Here’s a description of our technical and organisation security measures that we use to secure Skills Reloaded and protect your personal data.
Data location
Skills Reloaded is hosted on Amazon Web Services platform. This places your data in their European data centres. At the time of writing we use both their ’eu-west-1’ zone located in Ireland.
Encryption of personal data
Your data is encrypted at rest using Transparent Data Encryption
Protecting data during transmission
Data moving through Skills Reloaded services is encrypted in transit using an appropriate encryption technology.
When data is moving between you and Skills Reloaded, everything is encrypted and sent securely using HTTPS.
Internal access controls
Our team doesn’t have a reason to access or process customer data on a day to day basis. Processing is fully automated. It’s only if there’s a problem with an account or to help resolve a customer support question that we might need to access personal data.
All our team members have signed confidentiality undertakings and undergo GDPR training in respect of their roles.
We use role based access controls for staff and use two-factor auth on both internal apps and external services.
Resilience and availability
Skills Reloaded is geographically spread and load balanced across multiple availability zones. It comes with extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimise the risk of low or slow availability or loss of data.
We use web application firewalls, rate limiting & DDOS protection to provide resilience and ongoing availability.
Managing availability
Skills Reloaded is hosted and load balanced across multiple availablity zones. This setup provides continuous availability in case of an outage or issue in either data centre. The database is replicated between these regions, and backed up, to give us full resilience.
Physical security
Skills Reloaded is hosted within data centres provided by Amazon Web Services. As such, we take advantage of their physical, environmental and infrastructure controls.
Amazon Web Services is accredited to ISO 27001
User identification and authorisation
Passwords for signing in are hashed and salted using an PBKDF2-based function in line with the recommendations of the UK’s National Cyber Security Centre
We suggest all users set up two-factor authentication in Skills Reloaded to protect their account and data.
We also offer Single Sign-On (SSO) to access Skills Reloaded with any of the main identity providers, including Google Workspace.
Only you, the client, can invite and remove users and apply permission levels in your account.
Testing, evaluating and assessing the measures
We automate a lot of tests that monitor our infrastructure to make sure it’s up and running 24/7.
We complete the Cyber Essentials accreditation each year as well as periodic penetration tests and are happy to work with security researchers
Event logging
All events are recorded in log files, therefore it’s possible to review when and by who personal data was entered, altered or deleted. We provide access to this information in the form of downloadable CSV files in Skills Reloaded.
Data transfers
We use sub-processors to help deliver Skills Reloaded, and sometimes this means transferring your data to a 3rd party, with data centres outside of the UK or EEA.
In all cases we make sure that an adequate level of data protection exists by assessing their security and having in place contracts based on the EU SCCs.
Data minimisation and retention
An important factor in data protection is to make sure we don’t collect and store any more data than needed to provide you with Skills Reloaded. Every piece of data we collect and store must be backed up with a justifiable reason.
If personal data is no longer required it is deleted, either by you, the client, or by automated script when data hits its maximum retention period.
As an example, we only store customer support data for 12 months, an automated script deletes tickets that are 12 months old.
Data quality
All of the data processed is provided by you (the data controller) or your end users (the data subjects). You’ll find reporting tools within Skills Reloaded to help you understand, validate, and if necessary correct the data.
Data portability and deletion
Skills Reloaded has built-in backup and reporting tools that allow you to download your data, and, if appropriate, permanently erase data.
We don’t store debit/credit card information.
All our payments are processed through Stripe. They are a PCI Service Provider Level 1 organisation. Using Stripe means we don’t need to store your payment card details, they are sent encrypted direct to Stripe, we don’t store them anywhere.
You can read more about security at Stripe here
Reporting security problems
We’re happy to work with security researchers, they’re an important part of keeping the internet a safe place to work. We have a defined process for reporting security issues
Security questions or concerns?
If anything here is unclear, gives rise for concern, or you just want to understand something, then please contact our support team