Last reviewed: June 2024
At Elucidat, information security and data protection are at the forefront of everything we do. We have robust processes and practices in place to ensure data, server, application, network, physical, and access security in everything we do.
Elucidat is ISO 27001:2022 certified meaning that we are fully committed to securing and protecting your data. Our systems, infrastructure, and our own behaviours are designed with confidentiality, integrity, and availability in mind so that we provide a reliable service that you can depend on.
We also fully adhere to the General Data Protection Regulation (GDPR). As a company, we take pride in ensuring data protection is by design and by default - making information security and data protection part of our culture.
Our Information Security Team is headed up by our CTO and our Operations Manager. If you have any questions on our information security or data protection practices, please contact operations@elucidat.com.
Information Security & Data Protection at Elucidat
Elucidat uses commercially reasonable efforts to implement and maintain the security measures listed below. We may update or modify these Security Measures from time to time provided that the updates and modifications will not result in any material reduction in the overall standard of information security.
Data Hosting
- Data Centers: Elucidat hosts data on Amazon Web Services (AWS), which is an ISO 27001 and SOC certified cloud hosting provider. AWS maintains industry-leading security practices and offers state-of-the-art environmental and physical protection for the Elucidat services and infrastructure. (More information: https://aws.amazon.com/compliance/data-center/controls/)
- Backups: Elucidat conducts system and database backups, at least daily. Backed up data is stored for fourteen (14) days after initial backup date. We perform regular backups and restoration testing.
- Resilience: All Elucidat services are set up to auto-scale to ensure resilience in periods of high demand.
- Hosting Security: All servers are hosted within Virtual Private Networks and hardened using industry-standard hardening practices such as non-standard ports and firewalls, limiting our attack surface.
Application Security
- Vulnerability Scanning: Elucidat utilises both internal and external penetration testing to ensure regular coverage. Our internal penetration testing is carried out on weekly and monthly cycles, with external penetration tests conducted annually.
- RBAC (Role Based Access Control): Elucidat uses IAM (Identity and Access Management) policies to enforce strict access controls for employees to access secure server environments.
- Updates: All Elucidat servers have security updates applied automatically, daily. All servers are built via ‘infrastructure as code’, ensuring a highly consistent, secure and resilient server environment.
- Development: All development at Elucidat follows our Software Development Life Cycle process, which enshrines secure development processes:
- Any risks associated with development are identified, mitigated and managed through this process.
- All development and testing are carried out in secure environments without access to production data (or any personally identifiable information).
Data Practices
- Industry Standard Encryption: All data is encrypted, at rest and in transit (using SSH or HTTPS, and AES-256 encryption).
- Retention and Deletion: All personally identifiable data about Learners and Authors using Elucidat is deleted or anonymised after a period of 3 years from licence end. Staff are regularly requested to remove any downloaded data from their laptops and ensure it is securely deleted after use.
- Downloading data is only carried out either in support of the service we provide or at the request of our clients.
- Downloaded personal data is deleted immediately after use.
- Storage: Elucidat is a multi-tenant environment hosted on AWS servers and logically isolates Customer Data.
- Transfer of Information: Secure processes are in place in order to transfer data to our customers.
Network Protection
- Firewalls: Elucidat configures firewalls according to industry best practices and unnecessary ports and protocols are blocked by configuring AWS Security Groups and NACL (Network Access Control Lists). Configurations are regularly monitored using cloud security tools.
- Monitoring, Logging, and Alerting: Elucidat utilises application logs to monitor for suspicious activity wherever possible. These logs are regularly reviewed.
- AWS WAF (Web Application Firewall): Elucidat uses AWS WAF to prevent brute-force and DoS (Denial of Service) attacks.
Organisational Security
- Access Controls: Elucidat provides access to information systems based on the principle of least privilege and access is revoked promptly upon termination. We review all system access quarterly or when there is a material change within the business.
- Multi-factor Authentication (MFA) / Single Sign-On (SSO): Elucidat utilises MFA or SSO across all core systems within the business.
- Passwords: We enforce best practice password complexity requirements on all Elucidat system access. We utilise a password manager tool to ensure that passwords can be stored securely and that reuse of passwords is limited.
- Anti-Virus and Malware: We use MacBooks as standard issue at Elucidat, allowing for strong security controls as standard on all devices. Elucidat employs an anti-virus and malware solution on all end user devices.
- Endpoint Security: All Elucidat devices are configured to meet our security requirements, and registered with our Mobile Device Management (MDM) software, which includes full disk encryption, remote data wipe and lock capabilities, and which also disables the use of removable media.
- Monitoring and Incident Response: We have a comprehensive Incident Management & Business Continuity Policy in place, ensuring that all data can be restored in a timely manner in the case of disaster. We conduct disaster recovery rehearsals annually.
- Physical Access: Elucidat has a business HQ in Brighton, England; however, as we have no server infrastructure on site, our physical security risks are minimal. We adhere to best practice physical security including fob entry, out-of-hours deadlocks and alarms, and CCTV, and we lock all devices away when not in use. Office setup ensures the contents of computer screens are not viewable through windows.
- Disposal of Assets: All Elucidat assets (whether electronic or paper) are disposed of securely at the end of their use. We follow manufacturer instructions to factory reset MacBooks and all paper based waste is shredded and disposed of securely.
- Policy Management: All key information security policies within the business are reviewed and updated every 6 months or when a material change occurs within the business. These include: Information Security Policy; Incident Management & Business Continuity Policy; Software Development Policy; Access Control & Data Integrity Policy; Information Security Risk Management Policy; Patch Policy; Change Management Policy; Employee Handbook; Internal Security Rules; and Staff Employment Policy.
People Security
- Information Security: Elucidat requires all staff to comply with our Internal Security Rules as well as our wider information security policies and procedures. Compliance is regularly reviewed and noncompliance is subject to disciplinary action. This applies to all staff whether working in the office or remotely.
- Background Checks: Elucidat conducts background checks for employees and contractors as appropriate depending on their role and responsibilities within the business. At a minimum all staff have their ID verified and references collected from at least 2 previous employers.
- Confidentiality: All Elucidat staff and contractors are bound by appropriate confidentiality agreements either through their Employment Contract or a Supplier NDA.
- Security Education and Awareness Training: All staff at Elucidat are required to attend security and privacy training upon hire and annually thereafter. We also provide ad hoc training and information sessions throughout the year to ensure staff awareness is up to date.
Subprocessors & Third Party Suppliers
- Due Diligence: Elucidat conducts thorough security reviews for all vendors and third party suppliers prior to onboarding to ensure adequate levels of security, compliance, and privacy for the scope of services provided.
- Confidentiality: Elucidat ensures our security standard is maintained by establishing agreements that require subprocessors and third party suppliers to adhere to confidentiality commitments.
Security Certifications and Reports
- Security Compliance: Elucidat maintains ISO 27001:2022 certification with a UKAS accredited body. In order to maintain ISO 27001:2022 certification we must demonstrate a commitment to our ISMS maintenance and ongoing improvement, which is audited annually.
- Penetration Testing: Elucidat works with independent third party firms to conduct penetration tests at least annually. Results of these tests are shared with senior management, triaged, prioritised, and remediated in a timely manner.