Security is of huge importance to Purepoint. We follow industry best practices at every step.
- We are Cyber Essentials certified.
- We are ISO 27001 compliant.
- We strive to stay up to date with and follow the guidance of OWASP on all security matters.
A quick overview of our main security processes and practices:
Security - Applications
- We use encryption at rest
- We use encryption in transit (TLS; legacy SSL versions are deprecated)
- We keep up to date with patches
- We follow good design practices such as two-factor authentication
- No sensitive data (credentials, keys) is stored in source repositories
Security - Key storage
- Keys are never shared over insecure channels
- Certificates and private keys are stored in an encrypted vault
Security - Secure storage
- 256-bit on-disk encryption is used to store:
  - Keys
  - Sensitive data
  - Passwords (unique per service)
Security - Data protection
We maintain accurate records about employees and any contractors currently working with us: names, addresses, dates of birth and payment details. We keep only the information we require, and when a team member leaves we remove it. We also hold information on our clients, such as names, job titles and contact details. Some of our software solutions and logging systems record IP addresses.
- Data is stored on a per-customer basis, generally in the EEA or the US.
Security - Social engineering
- If an employee receives an unusual request, they are instructed to confirm it out of band by calling or video-conferencing the requester, rather than replying through the channel the request arrived on. If they are still unsure, they check the request with management.
- Certain assets (e.g. keys, customer data) are never transferred outside the company.
Security - Employees
- All Google accounts are centrally managed
- Two-factor authentication is enforced on all accounts
- Workstations use disk encryption and strong passwords
- Photo ID is kept on record for all team members
- All team members have active contracts and IP assignment agreements in place
- Access and permissions are scoped per project
- No single person can cause system-critical information to be lost
Security - Hardware
- All public-facing production hardware is firewalled
- We run active monitoring and maintain blacklists
- We maintain asset registers
Security - Incident management
- We have tested disaster recovery (DR) plans
- We keep distributed audit trails and logging
- We have undergone penetration tests (simulated attacks) by third-party security companies