GDPR – A Shared Data Security Responsibility
Continuing our series of GDPR releases we look at shared data security responsibility: working together to keep your data secure…
With the forthcoming implementation of the new General Data Protection Regulation we look to clarify the responsibilities of Clook and those of our customers in order to keep your data secure.
In house, we take comprehensive measures to protect our infrastructure, network, and applications with employees being trained in security and privacy practices. We regularly put our systems and practices through rigorous internal and third-party testing and auditing.
Whilst we are responsible for securing each aspect of the service that’s under our control, you the customer also play a key role in ensuring your data is protected and secure.
This article aims to help you understand what we do to keep your account safe, and what you can do to reinforce this security…
Our Data Security Responsibilities
Build security into our network
When it comes to our server hardware we use the best of the best and spare no expense when it comes to investment in our infrastructure. Our servers are fully managed and monitored 24/7. We ensure everything stays stable, and if we notice any issues we will work on fixing them immediately without any request from you. We manage all updates and security hardening on our servers both during setup and on an ongoing basis.
Encrypt user data
To protect user data in transit between users and our servers, we use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
Maintain a reliable service
Server uptime can make or break your business. Most of our servers have a 100% uptime record on a month by month basis. Our cloud platform operates with layers of redundancy to guard against data loss and ensure availability.
Limit employee access to backend systems
Whilst technical staff at Clook have access to data stored on our hosting platforms, other departments do not need the same access and are not given it. All staff are subject to an internal data protection policy and have committed themselves to confidentiality when handling or accessing customer information.
Maintain employee security and privacy awareness
Part of keeping our service secure is making sure that the staff working at Clook understand how to be security conscious and recognise suspicious activity. Employees are required to acknowledge security policies prior to being granted systems access. Security and privacy training is mandatory for new staff with ongoing data security awareness training occurring on a regular basis.
Validate our practices
As part of our ISO27001 & ISO9001 accreditations, external auditors visit our office every year to assess our practices. Additionally, ongoing PCI-DSS compliance requires regular external testing.
Communicate issues to you
Our server status page provides real time stats of all hosting servers within the network. If we are alerted to a compromised website on the hosting platform we will disable it where applicable and notify the owner.
As per the GDPR, we will notify the ICO of a serious data breach within 72 hours of becoming aware of it, in accordance with Article 55. In addition we will notify you, the client, without undue delay after becoming aware of such a breach.
Only use GDPR compliant sub-processors
Article 28(2) of the GDPR states that a processor of personal data “shall not engage another processor without prior specific or general written authorisation of the controller”. As part of our contract with you it may be necessary to process your data with domain registrars or SSL Certificate providers. When doing so we will only use GDPR compliant companies.
Your Data Security Responsibilities
Learn about our practices
Deciding whether Clook are the right fit for your organisation is an important process. We encourage you to take the time to validate our practices, as you would with any other supplier.
Configure sharing and viewing permissions
Our client portal gives you flexibility to configure your account to support your security, collaboration, and privacy needs. The account holder is able to assign different roles to authorised contacts. For example, a member of your administration team can have access in order to make payments but will not be able to make changes to the account or access the web hosting panel.
You should ensure users added to your Clook account have the appropriate permissions set.
Strong authentication practices will help keep your data safe. It is recommended to enable two factor verification in order to sign in to your account. This security feature adds an extra layer of protection to your Clook account. Once enabled you will be prompted for a six-digit security code or a security key in addition to a password upon sign-in.
Conduct regular access reviews
Access to your Clook account may evolve as your team membership and internal roles change. You should regularly check to make sure that only the appropriate people have access to your account to help keep your information in the right hands.
Monitor for unusual activity
Both the Clook Client Portal and cPanel record account log-ins and actions. It is important to let us know should you spot any suspicious activity in order to keep your account secure.
Keep your online content up to date
Security risks are identified regularly within Content Management Systems. Popular CMSs such as WordPress, Drupal and Magento release patches or updates in order to fix these vulnerabilities. We often see hacks on older versions of WordPress installs or plug-ins: by not applying released updates you are leaving yourself open to attack.