Trust Centre

Information Security Programme

d6 Group have a defined Privacy and Information Security Programme aligned with the following security frameworks: ISO/IEC 27001, ISO/IEC 27701 and the OWASP Top 10.

The Programme includes the following risk management activities:

  • Identification of internal and external threats that could result in an Incident;
  • Assessment of the likelihood and potential impact of such threats, considering the sensitivity of Information;
  • Assessment of the effectiveness of policies, procedures, and safeguards in place to mitigate such risks.

Physical Security

Our offices are monitored by CCTV and have 24-hour security present. They are equipped with alarm systems and armed response. Servers, where used, are within secured areas with access control restricted to named users.

Endpoint Device Controls

Any company-owned mobile equipment (laptops and external storage media) is encrypted using a minimum of AES encryption with 128-bit keys.

We have strict internal Bring-Your-Own-Device policies and Acceptable Use Policies, and devices owned by staff members are segregated when connecting to our networks. Company information systems (such as e-mail and document management) are secured by mandatory multi-factor authentication.

End-to-end security systems are in place on each computer and on the network, including anti-virus, intrusion detection, and malware protection.

Encryption

Data at rest, in the form of regular backups, is encrypted at backup time, before being transferred to longer-term storage. Backups are encrypted using GPG.

In-transit encryption is achieved with Transport Layer Security (TLS), both within the hosting environment and to the end user.

Authentication and Passwords

Our systems validate password complexity to ensure that the passwords in use are not easily guessable, and we enforce minimum password complexity across all of our products.

Vulnerability Testing

In order to continually assess our security posture, we perform regular tests against our environment, in line with the OWASP Top Ten and other industry standards and benchmarks. Independent vulnerability assessments are performed periodically on our offerings. More information regarding our testing is available on request.

Access Control

Logical access to our servers for maintenance is strictly controlled internally and is limited to named, authenticated users. Any access is saved to audit logs, and privileged accounts are more strictly controlled than regular accounts.

Solutions hosted within our online platform are logically separated, reducing the risk of cross-site scripting and privilege escalation between accounts and tenants.

From an application point of view, customers are given full rights to manage their own access control within the system. As such, it is the responsibility of the customer to ensure that their access control to the system is managed according to good practice.

Our data centres and hosting locations are outsourced to industry leaders, who maintain strict control and security of the environments. Security controls include physical access control, logical access control, and Intrusion Prevention systems.

Baseline Configurations

Our servers are all configured to stringent baseline configuration standards. If we provision a new service, you can rest assured that it has security pre-applied to it and does not rely on insecure defaults in configuration.

Intrusion Prevention

Our physical offices are secured by alarm systems, 24/7 access control and CCTV systems. While we do not host your services at our administrative offices, we maintain strict control over who has access to our internal systems. All systems are access controlled for designated team members and are inaccessible to non-employees. Centralised storage is located within our secured cloud or within a secure server room with strict named access control.

Our hosted services are protected by Web Application Firewalls (WAFs) and other preventative measures.