Data Protection – An Overview of our framework
We understand that when you use our cloud services, you are putting your trust in Capture with one of your most valuable assets—both the digital content and the related information, which may include personal information, metadata and much more.
We take your privacy seriously and use a matrix approach to manage this throughout the lifecycle of the assets we hold. Below we have provided a summary of our approach and would be happy to discuss the specifics with you as required. In addition to the resources, people and processes, we ground our commitments in strong contractual guarantees, so you can trust that we’ll protect the privacy and confidentiality of your data and will only use it in a way that’s consistent with your expectations.
Certified and secure: We use a mixture of Private and Public Cloud infrastructure.
Our primary datacentre provider holds certifications for ISO 27001, G-Cloud, PCI-DSS, CSA STAR and IASME. They have in place a multi-layer security system featuring swipe card and PIN for recorded access, CCTV with 90-day retention, security fencing and an intrusion alarm system. This ensures the physical security of all of our clients’ assets.
Highly redundant platform: Our facilities feature N+1 redundancy for power, including UPS and on-site generators, N+1 environmental controls (cooling), and double-knock and VESDA detection with fire suppression systems. Our private platform then includes multiple redundant networks and highly redundant RAID-based storage to ensure that your assets remain accessible with the highest possible uptime.
Resilience: We use a Microsoft-based server architecture, with most client implementations running in discrete, virtualized environments. This has multiple benefits, including allowing us to ring-fence any potential platform impact to specific clients, scale up resources based on site usage and restore instances quickly.
Scale where we need it: We supplement our core infrastructure with services from leading global service providers, including Amazon Web Services. This allows us to use their reach when needed, for example for CDN services, whilst not having to rely on metered services for our core offerings.
Deployment choice: Whilst our preference is to host your service ourselves, as this makes SLAs and management simpler, we do offer you options. You can self-host on your own infrastructure or on the public cloud, for example AWS, Azure or Alibaba. We also offer both shared and dedicated server options. These choices allow you to gain access to our platform in line with the specific security parameters your organization may wish to work within.
2. Monitoring and Backup
Peace of mind: We run daily disk-based on-site and software-based backups to ensure that your digital content is safe – no matter what happens. We can restore individual files or an entire system, keeping your assets safe at all times on a rolling 90-day window. We also provide long-term archiving for digital preservation on request, based on AWS Glacier.
Active monitoring: Both Capture and our data centre provider have active system monitoring in place, using tools including Rapidspike to prevent, highlight and mitigate a range of system-related issues – from disk utilization monitoring to DDoS attacks.
Regular updates: We actively monitor changes to our underlying software architecture, applying patches and upgrades based on a risk assessment matrix.
State-of-the-art: Capture’s system includes industry-standard user account management, but can also optionally integrate with Single Sign-On (SSO) providers, utilizing Active Directory, SAML or OIDC to work within your corporate systems. We can also activate MFA on user accounts on request.
Encryption: We use industry-standard encrypted transport protocols, such as Transport Layer Security (TLS 1.2/1.3), for data in transit. We can implement encryption for data at rest based on your requirements. We can utilize a wide range of encryption capabilities, giving you the flexibility to choose the solution that’s best for your business.
Fine-grained access control: Users and assets can easily be grouped together or controlled individually, ensuring that only the users you intend to access an asset can do so.
Secure Computing Framework: We are committed to aligning with the Secure Computing Framework and actively work to meet secure coding best practices, for example those published by OWASP.
Independent auditing: We work with a CREST-approved security specialist to undertake regular penetration testing, interrogating both our network and our web front end to identify and address any vulnerabilities. We also work collaboratively with multiple clients who undertake independent security audits.
4. Processes and documentation
ISO 27001: We are in the process of attaining our ISO 27001 accreditation, with completion targeted for spring 2022. Our journey to achieving this has involved a root-and-branch overhaul of our security framework. It would not be possible for us to secure a certification without having a robust, evidence-based approach to data security.
Compliance: We are committed to alignment with industry guidelines, not just in the UK. We have a Data Protection Officer to support governance, handle requests and assist with standards attainment, for example SAQ-A (in relation to PCI) in the UK.
Contractual commitment: We only process your data based on your agreement and in accordance with the strict policies and procedures that we have contractually agreed to. Our standard Terms and Conditions include specific references to GDPR (processes, personal data, data subjects), transition services (including data destruction policies), confidentiality and regulatory compliance. We are open to amendments to our T&Cs to reflect any specific requirements you may have – for example compliance or local law. When we deploy subcontractors or subprocessors to perform work that requires access to your data, they can perform only the functions that Capture has hired them to provide, and they are bound by the same contractual privacy commitments that we make to you. We disclose who these contractors are.
Note: This is not an exhaustive list of the framework for data security that we operate within. We would be happy to discuss further any specific aspect.