We occasionally get asked generic security questions related to our hosted/SaaS provision - to speed the process of answering these we have taken a selection of the typical questions that we are asked and have posted them below.


Data Centre

Question | Response
--- | ---
Is the data encrypted at rest? | Yes, all data is stored on an encrypted storage device and replicated to another encrypted storage device
Secure data deletion | Data can be purged within the application or by PAS on request. As standard, data is retained until the end of the then current tax year for legislative reasons
Data centre hardware | All hardware is owned and maintained by PAS specifically for this provision
Data centre compliance | All data centres in use are ISO 27001 accredited - click here to access the data centre information
Data centre tenancy | Customer data is stored on shared storage devices
Data centre location (country) | Data centres are UK based and no data is ever transferred outside of the UK
Data centre providers | Prime and redundant facilities are with different suppliers - link?
Is the data encrypted in transit? | Yes, all communications to and from the data centre are conducted over an HTTPS/TLS connection
Data segregation | All customer data is segregated based on unique serial numbers, Active Directory and NTFS permissions
Data centre access | Data centres are access controlled - only pre-authorised visitors are allowed access and must present ID (passport/driving licence) to gain entry. Data centres all have CCTV and 24 hour supervision
Data centre security | All data centres are covered by secure access, CCTV and authorised-only access



Security/System

Question | Response
--- | ---
Is there 2FA (two factor authentication) support? | Yes, using authentication apps (Authy, Google, Microsoft etc.)
System access by PAS Ltd | Only the specific customer has access to their data. Any access by PAS would require management clearance and customer authorisation
API integrated services | All software and services in use are created and administered by PAS only
Penetration testing | Penetration tests are conducted on a regular basis, and customers are encouraged to commission their own tests if required. As our reports also detail internal data security elements, these reports are not available to customers/prospects
Business continuity | PAS has a formal Business Continuity plan that is tested at regular intervals - link
Segregation of duty | Access to client data is only permitted via management and customer request
Data backup | Data is both replicated and backed up. Customers can request a restore of specific data (charges may apply)
Subcontractors | No subcontractors are involved in the provision of the service
Data control | No customer data is used for any other purposes
Data subject rights | Individuals can't request data deletion directly, only via their business entity
Secure coding | PAS work to a secure coding practice - please see this document
Server updates | PAS work to a published update schedule to ensure all servers are fully patched - link
ICO registration | Our ICO registration is Z2118265
System diagram/description | System schematic is available here
Hosted P11D Organiser SLA | Please see published document
Performance and uptime | Please see published document
Outgoing mail encryption | All outgoing mail from the hosted P11D Organiser is TLS encrypted
Data deletion policy | Please see our Data Handling and Disposal of Sensitive Data documents
Development access to live environment | The development team DO NOT have access to the live environment outside of specific maintenance windows
Customer specified encryption | Customers can't request a specific encryption to be used on their storage
Information security policy | Please see published policy
Policy reviews | All company policies are reviewed at least on an annual basis
GDPR | All PAS Ltd terms & conditions contain relevant clauses for GDPR - click here to see the current hosted terms and conditions
How is data transferred within the system? | See this document that describes the workflow process
What are the password requirements for the site? | We supply a standard set of password requirements and enforcement (as below), however these can be adjusted on a per customer basis

  • Minimum password length of 7 characters
  • Maximum password length of 32 characters
  • 30 days before password expiry
  • A maximum of 5 invalid password attempts
  • No reuse of the previous 5 passwords
  • Passwords must include special characters
  • Passwords must be mixed case
  • Passwords must include numeric values
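The default password requirements above, enforced in code. This is an added example written for this page and is not PAS Ltd's own code: the rule names, the PBKDF2 settings and the sample timestamps are assumptions, and the per-customer adjustments the page mentions become constructor arguments. It shows the parts a questionnaire answer leaves implicit: reuse is checked against salted hashes rather than stored passwords, the lockout counter resets on a successful login or password change, and expiry is computed from the time the password was set.

```python
"""Enforce the listed default password policy (added example, not PAS Ltd's code)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    """Defaults are the values from the list; per-customer overrides go here."""
    min_length: int = 7            # minimum password length
    max_length: int = 32           # maximum password length
    expiry_days: int = 30          # days before password expiry
    max_invalid_attempts: int = 5  # invalid attempts before lockout
    history_depth: int = 5         # previous passwords that may not be reused

    def violations(self, candidate: str) -> list:
        """Return the rule names the candidate breaks; empty list means compliant."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too_short")
        if len(candidate) > self.max_length:
            problems.append("too_long")
        if not any(c in string.punctuation for c in candidate):
            problems.append("no_special")
        if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
            problems.append("not_mixed_case")
        if not any(c.isdigit() for c in candidate):
            problems.append("no_digit")
        return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserCredential:
    """Per-user state: current plus previous salted hashes, lockout counter, set time."""
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    failed_attempts: int = 0
    password_set_at: Optional[datetime] = None
    locked: bool = False

    def _in_history(self, candidate: str) -> bool:
        # history holds the current password and the previous history_depth ones
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, candidate: str, now: datetime) -> list:
        """Apply the policy and the reuse rule; on success store a fresh salted hash."""
        problems = self.policy.violations(candidate)
        if self._in_history(candidate):
            problems.append("reused")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(candidate, salt)))
        del self.history[self.policy.history_depth + 1:]
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False
        return []

    def is_expired(self, now: datetime) -> bool:
        """True once expiry_days have elapsed since the password was set."""
        if self.password_set_at is None:
            return True
        return now - self.password_set_at >= timedelta(days=self.policy.expiry_days)

    def verify(self, attempt: str) -> bool:
        """Constant-time check of a login attempt; failures count towards lockout."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[0]
        if hmac.compare_digest(hash_password(attempt, salt), digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_invalid_attempts:
            self.locked = True
        return False


def run_scenario() -> dict:
    """Walk one user through set, reuse, expiry and lockout; returns the observed outcomes."""
    t0 = datetime(2024, 4, 6)  # constructed timestamp
    user = UserCredential()
    out = {"initial_set": user.set_password("Summer2024!", t0)}
    out["login_ok"] = user.verify("Summer2024!")
    out["reuse_blocked"] = user.set_password("Summer2024!", t0)
    out["rotate"] = user.set_password("Autumn2024!", t0 + timedelta(days=1))
    out["expired_day_29"] = user.is_expired(t0 + timedelta(days=30))
    out["expired_day_30"] = user.is_expired(t0 + timedelta(days=31))
    for _ in range(user.policy.max_invalid_attempts):
        user.verify("wrong-guess")
    out["locked"] = user.locked
    out["login_after_lock"] = user.verify("Autumn2024!")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Expiry is reported separately from `verify` so the application can force a change on the next login instead of silently refusing it; the lockout is a per-user flag here, and a real deployment would also record the lockout event for the service desk and for detection.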



Company Specific

Question | Response
--- | ---
Do PAS Ltd have employers' / product / public / professional indemnity insurance? | Yes, we are covered for the following amounts: Employers' - £10m; Public/Product - £2m; Professional - £1m
Non-disclosure agreements | All employees are required to sign a non-disclosure agreement when commencing employment
Training & awareness | All staff are required to complete annual training in security and data management/handling
Pre-employment screening | All staff are run through a third party pre-employment screening process
Do PAS Ltd have a Business Continuity Plan? | Yes, it is available here
Is PAS Ltd ISO 27001 accredited? | Both data centres that we use are ISO 27001 accredited - please see this site regarding our main Manchester data centre