We occasionally get asked generic security questions related to our hosted/SaaS provision - to speed the process of answering these we have taken a selection of the typical questions that we are asked and have posted them below.
This should be viewed in conjunction with our Company Policy Statements page, which has more detailed information on specific areas.
Basic System Overview
We have produced a support page that covers, in broad terms, the architecture and flow of the SaaS system. This isn't a 'deep dive' into technology but should give a good overview of the principles in play. The page also takes you through a basic User Journey of the system - Click here to view. For a slightly more technical description of the operation, click here.
Data Centre
| Question | Response |
| Is the data encrypted at rest | Yes, all data is stored on a encrypted storage device(s) and replicated up to another encrypted storage device (HPE Nimble storage device encryption). |
| Where is the primary data centre? | Our primary data centre is managed by Equinix, details can be found here. |
| Secure data deletion | Data can be purged within the application or by PAS on request. As standard, data is retained until the end of the then current tax year for legislative reasons. |
| Data centre hardware | All hardware is owned and maintained by PAS specifically for this provision. |
| Data centre compliance | All data centres in use are ISO 27001 accredited - Click here to access the data centre information. |
| Data centre tenancy | Customer data is stored on shared storage devices (HPE Nimble devices). |
| Data centre location (country) | Data centres are UK based and no data is ever transferred outside of the UK. |
| Data centre providers | Prime and redundant facilities are with different suppliers - Equinix & ioMart. |
| Is the data encrypted in transit | Yes, all communications to and from the data centre are conducted under an HTTPS/TLS connection. |
| Data segregation | All customer data is segregated based on unique serial numbers, Active Directory and NTFS permissions. |
| Data centre access | Data centres are access controlled - only pre-authorised visitors are allowed access and need to present ID (passport/driving licence) to gain access. Data centres all have CCTV and 24 hour supervision. |
| Data centre security | All data centres are covered with secure access, CCTV and authorised only access. |
Security/System
| Question | Response |
| Is there 2FA (two factor authorisation) support | Yes - please see the guide here. This can be set up for any account - please contact support@p11dorganiser.co.uk for more information. |
| System Access by PAS Ltd | Only the specific customer has access to their data. Any access by PAS would require management clearance and customer authorisation. |
| API integrated services | All software and services in use are created and administered by PAS only. |
| Penetration testing | Penetration tests are conducted on regular basis, and customers are encouraged to commission their own tests if required. As our reports also detail internal data security elements, these reports are not available to customers/prospects, although the latest summary sheet can be accessed here. |
| Business continuity | PAS has a formal Business Continuity plan that is tested at regular intervals - Business Continuity Management. |
| Segregation of duty | Access to client data is only permitted via management and customer request. |
| Data Backup | Data is both replicated and backed-up. Customers can request a restore of specific data (charges may apply) - see here: Hosted/SaaS Replication and Backup. |
| Subcontractors | No subcontractors are involved in the provision of the service. |
| Data control | No customer data is used for any other purposes. |
| Data subject rights | Individuals can't request data deletion directly, only via their business entity. |
| DDoS prevetion | All web facing properties are proxied via Cloudflare. |
| Secure coding | PAS work to a secure coding practice. |
| Server updates | PAS work to a published update schedule to ensure all servers are fully patched. |
| ICO Registration | Our ICO registration is Z2118265. |
| System diagram/description | System schematic is available here. |
| Hosted P11D Organiser SLA | See support article: Hosted P11D Organiser Uptime SLA. |
| Performance and uptime | Please see published document. |
| Outgoing mail encryption | All outgoing mail from the hosted P11D Organiser if TLS encrypted. |
| Data deletion policy | Please see our Data Handling and Disposal of Sensitive Data documents. |
| Development access to live environment | The development team DO NOT have access to the live environment outside of specific maintenance windows. |
| Customer specified encryption | Customers can't request a specific encryption to be used on their storage. |
| Information security policy | Please see published policy. |
| Policy reviews | All company policies are reviewed at least on an annual basis. |
| GDPR | All PAS Ltd terms & conditions contain relevant clauses for GDPR - click here to see the current hosted terms and conditions. |
| How is email sent? | Emails from the SaaS solution is either sent via an OAuth connection to Office 365/Google Workspace or via the PAS Ltd SMTP server located in our data centre. If using the SMPT server, all mail is sent from the "donotreply@myp11d.com" address to avoid 'spoofing' issues. |
| Web Application Firewall (WAF) | There is a Web Application Firewall in place hosted via Cloudflare. |
| How is data transferred within the system? | See this document that describes the workflow process. |
| What are the password requirements for the site? | We supply a standard set of password requirements and enforcement (as below), however these can be adjusted on a per customer basis:
|
Firewall/Ports
| Question | Response |
| What is the main address/URL | https://www.myp11d.com - we would suggest that IT teams ensure *.myp11d.com (wildcard) is allowed on firewalls to ensure connectivity. |
| What port does communicate over | 443. |
| Other information | If you are running ZScaler, you may need to add the SSL exceptions: p11d.co and *.myp11d.com. |
Company Specific
| Question | Response |
| Do PAS Ltd have employers' / product / public / professional / cyber indemnity insurance? | Please see our Insurances Page for details. Yes, we are covered for the following amounts:
|
| Confidentiality Agreements | All employees are required to sign a terms and conditions that include a confidentiality agreement when commencing employment. |
| Training & awareness | All staff are required to complete annual training in security and data management/handling. |
| Pre-employment screening | All staff are run through a third-party pre-employment screening process. |
| Do PAS Ltd have a Business Continuity Plan? | Yes, it is available here. |
| Is PAS Ltd ISO 27001 accredited? | Both data centres that we use are ISO 27001 accredited - please see this site regarding our main Manchester data centre, and here for the certification. |