Last month, our existing ISO 27001 certification was assessed and successfully renewed for the next 3 years. But what does that certification mean?
An ISO 27001 certification attests to the existence and maintenance of a well-defined and monitored Information Security Management System (ISMS). The standard sets out best practices and mandatory requirements across a large number of categories related to information security, ranging from email communication and password policies to network security and penetration testing. These categories are evaluated in a regular risk analysis, which in turn produces a set of controls in a risk treatment plan that are executed and monitored.
For you as a client, this certificate also has real business value. First and foremost, you can be confident in our organization's ability to manage information security risks. On top of that, in a GDPR-governed world, the GDPR requires you to use only processors that provide sufficient guarantees of appropriate security measures; an independently audited ISMS is evidence of exactly that, which strengthens your position should a personal data breach ever be assessed for fines.
With respect to the Notificare platform, we would like to highlight a few of the measures we take:
Security by Design
We design and develop our software and systems with security in mind. Great care is taken in filtering and sanitizing incoming data, in separating calls between the different access levels, and in limiting where data is stored. Our systems are reachable from the public internet only through an authenticated and encrypted REST API layer, and the platform is hosted in its own private subnet with strict access controls in place.
As much as we believe our systems to be secure, an extra pair of eyes will always spot things we might have overlooked. Our systems are regularly scanned for vulnerabilities, the validity of our data and backups is regularly verified, and the platform is penetration tested at least once a year. Our Information Security Management System is reviewed and audited every year to confirm that it performs according to our own standards and conforms to the mandatory requirements set out by the ISO 27001 standard.
Since we process your data and that of your users, we want to make sure those same users can trust you to handle their data with care, in accordance with the EU's General Data Protection Regulation (GDPR).
The settings of your applications in the Notificare dashboard allow you to configure how long we keep the various types of data, so that you can match your own data retention requirements under the GDPR's storage limitation principle.
This is also why we provide you with a signed Data Processing Agreement, which records what is gathered and stored on the Notificare platform and on whose behalf.
An important thing to note is the change we are putting in place in 2019. As mentioned in the Newsletter Update we sent earlier this month, maximum data retention settings are going to be enforced. Under the GDPR, data may only be gathered and stored for a specific purpose, and no longer than that purpose requires. We believe two years is more than enough for even the longest data history use cases, so by default data retention will be set to two years. Keeping data for longer than that will incur additional cost and will have to be discussed separately.
Settings will be enforced gradually starting in February 2019; we will send you reminders of this change during January.
Although our ISO certificate was successfully renewed for another three years, that does not mean security is a finished process. Following our cycle of implementing, monitoring and evaluating, we will keep improving the security of our software and systems.
After reading this, you may have questions regarding our ISO certification or GDPR compliance. As always, feel free to contact our support team by email.