Building security in
We implement security practices and tools to protect your information and data, starting from the overall system architecture through to how we operate our business processes. We understand that security needs, and best practices, change over time, and we aim to continue to enhance and improve our information security measures as these needs change.
Network Datacentre security
We use Microsoft Azure to host Circularity Scotland systems alongside other cloud products as part of our operations. Azure datacentres meet security regulations and standards with industry-leading physical and environmental controls. Our applications therefore benefit from a datacentre and network architecture built to meet the requirements of most security-sensitive organizations.
We are committed to maintaining the security of our virtual server landscape. Maintaining a secure server estate requires constant attention and effort. On a routine basis, we evaluate the services and information accessible across our landscape and any specific security requirements. We build and monitor our systems against good industry practice and regularly assure server compliance and currency of operating systems and software.
By default, Circularity Scotland solutions communicate utilising the HTTPS protocol. Our servers support Transport Layer Security (TLS) encryption to protect against unauthorized disclosure or modification. We utilise encryption in transit for all data exchanges within our control (i.e. between our systems) and attempt to prioritize where we can (i.e. opportunistic TLS with all email).
Encryption of authentication and session data
User credentials and strong authentication are required to access Circularity Scotland systems. We store authentication and session data using AES-256 encryption so that account credentials are protected.
PCI compliant
PCI compliance certifies that the requirements for protecting cardholder data are met. Circularity Scotland provides a payment portal for card payments and complies with our SAQ-A requirements. Our third-party credit card processor provides a fully PCI compliant solution.
Firewall
We control access to our sensitive production networks through the use of strict firewall rules and encrypted connections. Our firewalls are configured to block all but essential ports.
Our users are required to utilise strong passwords and two factor authentication when not in our secure sites. Our privileged users and financial systems are required to provide 2FA authentication at all times.
Testing
Changes to our systems are tested by our dedicated technology testing team prior to release. However, in addition to this, all members of the solution development teams are responsible for testing. Security testing is undertaken by qualified and independent Penetration Testers prior to go live. This testing is repeated after any major release or after 12 months, whichever is soonest. Additionally, Circularity Scotland will employ continuous testing of our systems using online scanners to ensure that security is maintained.
The backups are geo-redundant, which creates multiple copies of backup files to paired regions to ensure the backup is safe and always available. SaaS components have automated transparent backups every 30 minutes.
Access to customer data
Access to customer data is tightly controlled for security. Customer data can only be accessed by a small team, and only under limited and auditable circumstances. All Circularity Scotland employees operate under our internal Ethic Policy, and a full Information Management Policy framework including Clear desk, GDPR and Acceptable Use policies.
Training and awareness
Our team participates in regular training to review security developments, threats, how Circularity Scotland is addressing those threats and how to best avoid them. The procedures themselves are reviewed and updated by our security team regularly.
Business continuity and disaster recovery
We maintain a business continuity and disaster recovery plan to minimize the impact of disruptions to our operations on our customers. We aim to continue providing our services, provide support, and perform essential functions without business disruption. Our security team meets regularly to reinforce security policy and provide training to staff. The security team is responsible for managing and implementing ongoing security improvements.
Circularity Scotland is supported by its Internal Audit and Compliance team, who provide assurance of the appropriate definition and operation of our security controls.
We care about security and continue to work on improving our systems and processes. We accept we are responsible for the security of our products, systems, and operations.