Security and Privacy
We understand that data security and privacy are a constant and top concern for our clients. The Red Flag Group protects your confidential data as if it were our own. To keep your data safe, we provide protection at the following layers:
Data centre and network security
We ensure the confidentiality and integrity of your data using industry best practices. Our servers are hosted by Amazon Web Services (AWS). AWS has built its data centre and network architecture to meet the requirements of the most security-sensitive and highly regulated corporations and organisations. AWS complies with ISO 27001 and many national data protection laws, including the EU Data Protection Directive.
Please check https://aws.amazon.com/compliance/ for AWS compliance details.
Data in transit is encrypted with Transport Layer Security (TLS) across all services.
Secure development and quality-assurance environments, together with well-established processes for addressing security threats, protect our client data.
Our development and test environments are separated from the production environment. No actual client data is used in the development or test environments.
Before each software or patch release we employ third-party tools for dynamic scanning against the OWASP Top Ten security flaws and for a health check of the components we depend on, and we run static code analysis to discover potential bugs and vulnerabilities. The results are shared and discussed with our engineering team so that any discovered issues are remediated.
Product security features
All communication with our servers over public networks is encrypted using industry-standard HTTPS, so that traffic between our clients and the servers is protected.
Administrators can safely upload files to ComplianceInteractive® and files are stored securely on the AWS servers.
Access to content and application data is governed by access rights, roles and groups, with both system-level and feature-level control: users cannot access data or perform an action through a feature unless they have been given specific access to it.
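The deny-by-default model described above, as an added illustration that is not ComplianceInteractive® code and does not describe its implementation: roles grant feature-level permissions, groups scope which data a user may reach, and a request is allowed only when both checks pass. The role, group, feature and user names are invented for the example.

```python
"""Illustrative deny-by-default authorisation check combining feature-level
(role) and system-level (group) control. Example code only; the policy
below is a constructed sample, not a real product configuration."""
from dataclasses import dataclass

# Feature-level permissions granted to each role (constructed sample policy).
# A role that is not listed here grants nothing.
ROLE_PERMISSIONS = {
    "admin": {"reports:view", "reports:export", "files:upload", "users:manage"},
    "auditor": {"reports:view", "reports:export"},
    "learner": {"training:take"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset   # e.g. frozenset({"auditor"})
    groups: frozenset  # data scopes the user belongs to, e.g. frozenset({"emea"})


@dataclass(frozen=True)
class Resource:
    kind: str   # feature family, e.g. "reports"
    group: str  # data scope the resource belongs to, e.g. "emea"


def permitted_features(user):
    """Union of feature permissions granted by all of the user's roles."""
    features = set()
    for role in user.roles:
        features |= ROLE_PERMISSIONS.get(role, set())
    return features


def is_allowed(user, action, resource):
    """Allow only if (1) some role grants the feature-level permission and
    (2) the user's groups include the resource's group. Anything not
    explicitly granted, including unknown roles or actions, is denied."""
    feature = f"{resource.kind}:{action}"
    if feature not in permitted_features(user):
        return False
    if resource.group not in user.groups:
        return False
    return True


if __name__ == "__main__":
    auditor = User("ext-auditor", frozenset({"auditor"}), frozenset({"emea"}))
    emea_report = Resource("reports", "emea")
    apac_report = Resource("reports", "apac")
    print(is_allowed(auditor, "export", emea_report))  # permitted: role + group
    print(is_allowed(auditor, "export", apac_report))  # denied: wrong group
    print(is_allowed(auditor, "upload", Resource("files", "emea")))  # denied: no role grant
```

Both checks are evaluated on every request; a user who holds a powerful role but is not a member of a resource's group is still refused, which is the system-level control the text refers to.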
General privacy practice
Your personal information might be provided for auditing purposes when certain reports are generated and shared for internal and external compliance-training audits. Any personal information will only be shared with your company's internal or external auditors at your company's request and on a need-to-know basis.
Access to client data, including personal data, is restricted to authorised personnel. This is strictly controlled by identity and access-management policies and is monitored under The Red Flag Group's internal privileged-user monitoring and auditing programme.