Overview
At Phorest, protecting your personal and business data is one of our top priorities. Here we outline some of the key operational and procedural controls we’ve put in place to help protect your data.
Phorest utilizes AWS as our cloud infrastructure provider. Unless specified otherwise, the technical controls described here are implemented within Phorest’s AWS environment.
Our Engineers
Our internal infrastructure and security teams include highly experienced engineers who play a pivotal role in building, auditing and maintaining secure infrastructure and systems.
Best Practices
Logging & Monitoring
- We have comprehensive internal logging and monitoring procedures which allow us to audit and monitor events
- We utilize internal AWS threat-monitoring tools to ensure we are alerted promptly to any anomalous or malicious actions from outside actors
- We have internal processes that alert engineers to both security and outage events
Identity and Access Management
- We follow strict internal access policies which help ensure that only authorized systems and people can access or work with production data
- We conduct regular permissions audits of internal and third party systems to ensure we adhere to a least privilege principle
Encryption
- We encrypt your data at every opportunity: in transit, in use and at rest, so that your data is protected at every stage
Build Process Automation
- Internally, we utilize an automated build pipeline. This allows us to roll out changes and updates efficiently whilst providing adequate logging and auditing capabilities
Infrastructure
- All Phorest infrastructure runs in the cloud (AWS). We do not own or run any internal physical or on-prem hardware/servers
- Phorest has infrastructure across multiple AWS availability zones, which helps provide resilience and redundancy
- Traffic to and from our infrastructure is protected using finely tuned access control lists (ACLs), which only allow traffic that matches explicitly specified ACL entries
- AWS additionally provides a number of security controls that help protect our cloud-based resources
- We protect web-based resources using both web application firewalls (WAF) and rate limiting where possible
- Phorest employs a robust and comprehensive backup strategy using both full and incremental backups
- We take an automated approach to building and deploying infrastructure, allowing us to easily audit our infrastructure as code and also make quick changes and fixes when required
Data
- Phorest adheres to GDPR compliance requirements and is certified HIPAA-compliant
- Production data is stored securely within our AWS environment. To protect this data, we employ encryption as well as multiple access and permissions controls
- The only entities that access your data are you and, in some cases, authorized Phorest support engineers whenever they are assisting with a query or technical issue
- Phorest endeavors to retain data for the shortest amount of time required to conform with regulatory and regional data retention standards
- Additional information related to AWS compliance and certifications can be located here
Business Continuity
Phorest endeavours to safeguard critical customer data and ensure continuity of services in a number of different ways, including a comprehensive backup strategy for critical data.
- All data that we deem critical is backed up across different regions
- We adopt a continuous backup policy to minimise the possibility of data loss
- Where applicable, backups are protected using AES-256 encryption
- Backups and snapshots of data are regularly tested and validated to ensure consistency
Payment Card Information
- Phorest does not directly store any credit card or payment information
- We use Stripe to securely process card transactions. Stripe is one of the biggest payment platforms in the world and as such has the highest level of PCI compliance
- Nobody at Phorest can see or access payment or credit card information
- Alongside the highest level of PCI compliance, Stripe also:
  - Encrypts all card numbers
  - Prevents internal Stripe systems from accessing card data
  - Only allows secure communication over HTTPS/TLS
  - Regularly audits its processes and infrastructure
Security Audits
- Internally, we review and audit our security controls on a near-daily basis. This approach allows our engineers to continuously audit ourselves and address any potential gaps
- We engage with external auditors to conduct periodic penetration tests of internal and external infrastructure
- We work with external auditors to remediate or implement any findings or security recommendations they provide
- Phorest works towards an annual security strategy that aims to continually improve upon security initiatives
Education
- All Phorest staff are educated on current and emerging cybercrime trends
- Internally, we conduct periodic security exercises to uncover and close any gaps in education
Customer Responsibilities
Phorest will always do its best to protect your personal and business data. This is a shared responsibility between Phorest and its customers, meaning Phorest customers should be aware of the vital role they play in protecting their own data. Some responsibilities for customers include:
- Protecting any credentials that belong to your business’s computer systems
- Ensuring that you are using complex and unique passwords across all devices and systems
- Enabling and using two-factor authentication wherever possible
- Installing and using an up-to-date antivirus solution on your business systems where possible
- Notifying Phorest of any security incidents that occur within your business
Contacting Phorest
- If you wish to report a security issue or have a security specific question, you can contact the Phorest security team at security@phorest.com
- Alternatively, you can use the internal Phorest technical support system and any security questions you have will be directed to the correct team