Security
Built with security at its core
Security isn't just a feature; it's at the heart of everything we do. Your use of EverScout is backed by our commitment to safeguarding your data.
Compliance
Our commitment to security
Your data must remain safe, and our job to protect it never stops. We place no limits on this effort and will continue to implement and update to the latest standards to ensure that you and your information are shielded from evolving threats.
Our company already implements ISM controls to meet the ISO 27001 and SOC 2 Type 2 standards, and we are actively working on obtaining accreditation.
For our cloud hosting, we use AWS.
Scope
This policy applies to all EverScout services and products operated by Duality Studio LTD.
Physical Security
Hosting Facility
Amazon's data centers have been accredited for ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II), PCI Level 1, FISMA Moderate, Sarbanes-Oxley (SOX) and more.
Onsite Security
Onsite security for AWS involves comprehensive measures to safeguard physical infrastructure hosting Amazon Web Services (AWS) resources. This includes data centers, networking equipment, and servers. AWS employs stringent protocols such as biometric authentication, 24/7 surveillance, and restricted access controls to ensure only authorised personnel can enter these facilities. Additionally, security personnel, along with advanced monitoring systems, continuously monitor for any suspicious activities.
Ongoing Monitoring
The AWS Security Operations Center performs regular threat and vulnerability reviews of data centers. Ongoing assessment and mitigation of potential vulnerabilities is performed through data center risk assessment activities. AWS backs up its own risk management with third-party testing to ensure that it has appropriately implemented the security measures required to obtain security certifications.
Locations
EverScout is primarily deployed in the UK region; however, accommodations can be made to deploy to any of the available AWS regions.
Network Security
Around the clock alerts
All of our systems are monitored 24/7 to ensure that alerts and risks are mitigated as a matter of priority.
Firewalls
All services essential for the operation of EverScout are protected with enterprise-grade firewalls to ensure all traffic is filtered. Our databases are hosted on Amazon's RDS services, with access restricted solely to the local network.
DDoS Mitigation
Our platform implements audit logs which are continuously monitored for anomalies, complemented with automatic spike alarms. AWS Shield is used to protect our services and mitigate any DDoS-style attacks against our systems and infrastructure.
Access Control
Access control is strictly managed, employing the principle of least privilege to ensure that users only have access to the resources necessary for their roles.
Multi-Factor Auth
Where possible, our security policies enforce multi-factor authentication to add additional layers of security.
Vulnerability Scanning
Our security partners, Hexiosec, actively monitor our systems and provide proactive remediation steps with their tool Hexiosec ASM.
Development
Billing
EverScout does not store any credit card data, nor does any card data touch our infrastructure. Our billing is handled by a third-party service, Stripe, which is fully PCI compliant.
Quality Assurance
We adopt a cautious approach to testing. Our testing regimen includes integration and unit tests, peer reviews, end-to-end tests, and smoke tests. Any features raising concerns are promptly removed from the release. Notwithstanding this, it is technically impossible to guarantee a fault-free service. In the event of reported issues, hotfixes will be swiftly implemented outside of the normal release schedule.
Separate Environments
We maintain distinct environments for both staging and testing purposes, with each environment logically and physically segregated from our live-production environment. This separation ensures that any changes or updates can undergo thorough testing in isolated environments before deployment to production. Importantly, no customer data is utilised in these testing or development environments, minimizing the risk of data exposure or compromise.
Penetration Testing
Regular internal penetration testing is conducted quarterly. Additionally, a bi-annual penetration test is conducted through our security partner.
Mitigating Common Attacks (XSS, CSRF, SQLi)
Our application is built to OWASP standards to mitigate common application vulnerabilities. Additionally, we utilise AWS WAF to protect against suspicious activity.
Updates under the hood
We monitor the services that we rely on, whether internal or external, and ensure that they are actively kept up to date.
Encryption
Data at Rest
All data is stored encrypted with AES-256 encryption algorithm.
Data in Transit
Any access to our system, including transmission of data, is encrypted in line with industry best practices.
Software
Single Sign On
SSO via Office 365 or Google Workspace is available by contacting us.
2FA
2FA is available using an authenticator app such as Authy or Google Authenticator. Enforcing 2FA across your team can be enabled by contacting us.
Password Policy
Our system implements password policies that require a minimum of 10 characters, including mixed-case letters and numbers.
Audit Logs
Audit logging is in place and can be provided for review on request. Audit logs include action, performer and timestamp.
Availability
Uptime
EverScout has maintained an average uptime of 99.9% during the last 24 months.
Redundancy
EverScout is hosted using AWS Lambda, which scales on demand. In the unlikely event of an issue with an AWS zone, EverScout can be switched to a different zone so that normal operations continue.
Data retention
Event finished
The event can be archived or deleted after use. Data is initially soft deleted for 35 days before being permanently deleted. Soft-deleted data can be recovered up to 5 days before permanent deletion by contacting us. Automatic controls are available in the app to delete the data after the event is finished.
Closing Account
Your account will be soft deleted for 35 days before being permanently deleted. Your account can be recovered up to 5 days before permanent deletion by contacting us.
Data Backups
Database Backups
Amazon RDS provides a robust service, including point-in-time backups. Our backup retention period is 14 days, and backups are available across all of our provisioned zones. Additionally, daily snapshots are recorded and stored encrypted with our backup provider.
Other Backups
Our system uses AWS S3 for storage of all other data; S3 is highly durable and is configured with cross-region replication for redundancy.
Recovery
We test our recovery procedures on an annual basis to ensure that our processes work should we ever need them.
Business Security
Our Business
EverScout is owned and operated by Duality Studio LTD. We are a limited company registered in England and Wales under company number 10718526. Our registered address is 10 Icknield Drive, Northampton, England, NN4 9YS.
Data Protection Officer
Our Data Protection Officer can be contacted by email at hello@dualitystudio.co.uk, or by post at 10 Icknield Drive, Northampton, England, NN4 9YS.
Organisational Security
Further information about our internal security, policies, practices and business continuity can be discussed by contacting us.
Contact Us
To contact us please use the following details:
- Email address: hello@dualitystudio.co.uk.
- Postal Address: 10 Icknield Drive, Northampton, England, NN4 9YS.