Social Sync Security
At Social Sync, security is our absolute highest priority.
In the spirit of openness and transparency, this page summarises some of the security measures we take to protect and defend the Social Sync platform and our customers’ data.
These security measures are part of Social Workshop Ltd’s Information Security Management System (ISMS). A full list of all ISMS policies is found at the bottom of this page.
Social Sync is wholly owned and operated by Social Workshop Ltd, a privately owned company registered in the United Kingdom.
Information Security Management System Objectives
It is the policy of Social Workshop Ltd that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life-cycle.
Ultimately, the information security goal of Social Workshop Ltd is to maintain:
- Confidentiality: data and information are protected from unauthorized access
- Integrity: data is intact, complete and accurate
- Availability: IT systems are available when needed
Social Workshop Ltd’s information security objectives, consistent with the company’s information security program, are:
- To protect information from all internal, external, deliberate, or accidental threats;
- To encourage consistent and professional use of information;
- To enable secure information sharing;
- To ensure clarity about roles and responsibilities associated with protecting information, both internally and externally;
- To ensure business continuity and minimize business damage; and,
- To protect the company from legal liability and the inappropriate use of information.
Social Workshop Ltd’s Information Security Program applies to:
- Information in any form, regardless of the media on which it is stored, as well as any facility, system, or network used to store, process, and/or transfer information.
- All Social Workshop Ltd employees, temporary staff, partners, contractors, vendors, suppliers, and any other person (collectively also referred to as “Staff” or “Users”) or entity that accesses the Company’s systems or any other public or private network through the Company’s networks or systems.
- All activity while using or accessing the Company’s information or information processing, storage, or transmission equipment.
- Information resources that have been entrusted to the Company by any entity external to the Company (i.e. Customers, Contractors, and others).
- Documents, messages, and other communications created on or communicated via the Company systems are considered the company’s business records and, as such, are subject to review by third parties in relation to audits, litigation, process improvement, and compliance.
Roles and Responsibilities
The Compliance Team is responsible for:
- The design, development, maintenance, dissemination, and enforcement of the items contained in the ISMS policies.
- The monitoring and periodic review of all ISMS policies.
- Spot checks to ensure all employees, contractors and system users are compliant with ISMS policies and associated procedures.
- Reporting on the performance of the ISMS to Company directors.
The Compliance Team is composed of the following members of staff:
Compliance manager: Chief Product Officer
Compliance team members: Head of Product, Head of Engineering, Head of Customer Success, DevOps Engineer
At a minimum, on an annual basis, a security and/or compliance committee composed of senior management and key personnel must discuss, evaluate and document the company’s ISMS, ensuring strategic goals and objectives are continually being developed.
At a minimum, on an annual basis, all ISMS policies must be reviewed, modified and/or edited to meet necessary security standards. All policies must be signed and approved by authorized personnel.
How we protect our customers’ data: a quick primer
Hosted on AWS
Our enterprise architecture is hosted on Amazon Web Services (AWS) and is designed to provide 99.99% availability. Our database is managed by Amazon RDS, ensuring redundancy, high availability and trustworthy automated, encrypted backups.
As a global leader in web hosting, AWS is certified for a growing number of compliance standards and controls, and undergoes several independent third party audits to test for data safety, privacy, and security. Read more about the specific certifications on the AWS compliance page.
We protect your data
Built with a distributed architecture, all services are contained within a protected virtual private cloud (VPC) environment with access restricted via the use of individual security groups and a private VPN.
All systems and services are equipped with integrated failover and fault tolerance with multiple availability zones for redundancy.
All data is written to multiple disks instantly, backed up daily, and stored securely in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
Your users’ data never leaves our servers
We distinguish between data about your users and data about you, yourself.
While your billing information, for example, is shared with Stripe and your profile is accessible to us in our CRM software, data about your users is never shared with any external provider and never leaves our servers hosted with Amazon Web Services (AWS).
Encrypting data in transit
Whenever your data is in transit between you (or your users) and us, everything is secured with TLS 1.2 encryption and sent using HTTPS.
During a user agent’s (typically a web browser) first site visit, Social Sync sends an HTTP Strict Transport Security (HSTS) header that instructs the user agent to make all future requests via HTTPS, even if a link to Social Sync is specified as HTTP. Additionally, we are on the HSTS preload list, so that no request, not even the very first, is made over an unencrypted connection. Cookies are also set with the Secure flag.
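As an added illustration (not Social Sync’s own code), the following check verifies that an HTTP response carries the protections described above: an HSTS header that meets the preload-list requirements (a max-age of at least one year, includeSubDomains and preload) and Set-Cookie headers that carry the Secure flag. The function names and the two sample responses are constructed for this example.

```python
"""Check a response's transport-security headers (added example).

hsts_problems() returns a list of findings; an empty list means the
response passes.  Header names are matched case-insensitively, as they
are in HTTP.  Sample headers at the bottom are constructed, not captured.
"""
from typing import Dict, List

ONE_YEAR = 31_536_000  # seconds; minimum max-age accepted by the HSTS preload list


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=...; includeSubDomains; preload' into a dict keyed by
    lower-cased directive name (bare flags map to an empty string)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_problems(headers: Dict[str, List[str]]) -> List[str]:
    """Report HSTS and cookie weaknesses found in a response's headers."""
    problems: List[str] = []
    normalised = {k.lower(): v for k, v in headers.items()}

    hsts_values = normalised.get("strict-transport-security", [])
    if not hsts_values:
        problems.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts_values[0])
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too short
        if max_age < ONE_YEAR:
            problems.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            problems.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            problems.append("HSTS lacks preload directive")

    # Every cookie must be marked Secure so it is never sent over plain HTTP.
    for cookie in normalised.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            problems.append(f"cookie {name!r} lacks the Secure flag")
    return problems


# Constructed sample responses: one hardened, one weak.
GOOD_HEADERS = {
    "Strict-Transport-Security": ["max-age=63072000; includeSubDomains; preload"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
WEAK_HEADERS = {
    "Strict-Transport-Security": ["max-age=3600"],
    "Set-Cookie": ["session=abc123; Path=/"],
}

if __name__ == "__main__":
    print("hardened:", hsts_problems(GOOD_HEADERS) or "no findings")
    print("weak:", hsts_problems(WEAK_HEADERS))
```

The same function can be pointed at live headers (for example those returned by a `requests` call) to confirm a deployment still meets the preload requirements after a configuration change.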
Encrypting data at rest
Any data or files which you upload to us are stored and encrypted at rest using industry standard AES-256 encryption. Our backups of your data are also encrypted.
Concurrency and rate limiting
We employ several layers to protect against abuse and DoS attacks, such as concurrency limiting (which limits the number of active requests) and rate limiting (which limits the number of requests over time). Our servers gracefully queue requests when under high load and handle them at a safe pace.
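To make the two layers concrete, here is an added example (not Social Sync’s own code) of a token-bucket rate limiter, which bounds requests over time, and a concurrency limiter, which bounds requests in flight and queues the rest. The clock is injected so the behaviour is deterministic, and the class names and the request sequence in `demo()` are constructed for this illustration.

```python
"""Two admission-control layers, added as an illustration.

TokenBucket: allows a burst of `capacity` requests, then admits at
`refill_per_sec` steadily (rate limiting).
ConcurrencyLimiter: admits at most `max_active` requests at once and
queues the rest until a slot frees (concurrency limiting).
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class FakeClock:
    """Deterministic clock for the demo; a real service would use time.monotonic()."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    now: Callable[[], float]
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # start full so an initial burst is allowed
        self.last = self.now()

    def allow(self) -> bool:
        """Admit the request if a token is available; refill based on elapsed time."""
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill_per_sec)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ConcurrencyLimiter:
    def __init__(self, max_active: int) -> None:
        self.max_active = max_active
        self.active = 0
        self.queue: List[str] = []

    def start(self, request_id: str) -> bool:
        """Return True if the request runs now, False if it was queued."""
        if self.active < self.max_active:
            self.active += 1
            return True
        self.queue.append(request_id)
        return False

    def finish(self) -> Optional[str]:
        """Release a slot; hand it to the oldest queued request, if any."""
        self.active -= 1
        if self.queue:
            self.active += 1
            return self.queue.pop(0)
        return None


def demo() -> Tuple[List[bool], List[bool], Optional[str]]:
    """Constructed traffic: a burst of 4, a 2-second pause, 3 more; then 3 concurrent."""
    clock = FakeClock()
    bucket = TokenBucket(capacity=3, refill_per_sec=1.0, now=clock.now)
    rate = [bucket.allow() for _ in range(4)]   # burst: 3 admitted, 4th rejected
    clock.t += 2.0                              # two tokens refill
    rate += [bucket.allow() for _ in range(3)]  # 2 admitted, 3rd rejected
    limiter = ConcurrencyLimiter(max_active=2)
    starts = [limiter.start(f"r{i}") for i in range(3)]  # r2 is queued
    promoted = limiter.finish()                 # r0 finishes; r2 is admitted
    return rate, starts, promoted


if __name__ == "__main__":
    print(demo())
```

In production both layers usually sit in front of the application (a reverse proxy or API gateway), keyed per client or per customer ID so that one noisy tenant cannot exhaust the capacity of the others.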
- We operate under the principle of least privilege: Employees are assigned the lowest level of access that allows them to do their work.
- Multi factor authentication is enforced in all sensitive systems.
- All employees are required to use approved password managers (like LastPass, 1Password or Dashlane) to generate and store strong passwords that are never reused.
- All employees are required to enable screen locking for device security.
- All employees are required to install Company-owned antivirus and mobile device management (MDM) software provided by Sophos. This is managed 24/7/365 by Caretower, one of the UK’s largest cyber-security service providers.
- All employees are required to complete security awareness and compliance training as part of their onboarding process.
- All access to application admin functionalities is restricted to a small subset of Social Workshop Ltd staff.
- We never store customer data on personal devices (like laptops).
- All production systems require VPN and multi factor authentication.
- All code changes are tested in a staging environment before deploying to production.
- All code changes are thoroughly tested through our Continuous Integration software.
- Infrastructure provisioning is automated via code to remove human error and standardise workflows.
- All customer data is logically separated and tied to a customer ID that is used to validate requests during data retrieval processes.
- All API and client communication requires secure HTTPS connections.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
- We use several tools and services to automatically monitor uptime and service availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.
- Logs are permanently deleted after 30 days.
On top of our development-related continuous testing, we also conduct periodic third-party manual penetration testing of both our application and infrastructure. You can request a copy of our latest report at email@example.com.
Our software infrastructure is updated regularly with the latest security patches.
Our software is protected by a web application firewall and a host of security services that notify us of, and mitigate the impact of, any attack. While perfect security is a moving target, we work with researchers at one of the UK’s largest cyber-security providers to keep up with the state of the art in web security.
We protect your billing information
All credit card transactions are processed via Stripe using secure encryption, the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-compliant network.
Have a concern? Need to report an incident?
Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Send urgent or sensitive reports directly to firstname.lastname@example.org. We’ll get back to you as soon as we can, usually within 24 hours. Please follow up if you don’t hear back.
Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.
All security policies
Please find below the full list of policies and documents which make up Social Workshop Ltd’s Information Security Management System (in alphabetical order):
Description of Changes
August 15th, 2022, Social Workshop Ltd
August 30th, 2022, Social Workshop Ltd
Minor tweaks and publication