At ecoPortal, data protection and security aren't just features—they're a core commitment. Ensuring your data's safety begins with fortifying our own defences.
Our Security and Privacy teams lay the groundwork by creating robust policies, implementing sound controls, ensuring compliance, and obtaining verification of our stringent security measures through third-party audits.
Here's what guides our policies:
Granting access only to those with a legitimate business need. Adhering to the principle of least privilege ensures that your information remains in trusted hands.
Building on the principle of defence-in-depth, we establish multiple security barriers. This multi-tiered approach ensures that even if one defence is breached, others stand firm to protect your data.
We apply our rigorous security controls across the entire organisation, leaving no area exposed. Consistency in safety is key to our steadfast defence.
Security at ecoPortal is never static. We continually enhance our controls, aiming for higher effectiveness, more transparent audit trails, and smoother, frictionless operations that prioritise your peace of mind.
We utilise TLS 1.3 or higher to secure data transmitted over any network that could be potentially insecure. Features such as HSTS (HTTP Strict Transport Security) further enhance our data's security whilst in transit. Management of server TLS keys and certificates is handled by AWS and deployed through Application Load Balancers, reinforcing our commitment to maintaining the utmost level of protection for your data, every step of the way. .
Encryption keys are expertly managed through the AWS Key Management System (KMS), with key material stored in Hardware Security Modules (HSMs). This method precludes direct access by any individuals, even employees of Amazon or ecoPortal. The keys within HSMs are utilised exclusively for encryption and decryption via Amazon's KMS APIs.
Application secrets, on the other hand, are encrypted and securely housed via AWS Secrets Manager and Parameter Store. Access to these values is strictly limited, ensuring that your confidential information remains under the strongest possible protection.
ecoPortal ensures our security is robust by engaging with top-tier penetration testing consulting firms at least once a year. Our current preferred partner is Cacilian, renowned as leading experts in security.
Every part of the ecoPortal product and cloud infrastructure falls within the scope of these meticulous assessments. By making the source code fully available to the testers, we maximise both the effectiveness and coverage of our security evaluations.
For those interested, we provide summary penetration test reports, reflecting our commitment to transparency and confidence in our security measures.
ecoPortal requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):
|Static analysis (SAST) testing of code during pull requests and on an ongoing basis||Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain|
|Malicious dependency scanning to prevent the introduction of malware into our software supply chain||Dynamic analysis (DAST) of running applications|
|Network vulnerability scanning on a period basis||External attack surface management (EASM) continuously running to discover new external-facing assets|
Utilising specialised software, we enforce implementing measures such as disk encryption, screen lock configuration, malware protection and password manager. This integrated approach underlines our commitment to safeguarding your information at every possible touchpoint.
We implement phishing-resistant authentication factors, prioritising the exclusive use of WebAuthn wherever possible.
Access to applications for ecoPortal employees is strictly controlled, aligned with individual roles, and is automatically revoked upon termination of employment. Any further access must comply with, and be approved according to, the specific policies established for each application. This robust structure emphasises our unwavering dedication to the security of your information.
We prioritise the continuous security education of our team. Comprehensive training is provided to all employees upon onboarding and annually thereafter, through educational modules within using Vanta platform. New recruits attend mandatory live sessions centred on vital security principles, while our engineers participate in targeted sessions focusing on secure coding principles and practices.
Furthermore, our security team actively shares regular threat briefings with employees. These briefings keep the team informed of critical security and safety-related updates, highlighting areas that demand special attention or action. This ongoing educational approach underscores our dedication to maintaining the highest level of security awareness and vigilance.
At ecoPortal, we are vigilant in assessing updates to regulatory standards and emerging frameworks. This ongoing evaluation ensures that our programme continually evolves, reflecting our steadfast commitment to maintaining compliance and safeguarding your data privacy.