Enterprise-Grade Security

Enterprise-Grade security, privacy, availability, and performance

We value your data and are committed to continuously invest in providing you with our high-quality service, improving your user experience, and protecting your data.

Our service is designed with security, privacy and availability by design and default. We aim to meet and exceed key industry best practices and regulatory schemes to protect your data.

We also know how important vendor security is to your business which is why we have received independent assurances to show our commitment to protecting your data. If you are a current customer you can request access to our reports by contacting us at: compliance@youcanbook.me

SOC 2 Type II

We have been externally audited by a Licensed SOC 1 and SOC 2 Auditor, and are compliant with the SOC 2 Type II standard for security with no control exceptions.

ISO/IEC 27001

The Centre for Assessment confirms that our Information Security Management System has been audited and the requirements met for ISO/IEC 27001.

GDPR Compliance

GDPR is a priority to us. We have an appointed Data Protection Officer (DPO), and specific processes and tools in place to ensure compliance and protect your data and privacy

How do we keep your data secure?

Encryption

Data In Transit
All data in transit is encrypted using TLS1.2. The SSL Certificate in use by the service uses a 2048 bit RSA Key with a SHA256 algorithm.

Data at Rest
The database which stores Customer Data is encrypted to AES-256 using the AWS Key Management Service (KMS).

Security organization

Security is managed at the highest levels of the company, our appointed Data Protection Officer (DPO) meets with senior management regularly to discuss issues and coordinate company-wide security initiatives.

Confidentiality

We have controls in place to maintain the confidentiality of Customer Data in accordance with our Data Processing Agreement.

People security

Employee Background Checks
We perform background checks on all new employees at the time of employment in accordance with applicable local laws.

Employee Training
At least once a year, all our employees must complete security and privacy training which covers security policies, security best practices, and privacy principles, plus regular phishing awareness campaigns and highlighting potential new threats to employees.

Vendor management

Supplier Assessment
We use third party suppliers or sub-processors to provide our Service. Before working with them we carry out a security risk-based assessment of prospective suppliers to validate they meet our security requirements.

Supplier Agreements
We enter into written agreements with all of our suppliers which include confidentiality, privacy and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process. Where the supplier is located outside of the UK or EEA and are not subject to an adequacy agreement, these agreements include standard contractual clauses (SCC’s) for the transfer of personal data to third countries.

Architecture and data segregation

We host our servers in Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing our service is located in the United States.

The production environment within AWS, where Customer Data and the Service is hosted, is a logically isolated Virtual Private Cloud (VPC).

Our Development and Staging environments within AWS are strictly controlled and no Customer Data is stored or used in these environments.

Resilience and service continuity

Our Service uses a variety of tools and mechanisms to achieve high availability and resiliency. The infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another.

Backups and recovery

We perform regular backups of Customer Data using AWS RDS managed service. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).

Security by design

We follow security by design principles and a strict Software Development Life Cycle (SDLC) standard to perform numerous security-related activities for all new developments across different phases of the product creation lifecycle; from requirements gathering and product design all the way through production deployment.

Access controls

To minimize the risk of data exposure, we follow the principles of least privilege through an Identity and Access Management (IAM) model when provisioning system access.

Change management

We have a formal change management process to administer changes to the production environment for the Service, including any changes to the underlying software, applications, and systems.

Vulnerability management

We maintain controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements.

Penetration testing

We perform penetration tests and engage independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities which are identified are prioritized, triaged, and remediated promptly.

Security incident management

We maintain security incident management policies and procedures. The Information Security Management team assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions.

Legal documentation

You can read about our Terms and Privacy documentation.

Contact

If you have any additional questions regarding security at YouCanBookMe, please contact us at: compliance@youcanbook.me

Get started for free

Get started for free with a 14 day trial of our paid plan.
After your trial, enjoy our free version — forever.

No credit card required Cancel anytime

Enterprise-Grade Security