Security Centre

The Compliance Space is a tool developed for our clients to maintain a robust data privacy and data protection operating model. We recognise that information security is a key pillar for all organisations. At The Compliance Space, we take the privacy and security of our clients' data very seriously. This Security Centre has been developed to be transparent about our operations and to build trust with our clients.



Organisational Security

At The Compliance Space we operate robust organisational processes and policies in alignment with the ISO 27001 standard and the Data Protection Act 2018. This includes internal audits by our dedicated information security personnel.

  1. Staff

    Our staff are granted access to clients' data on a need-to-know basis, as appropriate to their role. All staff are required to have and maintain a high level of awareness of data privacy and security.

    All staff are vetted for suitability for their roles with appropriate security checks completed where necessary.

    The Compliance Space has a dedicated Data Protection Officer who is responsible for both Information Security and Data Privacy.

    All staff are equipped with physical assets such as laptops and mobile phones that meet our Minimum Security Measures, which are:

    1. Local encryption

    2. Password protection

    3. Up-to-date Operating Systems

    4. Up-to-date antivirus software

    5. Mobile Device Management



Physical Security

  1. Office Security

    The Compliance Space operates as a team from UK-based office locations that meet stringent physical security controls to protect our data and that of our clients. These controls include, as a minimum:

    1. Door entry systems

    2. CCTV

    3. Visitor procedures

    4. Physical lockable stores

  2. Data Centre Security

    All services for The Compliance Space platform are hosted within the Amazon Web Services (AWS) data centre estate. The platform benefits from multi-Availability-Zone failover within the EU region. AWS adheres to stringent security regulations and controls that meet our baseline controls, covering both physical and logical security; more detail is available here: https://aws.amazon.com/compliance/data-center/controls/



Platform Security

  1. Network Security

    The Compliance Space platform is an internet-facing platform whose internet connectivity is delivered by the AWS network. In combination with the base-level controls that exist on that network and the architected network infrastructure of The Compliance Space, we protect our platform using:

    1. Distributed Denial of Service (DDoS) mitigation

    2. Network redundancy

    3. Perimeter firewall

    4. Front end / back end separation

    5. Hardened operating system instances

  2. Secure Development

    The introduction of change to The Compliance Space platform is governed by a strict Change Management Policy and a principles-based Secure Development Policy. This includes code quality assurance, code versioning and staged testing. The code is periodically tested for quality, duplication and vulnerabilities by an independent organisation.

  3. Data Security

    The security of our clients' data is our top priority. As such we have implemented a number of controls to ensure the Confidentiality, Integrity and Availability of this data. These include:

    1. Multi-zone data replication for high availability

    2. Local and offsite encrypted backups

    3. AES-based database encryption

    4. Encryption in transit for user connections as well as between the front-end and back-end instances

    5. Tokenized user passwords with a minimum complexity requirement

    6. Admin access only via IP-whitelisted networks and bastion hosts

  4. Data Retention and Destruction

    We recognise that the data within our platform belongs to our clients and that we have a duty of care to ensure this data is retained only for as long as necessary, in alignment with our retention periods (https://www.thecompliancespace.com/privacy-notice), and that it is destroyed appropriately.

    The destruction of data from The Compliance Space is carried out through database data removal via the functions of the platform, such as the deletion of a user or the full deletion of a client's data at the end of the contract term. Before deletion, this data is fully available as machine- and human-readable downloads from the platform itself.

  5. Penetration Testing

    As The Compliance Space is an internet-facing platform, it is appropriate to perform external testing for vulnerabilities. Penetration testing is completed annually on The Compliance Space by an external organisation. The testing criteria include the vulnerability categories of the OWASP Top 10, as published by the Open Worldwide Application Security Project (OWASP).



Incident Management

  1. Incident Response

    The response to security incidents is governed by a robust process which includes triage, assessment, remediation and lessons-learnt phases. All security incidents are recorded. To report a security incident, please email us directly at support@thecompliancespace.com.

  2. Personal Data Breach

    Both as a business and through our platform, The Compliance Space processes personal data in accordance with our data privacy notice. As a result we have a robust and appropriate Personal Data Breach Response process. This process includes phases to triage and assess the breach and to identify the data involved. We take this responsibility seriously and conclude the process by remediating the breach and communicating with data subjects and the Information Commissioner's Office (ICO) as appropriate.

Get in touch

To find out how The Compliance Space can help your business, fill out our contact form and someone will be in touch shortly to discuss your requirements.