Disclaimer
The purpose of this document is to show our users/customers how we implement Information Security for the WhosOff platform. This document does not constitute a contract between customer and supplier, nor does it constitute towards the Terms and Conditions of the WhosOff service.
We are unable to sign, agree to or otherwise endorse any of our customers' own terms and conditions nor their own security related questionnaires and documents.
We hope this document will show we take Information Security seriously at the highest level and enable you to use the service with confidence.
X:drive Computing Limited
WhosOff is wholly owned and operated by X:drive Computing Limited.
Registered Office:
Office D+E, Beer Cart Building
1 Beer Cart Lane
Canterbury
Kent
CT1 2NY
The WhosOff trademark is the sole property of X:drive Computing Limited.
UK Trade mark
Number: UK00002409781
Classes: 9, 16, 35, 38, 42
US Trade mark
Serial: 85102767, Registration: 3943798
Basis: 44E
Platform & Data Centres
The WhosOff platform is a web based application, residing on servers owned by us, only accessible by our management team.
We use Microsoft Hyper-V technology to replicate data between data centres in the event of failure. Load balanced servers ensure we can provide a quality delivered online service even throughout high demand periods.
Servers are connected to Enterprise level databases and Enterprise level mail servers.
All of our physical servers are covered with appropriate on-site engineer support/warranties.
Managed firewalls prevent unauthorised access with an intrusion detection system to monitor network activity.
We are able to monitor all of our servers from within our office via screens constantly displaying disk space, CPU usage, temperatures and activity. Any out-of-range alert is sent to senior managers via SMS so that out-of-office hours are also covered.
New features are considered by the management team and, if approved, developed and tested thoroughly before implementation. We do not employ 3rd Party developers, nor do we allow any third party to connect to our servers.
First class data centres
Our first class data centres are based in the UK and have Tier 3 (TIA-942) classification, with alignment to Tier 4 standards.
The data centre locations are manned 24/7, razor-wire ring fenced and are monitored with CCTV. The data centre buildings themselves are card access only and also CCTV monitored.
Data centres are equipped with environmental controls, multiple power feeds and internet connections, along with generator backup power supply.

Data Storage & Failover
- Data is logically separated between customers accounts.
- WhosOff stores users' email addresses and their leave/absence information; we do not store other personal information.
- Passwords are stored as a one-way salted hash; we do not encrypt any other stored data.
- Data is encrypted between the browser and the web servers via Transport Layer Security (TLS 1.2 protocol).
- Password policy: Minimum length requirement
WhosOff supports integration with multiple vendors, for an up to date list check out our dedicated integrations page.
PCI DSS Compliance
We maintain rigorous data security standards to ensure that our customers' credit card information remains safe and secure. PCI DSS compliance is made via SAQ A3.2.1 and must be passed every 12 months.
Security testing / vulnerabilities
Vulnerability scans are carried out to fall in line with new security requirements from bodies such as OWASP/Cyber Essentials/NCSC, with any remedial work carried out within 2-4 weeks dependent on assessment/impact level.
Failover testing
Our failover procedures are tested every 6 months. These tests are in place to ensure our procedures allow for every eventuality and help us restore service for our customers in the event of power loss, internet loss, as well as total data centre loss.
Online Payments
We do not store any credit/debit cards for online payments. Our payment provider GlobalPayments are PCI DSS Level 1 certified and are responsible for managing payments on behalf of WhosOff.
Data Protection & GDPR
The Data Protection Act 1998 and UK GDPR.
We are a "Data Processor": we process data on your behalf as part of your use of our service. We are committed to GDPR and to our customers' GDPR compliance.
Our Terms and Conditions, along with our Privacy Policy have been updated to include the clauses and principles relating to Data Processing in accordance with the UK General Data Protection Regulation (UK GDPR), and this forms the Data Processing Agreement between us.
We will NOT be able to sign any additional agreements/contracts/documents.
Accreditations & Achievements
ISO27001:2017
Certificate No: 197436
X:drive Computing Limited, the owners and operators of WhosOff.com, are certified for the International Standard ISO27001:2017 in respect of Information Security. This means we have robust procedures in place for information and data confidentiality, integrity and availability.

Owned and operated by X:drive Computing Limited, who are registered with the Information Commissioner's Office.
Reg. Number: Z2383418

Crown Commercial Service Supplier
Service ID: 5315 8353 6212 146
Since 2016, WhosOff has been recognised as a Crown Commercial Service (CCS) supplier within the G-Cloud 9 Digital Marketplace. This means WhosOff can be used by organisations across the UK public sector, including central government, local government, health, education, devolved administrations, emergency services, defence and not-for-profit organisations.
Cyber Essentials
X:drive Computing Limited, owners and operators of WhosOff, have been independently assessed and verified to comply with the requirements of the Cyber Essentials Scheme.
Certification Date: 29-10-2024
Certification statement: "The Certificate certifies that the organisation was assessed as meeting the Cyber Essentials implementation profile and thus that, at the time of testing, the organisation's ICT defences were assessed as satisfactory against commodity-based cyber attack. However, this Certificate does not in any way guarantee that the organisation's defences will remain satisfactory against a cyber attack."

3rd Party Apps / Vendors
Google Analytics
We use anonymised statistical data to understand traffic/usage across the "Public" pages of our platform.
GlobalPayments
Our payment provider "GlobalPayments" are PCI DSS Level 1 certified and are responsible for managing payments on behalf of WhosOff.
SotaConnect
Our data centres are owned & operated by SotaCONNECT, a UK based ISO27001 accredited company. We own and operate our own servers located within these data centres (see Platform & Data Centres).
Emails / Support Systems
We don't use 3rd Party support / ticketing systems, which very often lead to customer data being stored on another vendor's platform outside of the EU.
We build and operate our own email/ticketing/support platform and your data will NEVER leave the UK.
What you could/should be asking your provider
The following questions are examples of what you should be asking your current/future provider. Answers from WhosOff are in italics under the question.
Who owns our data?
Where will the servers be based on which our data would be stored?
Is there any possibility of it being transferred outside the EU?
Do you use any subcontractors for the storing of our data and if so, who are they and where are they based; if any are based in the US, are they a member of the US Safe Harbor Scheme?
Are you ISO 27001 and/or 9001 and/or 27017/8 certified and/or certified by any other data security organisation? Please supply a copy of any relevant certificates.
Have you ever had a security breach and was any client data lost or accessed?
How is our data encrypted?
Is our data backed up?
Who can access my data?
What if a server crashes?
Will we need to sign a data processing agreement under GDPR?
We will NOT be able to sign any additional agreements, contracts or documents.