.


Data Centre

QuestionResponse
Is the data encrypted at restYes, all data is stored on a encrypted storage device(s) and replicated up to another encrypted storage device (HPE Nimble storage device encryption).
Where is the primary data centre?Our primary data centre is managed by Equinix, details can be found here.
Secure data deletionData can be purged within the application or by PAS on request. As standard, data is retained until the end of the then current tax year for legislative reasons.
Data centre hardwareAll hardware is owned and maintained by PAS specifically for this provision.
Data centre complianceAll data centres in use are ISO 27001 accredited - Click here to access the data centre information.
Data centre tenancyCustomer data is stored on shared storage devices (HPE Nimble devices).
Data centre location (country)Data centres are UK based and no data is ever transferred outside of the UK.
Data centre providersPrime and redundant facilities are with different suppliers - Equinix & ioMart.
Is the data encrypted in transitYes, all communications to and from the data centre are conducted under an HTTPS/TLS connection.
Data segregationAll customer data is segregated based on unique serial numbers, Active Directory and NTFS permissions.
Data centre accessData centres are access controlled - only pre-authorised visitors are allowed access and need to present ID (passport/driving licence) to gain access. Data centres all have CCTV and 24 hour supervision.
Data centre securityAll data centres are covered with secure access, CCTV and authorised only access.


Security / System

QuestionResponse
Is there 2FA (two factor authorisation) supportYes - please see the guide here. This can be set up for any account - please contact [email protected] for more information.
System Access by PAS LtdOnly the specific customer has access to their data. Any access by PAS would require management clearance and customer authorisation.
API integrated servicesAll software and services in use are created and administered by PAS only.
Penetration testingPenetration tests are conducted on regular basis, and customers are encouraged to commission their own tests if required. As our reports also detail internal data security elements, these reports are not available to customers/prospects, although the latest summary sheet can be accessed here.
Business continuityPAS has a formal Business Continuity plan that is tested at regular intervals - Business Continuity Management.
Segregation of dutyAccess to client data is only permitted via management and customer request.
Data BackupData is both replicated and backed-up. Customers can request a restore of specific data (charges may apply) - see here: Hosted/SaaS Replication and Backup.
SubcontractorsNo subcontractors are involved in the provision of the service.
Data controlNo customer data is used for any other purposes.
Data subject rightsIndividuals can't request data deletion directly, only via their business entity.
DDoS prevetionAll web facing properties are proxied via Cloudflare.
Secure codingPAS work to a secure coding practice.
Server updatesPAS work to a published update schedule to ensure all servers are fully patched.
ICO RegistrationOur ICO registration is Z2118265.
System diagram/descriptionSystem schematic is available here.
Hosted P11D Organiser SLASee support article: Hosted P11D Organiser Uptime SLA.
Performance and uptimePlease see published document.
Outgoing mail encryptionAll outgoing mail from the hosted P11D Organiser if TLS encrypted.
Data deletion policyPlease see our Data Handling and Disposal of Sensitive Data documents.
Development access to live environmentThe development team DO NOT have access to the live environment outside of specific maintenance windows.
Customer specified encryptionCustomers can't request a specific encryption to be used on their storage.
Information security policyPlease see published policy.
Policy reviewsAll company policies are reviewed at least on an annual basis.
GDPRAll PAS Ltd terms & conditions contain relevant clauses for GDPR - click here to see the current hosted terms and conditions.
How is email sent?Emails from the SaaS solution is either sent via an OAuth connection to Office 365/Google Workspace or via the PAS Ltd SMTP server located in our data centre. If using the SMPT server, all mail is sent from the "[email protected]" address to avoid 'spoofing' issues.
Web Application Firewall (WAF)There is a Web Application Firewall in place hosted via Cloudflare.
How is data transferred within the system?See this document that describes the workflow process.
What are the password requirements for the site?We supply a standard set of password requirements and enforcement (as below), however these can be adjusted on a per customer basis:
  • Minimum password length of 8 Characters.
  • Maximum password length of 32 Characters.
  • 30 Days before password expiry.
  • A maximum of 5 invalid password attempts.
  • No reuse of the previous 5 passwords.
  • Passwords must include special characters.
  • Passwords must be mixed case.
  • Passwords must include numeric values.
  • Can not contain the word "Password".


Firewall / Ports

QuestionResponse
What is the main address/URLhttps://www.myp11d.com - we would suggest that IT teams ensure *.myp11d.com (wildcard) is allowed on firewalls to ensure connectivity.
What external IP address does the site use?The main site is proxied/protected via Cloudflare, so it would be one of their addresses, Currently it is showing as 104.26.8.173, but this Cloudflare support page may assist: Cloudflare IP ranges.
What port does communicate over443.
Other informationIf you are running ZScaler, you may need to add the SSL exceptions: p11d.co and *.myp11d.com.


Company Specific

QuestionResponse
Do PAS Ltd have employers' / product / public / professional / cyber indemnity insurance?Please see our Insurances Page for details. Yes, we are covered for the following amounts:
  • Employers' - £10m
  • Public - £5m
  • Product - £5m
  • Professional - £1m
  • Cyber - £2m
Confidentiality AgreementsAll employees are required to sign a terms and conditions that include a confidentiality agreement when commencing employment.
Training & awarenessAll staff are required to complete annual training in security and data management/handling.
Pre-employment screeningAll staff are run through a third-party pre-employment screening process.
Do PAS Ltd have a Business Continuity Plan?Yes, it is available here.
Is PAS Ltd ISO 27001 accredited?Both data centres that we use are ISO 27001 accredited - please see this site regarding our main Manchester data centre, and here for the certification.



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article