Background
We occasionally get asked generic security questions related to our hosted/SaaS provision - to speed the process of answering these we have taken a selection of the typical questions that we are asked and have posted them below.
This should be viewed in conjunction with our Company Policy Statements page, which has more detailed information on specific areas.
Basic System Overview
We have produced a support page that covers, in broad terms, the architecture and flow of the SaaS system. This isn't a 'deep dive' into technology but should give a good overview of the principles in play. The page also takes you through a basic User Journey of the system - Click here to view. For a slightly more technical description of the operation, click here.
Data Centre
| Question | Response |
| Is the data encrypted at rest | Yes, all data is stored on a encrypted storage device(s) and replicated up to another encrypted storage device (supplied by the Microsoft data centre). |
| Where is the primary data centre? | Our data centres are managed by Microsoft Corp. |
| Secure data deletion | Data can be purged within the application or by PAS on request. As standard, data is retained until the end of the then current tax year for legislative reasons. |
| Data centre hardware | All hardware is owned and maintained by Microsoft Corp. |
| Data centre compliance | All data centres in use are ISO 27001 accredited - Click here to access the data centre information. |
| Data centre tenancy | Customer data is stored on shared storage devices provided by Microsoft Corp. |
| Data centre location (country) | Data centres are UK based and no data is ever transferred outside of the UK. |
| Data centre providers | Prime and redundant facilities are within separate Microsoft data centres in the UK. |
| Is the data encrypted in transit | Yes, all communications to and from the data centre are conducted over a secure Microsoft Azure encrypted connection. |
| Data segregation | All customer data is segregated based on unique serial numbers, Active Directory and NTFS permissions. |
| Data centre access | Data centres are inaccessible outside Microsoft Corp. staff |
| Data centre security | All data centres are covered with secure access, CCTV and authorised only access. |
| Data centre ISO27001 certificate | The current ISO27001 certificate for the Microsoft Corp. data centre can be found here. |
Security / System
| Question | Response |
| Is there 2FA (two factor authorisation) support | Yes - please see the guide here. This can be set up for any account - please contact support@p11dorganiser.co.uk for more information. |
| Is Single Sign On (SSO) available? | Yes, the system can be configured to work with Single Sign On and authentication systems from Microsoft or Google. SSO can also be configured as 'mandatory'. |
| System Access by Personal Audit Systems Ltd | Only the specific customer has access to their data. Any access by PAS would require management clearance and customer authorisation. |
| API integrated services | All software and services in use are created and administered by PAS only. |
| Penetration testing | Penetration tests are conducted on regular basis, and customers are encouraged to commission their own tests if required. As our reports also detail internal data security elements, these reports are not available to customers/prospects, although the latest summary sheet can be accessed here. |
| Business continuity | PAS has a formal Business Continuity plan that is tested at regular intervals - Business Continuity Management. |
| Segregation of duty | Access to client data is only permitted via management and customer request. |
| Data Backup | Data is both replicated and backed-up. Customers can request a restore of specific data (charges may apply) - see here: Hosted/SaaS Replication and Backup. |
| Subcontractors | No subcontractors are involved in the provision of the service. |
| Data control | No customer data is used for any other purposes. |
| Data subject rights | Individuals can't request data deletion directly, only via their business entity. |
| DDoS prevention | All web facing properties are proxied via Cloudflare. |
| Vulnerability scanning | We run monthly external vulnerability scans on the live web site, utilising the following methodologies:
|
| Secure coding | PAS work to a secure coding practice. |
| Server updates | PAS work to a published update schedule to ensure all servers are fully patched. |
| ICO Registration | Our ICO registration is Z2118265. |
| Hosted P11D Organiser SLA | See support article: Hosted P11D Organiser Uptime SLA. |
| Performance and uptime | Please see published document. |
| Outgoing mail encryption | All outgoing mail from the hosted P11D Organiser is TLS encrypted. |
| Data deletion policy | Please see our Data Handling and Disposal of Sensitive Data documents. |
| Development access to live environment | The development team DO NOT have access to the live environment outside of specific maintenance windows. |
| Customer specified encryption | Customers can't request a specific encryption to be used on their storage. |
| Information security policy | Please see published policy. |
| Policy reviews | All company policies are reviewed at least on an annual basis. |
| GDPR | All Personal Audit Systems Ltd terms & conditions contain relevant clauses for GDPR - click here to see the current hosted terms and conditions. |
| How is email sent? | Emails from the SaaS solution are sent via an OAuth connection to Office 365/Google Workspace. |
| Web Application Firewall (WAF) | There is a Web Application Firewall in place hosted via Cloudflare. |
| What are the password requirements for the site? | We supply a standard set of password requirements and enforcement (as below), however these can be adjusted on a per customer basis:
|
Firewall / Ports
| Question | Response |
| What is the main address/URL | https://www.myp11d.com - we would suggest that IT teams ensure *.myp11d.com (wildcard) is allowed on firewalls to ensure connectivity. |
| What external IP address does the site use? | The main site is proxied/protected via Cloudflare, so it would be one of their addresses, Currently it is showing as 104.26.9.173, but this Cloudflare support page may assist: Cloudflare IP ranges. |
| What port does the software communicate over | 443. |
| Other information | If you are running ZScaler, you may need to add the SSL exceptions: p11d.co and *.myp11d.com. |
Company Specific
| Question | Response |
| Do Personal Audit Systems Ltd have employers' / product / public / professional / cyber indemnity insurance? | Please see our Insurances Page for details. Yes, we are covered for the following amounts:
|
| Confidentiality Agreements | All employees are required to sign a terms and conditions that include a confidentiality agreement when commencing employment. |
| Training & awareness | All staff are required to complete annual training in security and data management/handling. |
| Pre-employment screening | All staff are run through a third-party pre-employment screening process. |
| Do Personal Audit Systems Ltd have a Business Continuity Plan? | Yes, it is available here. |
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article