Enterprise-Grade Security
Protecting your account, your data, and earning your trust every day.
The highest levels of security, privacy, availability, and performance
We value your data and are committed to continuously invest in providing you with our high-quality service, improving your user experience, and protecting your data.
Our service is designed with security, privacy and availability by design and default. We aim to meet and exceed key industry best practices and regulatory schemes to protect your data.
We also know how important vendor security is to your business which is why we have received independent assurances to show our commitment to protecting your data. If you are a current customer you can request access to our reports by contacting us at: compliance@youcanbook.me
SOC 2 Type II
We have been externally audited by a Licensed SOC 1 and SOC 2 Auditor, and are compliant with the SOC 2 Type II standard for security with no control exceptions.
ISO/IEC 27001
The Centre for Assessment confirms that our Information Security Management System has been audited and the requirements met for ISO/IEC 27001.
Certificate Number: 20/3433
GDPR Compliance
GDPR is a priority to us. We have an appointed Data Protection Officer (DPO), and specific processes and tools in place to ensure compliance and protect your data and privacy
How do we keep your data secure?
Encryption
Data In Transit
All data in transit is encrypted using TLS1.2. The SSL Certificate in use by the service uses a 2048 bit RSA Key with a SHA256 algorithm.
Data at Rest
The database which stores Customer Data is encrypted to AES-256 using the AWS Key Management Service (KMS).
Security organization
Security is managed at the highest levels of the company, our appointed Data Protection Officer (DPO) meets with senior management regularly to discuss issues and coordinate company-wide security initiatives.
Confidentiality
We have controls in place to maintain the confidentiality of Customer Data in accordance with our Data Processing Agreement.
People security
Employee Background Checks
We perform background checks on all new employees at the time of employment in accordance with applicable local laws.
Employee Training
At least once a year, all our employees must complete security and privacy training which covers security policies, security best practices, and privacy principles, plus regular phishing awareness campaigns and highlighting potential new threats to employees.
Vendor management
Supplier Assessment
We use third party suppliers or sub-processors to provide our Service. Before working with them we carry out a security risk-based assessment of prospective suppliers to validate they meet our security requirements.
Supplier Agreements
We enter into written agreements with all of our suppliers which include confidentiality, privacy and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process. Where the supplier is located outside of the UK or EEA and are not subject to an adequacy agreement, these agreements include standard contractual clauses (SCC’s) for the transfer of personal data to third countries.
Architecture and data segregation
We host our servers in Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing our service is located in the United States.
The production environment within AWS, where Customer Data and the Service is hosted, is a logically isolated Virtual Private Cloud (VPC).
Our Development and Staging environments within AWS are strictly controlled and no Customer Data is stored or used in these environments.
Resilience and service continuity
Our Service uses a variety of tools and mechanisms to achieve high availability and resiliency. The infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another.
Backups and recovery
We perform regular backups of Customer Data using AWS RDS managed service. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).
Security by design
We follow security by design principles and a strict Software Development Life Cycle (SDLC) standard to perform numerous security-related activities for all new developments across different phases of the product creation lifecycle; from requirements gathering and product design all the way through production deployment.
Access controls
To minimize the risk of data exposure, we follow the principles of least privilege through an Identity and Access Management (IAM) model when provisioning system access.
Change management
We have a formal change management process to administer changes to the production environment for the Service, including any changes to the underlying software, applications, and systems.
Vulnerability management
We maintain controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements.
Penetration testing
We perform penetration tests and engage independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities which are identified are prioritized, triaged, and remediated promptly.
Security incident management
We maintain security incident management policies and procedures. The Information Security Management team assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions.
Legal documentation
You can read about our Terms and Privacy documentation.
Contact
If you have any additional questions regarding security at YouCanBookMe, please contact us at: compliance@youcanbook.me