Supplier Integrity® security and privacy
Data centre and network security
We protect the confidentiality and integrity of your data using industry best practice. Our servers are hosted by Amazon Web Services (AWS). AWS is certified against ISO 27001 and complies with many national data protection acts (including the EU Data Protection Directive). See https://aws.amazon.com/compliance/.
AWS has built its data centre and network architecture to meet the requirements of the most security-sensitive organisations. Your data is encrypted in transit with Transport Layer Security (TLS) across all services.
We follow secure development practices and test against security threats to protect client data.
Our development and test environments are separated from the production environment. No actual client data is used in the development or test environments.
We use third-party tools to run dynamic application security testing (DAST) against the OWASP Top Ten categories of web application flaws before each software and patch release.
In addition to the scanning programme, qualified security experts perform penetration testing on major releases.
Findings from both the scanning and the penetration tests are tracked with the engineering teams until they are remediated.
Product security features
All communications with Supplier Integrity® servers over public networks are encrypted using industry-standard HTTPS (TLS), so traffic between you and the platform servers is protected against eavesdropping and tampering.
Access to Supplier Integrity® data is governed by access rights and roles, with controls at both system level and supplier level: a user cannot see a supplier's data unless they have been granted access to that specific supplier.
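The following is an added illustration of the two-tier access model just described (a system-level role plus per-supplier grants, deny by default). It is example code written for this page, not Supplier Integrity® platform code; the role names, the supplier records and the rule that an ungranted supplier is indistinguishable from a non-existent one are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample records for the illustration; not real supplier data.
SUPPLIERS = {
    "sup-001": {"name": "Acme Components Ltd", "risk_rating": "low"},
    "sup-002": {"name": "Globex Logistics", "risk_rating": "high"},
    "sup-003": {"name": "Initech Services", "risk_rating": "medium"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    system_role: str                       # assumed roles: "admin" or "analyst"
    supplier_grants: frozenset = field(default_factory=frozenset)  # supplier ids


class AccessDenied(Exception):
    """Raised when a user asks for supplier data they have not been granted."""


def can_view_supplier(user: User, supplier_id: str) -> bool:
    """System-level control first, then supplier-level grant; anything else is denied."""
    if user.system_role == "admin":
        return True                        # system-level: sees every supplier
    if user.system_role == "analyst":
        return supplier_id in user.supplier_grants   # supplier-level grant required
    return False                           # unknown role: deny by default


def get_supplier(user: User, supplier_id: str) -> dict:
    """Return a supplier record only after the access check passes.

    An ungranted id and an unknown id raise the same error, so a user cannot
    probe which supplier ids exist in the system (assumed design choice).
    """
    if not can_view_supplier(user, supplier_id) or supplier_id not in SUPPLIERS:
        raise AccessDenied(f"{user.user_id} may not view {supplier_id}")
    return SUPPLIERS[supplier_id]


def visible_suppliers(user: User) -> list:
    """Ids a user may list; every listing goes through the same check."""
    return sorted(sid for sid in SUPPLIERS if can_view_supplier(user, sid))


def is_denied(user: User, supplier_id: str) -> bool:
    """Helper for tests: True when the fetch is refused."""
    try:
        get_supplier(user, supplier_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    admin = User("u-admin", "admin")
    analyst = User("u-analyst", "analyst", frozenset({"sup-001"}))
    print("admin sees:", visible_suppliers(admin))
    print("analyst sees:", visible_suppliers(analyst))
    print("analyst denied sup-002:", is_denied(analyst, "sup-002"))
```

The point of routing both the listing and the single-record fetch through `can_view_supplier` is that there is one place to audit: a new endpoint that forgets the check is the usual way supplier-level scoping is bypassed in practice.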
We protect your confidential data as if it is our own data.
General privacy practice
Personal contact information may be entered into the platform to support notifications and communication between client and third-party stakeholders. Any personal information collected is shared only with system users who have permission to access it.
Access to client data, including personal data, is restricted to authorised personnel. It is strictly controlled under identity and access-management policies and is monitored in accordance with The Red Flag Group’s internal privileged-user monitoring and auditing programme.