Building security in

We implement security practices and tools to protect your information and data, starting from the overall system architecture through to how we operate our business processes. We understand that security needs and best practices change over time, and we aim to continue to enhance and improve our information security measures as these needs change.

Network Datacentre security

We use Microsoft Azure to host Circularity Scotland systems alongside other cloud products as part of our operations. Azure datacentres meet security regulations and standards with industry-leading physical and environmental controls. Our applications therefore benefit from a datacentre and network architecture built to meet the requirements of the most security-sensitive organisations.

Server security

We are committed to maintaining the security of our virtual server landscape. Maintaining a secure server estate requires constant attention and effort. On a routine basis, we evaluate the services and information accessible across our landscape and any specific security requirements. We build and monitor our systems against good industry practice and regularly assure server compliance and the currency of operating systems and software.

Encrypted transmission

By default, Circularity Scotland solutions communicate utilising the HTTPS protocol. Our servers support Transport Layer Security (TLS) encryption to protect against unauthorised disclosure or modification. We utilise encryption in transit for all data exchanges within our control (i.e. between our systems) and attempt to prioritise it where we can (i.e. opportunistic TLS with all email).

Encryption of authentication and session data

User credentials and strong authentication are required to access Circularity Scotland systems. We store authentication and session data using AES-256 encryption so that account credentials are protected.

PCI compliant

PCI compliance certifies that the requirements for protecting cardholder data are met. Circularity Scotland provides a payment portal for card payments and complies with our SAQ-A requirements. Our third-party credit card processor provides a fully PCI compliant solution.

Firewall

We control access to our sensitive production networks through the use of strict firewall rules and encrypted connections. Our firewalls are configured to block all but essential ports.

Authentication

Our users are required to utilise strong passwords and two-factor authentication when not in our secure sites. Our privileged users and financial systems are required to provide 2FA authentication at all times.

Testing

Changes to our systems are tested by our dedicated technology testing team prior to release. In addition to this, all members of the solution development teams are responsible for testing. Security testing is undertaken by qualified and independent Penetration Testers prior to go-live. This testing is repeated after any major release or after 12 months, whichever is soonest. Additionally, Circularity Scotland will employ continuous testing of our systems using online scanners to ensure that security is maintained.

Reliability

Backups

Database backups for Circularity Scotland systems consist of weekly full backups, daily incremental backups and 10-minute transaction log backups. The backups are geo-redundant, which creates multiple copies of backup files in paired regions to ensure the backup is safe and always available. SaaS components have automated transparent backups every 30 minutes. Data will be retained in line with the published retention periods in Circularity Scotland’s Privacy Policy. The window for data loss is 15 minutes or less.

Operational security practices

ISMS

Circularity Scotland aligns to ISO 27001, and our Information Security Policies define an organisation-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired, trained, and managed.

Access to customer data

Access to customer data is tightly controlled for security. Customer data can only be accessed by a small team, and only under limited and auditable circumstances. All Circularity Scotland employees operate under our internal Ethics Policy and a full Information Management Policy framework, including Clear Desk, GDPR and Acceptable Use policies.

Training and awareness

Our team participates in regular training to review security developments and threats, how Circularity Scotland is addressing those threats and how best to avoid them. The procedures themselves are reviewed and updated by our security team regularly.

Business continuity and disaster recovery

We maintain a business continuity and disaster recovery plan to minimise the impact of disruptions to our operations on our customers. We aim to continue providing our services, provide support, and perform essential functions without business disruption. Our security team meets regularly to reinforce security policy and provide training to staff. The security team is responsible for managing and implementing ongoing security improvements.

Internal Audit/Compliance

Circularity Scotland is supported by its Internal Audit and Compliance team, who provide assurance that our security controls are appropriately defined and operated.

Privacy

We understand our customers’ needs for privacy and have systems and policies in place to protect this. Our full privacy policy, including how we handle Personally Identifying Information (PII), can be found here: Privacy Policy | Circularity Scotland Ltd

Responsibility

We care about security and continue to work on improving our systems and processes. We accept that we are responsible for the security of our products, systems, and operations.