Apply4 Technology security overview
Apply4 Technology Ltd is a software as a service (SaaS) provider for authorities to manage application processes. Our portfolio includes FilmApp, our flagship product, EventApp, and WorksApp, all offering integrated solutions allowing applications to be made online simply and inexpensively. Our systems are currently used by local authorities and landowners in the UK and USA.
We understand how important it is that our clients can trust our system to be reliable and secure. To meet the high standards expected, we have taken steps that we believe have created a robust, resilient and dependable system. This document outlines the key parts of our security system. Where questions arise about our approach, we are always happy to provide answers.
Apply4 Technology’s products are hosted on public servers managed by our hosting partner EveryCity Ltd. All data, including backups, is stored in the UK in two locations:
Primary datacentre: Interxion, 11 Hanbury Street, London, E1 6QR
Offsite backups: The Bunker, Ash Radar Station, Marshborough Road, Sandwich, Kent
* If a client would prefer their data to be hosted and reside in another location, i.e. on a USA based public cloud server such as Amazon Web Services or Joyent, we are happy to work with them to put this setup in place. The following storage, security and cloud backup information would need to change and would not be available until we configure the service.
The server’s configuration and environment includes:
The servers are monitored twenty four hours a day, seven days a week and alarms are in place to protect critical systems following best practice set by the ITILv3 framework. These include both internal checks and external checks performed from a separate network as part of a Nagios monitoring system. Alerts from these checks are sent to the EveryCity Network Operations Centre and can be configured to be sent to third parties on request. Performance statistics are produced as part of the monitoring process including core server vitals such as CPU, memory and disk space. These are available in graph form.
Security patches are updated weekly, every Sunday at 0300 GMT.
Emergency resilience support is provided all day, three hundred and sixty five days a year with routine support offered Monday to Friday, 0900 to 1800 GMT.
Data Security, Backup, and Compliance
All information while on the move between the browser and our systems is protected from eavesdroppers with 256-bit SSL encryption. The lock icon in your browser lets you verify that you aren’t talking to a phishing site impersonating our applications and that your data is secure in transit.
To ensure data at rest contained on the server is protected, we operate a dedicated virtual server in a cloud environment. Only Apply4 Technology client data is stored within this virtual server.
Your data is stored alongside other Apply4 Technology client data within this server. The data is prevented from mixing with other client information by unique application codes. Data is always stored on the file system and in our database using a unique client ID and is protected by a strong password. When you log in, this ID is used to determine what information is displayed. Our application code ensures you can never access other client data, and other clients cannot access your data. We also use permission levels and sharing rules to separate information within each client data set.
While we hold all data during the life of a contract, the authority retains ownership of its data. Our Master Service Agreement with each authority outlines this in full. The Master Service Agreement also sets out that clients would be notified via email as soon as possible following any breach of their data.
* Different levels of additional protection can be provided if required. For example, we could provide a dedicated virtual server for you, which runs a copy of an application’s code, but with only your data stored on this virtual server.
Cloud data backup
We have a daily incremental backup procedure with data retained for a fourteen-day period. Each hour a ZFS snapshot is taken of the physical hosts; these snapshots are kept for twenty-four hours before being securely deposited. A further snapshot of the server is taken locally each day and then sent over an encrypted dedicated leased line to a hard-disk-based backup storage array at our offsite backup facility. These backups are kept for 14 days.
Backups are fully integrated into EveryCity’s Hypervisor, so there is little room for operator error. When a new VM is provisioned, its file system is automatically snapshotted as the backup script snapshots all file systems on the server. We can roll back a SmartOS Zone or Windows/Linux VM to a snapshot held locally on a physical host within seconds so long as the data is still held. To restore from further back, we would need to transfer the backup from the offsite location which might take longer.
Log files of backup jobs are kept on the server for 30 days. Backups are performed to disk and their success status is monitored. Failed disks are kept on-site until they can be securely destroyed by a certified data destruction company. Removal of any media that has not been securely erased is expressly forbidden by EveryCity’s Information Security Policy.
We would be happy to set up a simulated scenario of the loss of a server to show the recovery process in action.
Contractual privacy protection for customers
Apply4’s employment contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer and end user data, except under certain narrowly defined circumstances, such as when required by law.
Apply4 Technology employees agree not to access customers’ accounts, including customer data, except to maintain the service, prevent or respond to technical or service problems, at a customer’s request in connection with a customer support issue, or where required by law.
Code of Conduct, Confidentiality Agreements, and Information Security Policies
Every Apply4 Technology employee and contractor must follow Apply4’s code of conduct, sign confidentiality agreements and follow Apply4’s security policies.
We understand that having confidence that secure and resilient systems are in place is vital for our partners. Our goal is to ensure that Apply4 Technology’s application management systems are able to fully meet your needs. While this document provides a snapshot of the protection that is in place using our standard hosting provider, we are always willing to discuss our approach and work with partner communities to make sure that we are able to meet their individual needs.
* We would obtain this information as part of any due diligence before establishing a relationship with any other cloud service provider.
If you have any additional questions please contact us directly on firstname.lastname@example.org.
31st March 2018