Security

Last edited: July 29th 2021

Network Security

  • We have regular security and penetration tests performed by a certified Service Provider of CREST (Council of Registered Ethical Security Testers) and certified CHECK Service Provider, maintaining the highest “green level” status.
  • We have a dedicated Information Security Team which includes highly skilled security engineers to perform regular internal security audits, the scope of which includes a risk assessment, vulnerability assessment and security assessment.
  • All communication channels between the users and the Openwage servers are encrypted using HTTPS 256-bit (TLS) encryption starting with the initial client login and covering all subsequent client-server interactions.
  • Openwage services are set up on highly protected data centers, which benefit from key features to help protect the data. These include alerting our administrators of malicious activity and policy violations, as well as identifying and taking action against attacks.
  • Anti-Malware / Anti-virus software is active on all servers. The latest virus definitions and programme enhancements are updated regularly to ensure that all newly created viruses are caught. All data is virus scanned before it is accepted into the Platform.

Data Storage

  • Data is secured from unauthorised access with encryption features and access management tools.
  • UK customer data is stored within the UK region.
  • We are registered with the Data Protection Register of the ICO (Information Commissioner’s office), registration number ZA849463.
  • We are committed to collecting, processing, storing and destroying all information in accordance with the General Data Protection Regulation, UK data protection law and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store.
  • All Openwage employees receive comprehensive Information Security training as part of the new employee enrolment procedure in addition to ongoing refresher training.

Corporate IT

  • All Openwage employees are vetted in accordance with BPSS (Baseline Personal Security Standards) / BS7858 standards to ensure authenticity and trustability of employees.
  • All Openwage employees receive comprehensive Information Security training as part of the new employee enrolment procedure. Refresher training is also provided to existing employees in the event that any changes occur that require additional training to be carried out.
  • Audit trails of access are logged and reviewed.
  • Network level permissions are provided on the basis of Network Access Control Lists and Security Groups.

Data Transfer

All transfer of data is performed over either HTTPS with no less than a 2048 bit using public key authentication.

Security Best Practices

  • All user passwords are salted and hashed with the Crypt algorithm.
  • Openwage is ISO 27001 compliant. We’re in the process of acquiring ISO 27001 Certification and Cyber Essentials Security Certification.
  • Adequate Disaster Recovery & Business Continuity procedures are in place to ensure maximum availability.
  • Disaster Recovery & Business Continuity testing procedures are carried out at least every 6 months.

Compliance and governance

  • The Openwage Platform includes appropriate controls with a view to protect any personal and sensitive information held or processed by the system in accordance with the terms of the DPA 2018 and the current GDPR regulations.
  • Implemented a Data protection team to oversee data protection information requests, compliance and breaches, including a dedicated email, dataprotection@openwage.com.
  • We are registered with the ICO under the UK Data Protection Act (ZA849463).
  • All data centres are readily compliant with ISO27001, SOC-1,2,3 PCI-DSS L1 and more.
  • All staff complete the NCSC cyber awareness training
  • All staff are checked with the DBS (Disclosure & Barring Service). This is an executive non-departmental public body, sponsored by the Home Office.