Data security – your questions answered

Your customers are concerned. How are you using their data? Who are you sharing it with? How are you protecting it?

Data security has never been more important not only from a regulatory point of view, but in doing the right thing for your customers. Here at Researchbods, we appreciate that our clients are often concerned about the data security when using our ex-plor platform and have put together some of the most frequently asked questions people ask.

What are your data security credentials? 

Researchbods holds the accreditation for ISO 27001,  the premium information security management system. We are also registered as Data Controllers under the Data Protection Act: Nr.Z5498703 and adhere to strict polices across the business, all governed by GDPR. We are registered under several data classes that allow for the recording and maintenance of personally identifiable information. Certificates and policies are available upon request.


Where will the panel be hosted?

ex-plor is hosted using Amazon Cloud (AWS) where a fully redundant, secure and scalable solution has been designed. The system is hosted in multiple availability zones within the London AWS Region.


How do you keep the database secure?

AWS provides resource specific security groups. Researchbods use these security groups to independently govern traffic routes in and out of those resources.  This allows the Infrastructure Team to localise routing and limit database access between production services only, protecting the data from infiltration either from an outside source or sub environment. Within AWS, we maintain control of Database access by using Security Groups. The live Database is in its own security group, and only live servers are allowed access to it.


What safety precautions do you take around administrator accounts/access?

We use AWS IAM to tightly control access to a small group of administrators and all accounts are secured using multi-factor authentication. Each user is organised into groups which have a finite, bespoke Researchbods managed policy that matches the requirement of access whilst limiting resource access. Other accounts have specific permissions to areas of our platform, but greatly reduced in control and responsibility. These permissions are reviewed periodically to ensure the highest level of security.


How do you secure SSH access?

All SSH access is restricted to VPN connections only. For live platforms, SSH access is restricted to Experienced Developers and the Infrastructure Team. Access is controlled by the Infrastructure.


We need to legally own the data collected through the community – is this possible?

All community members are taken through a double opt-in mechanic where you are able to define the terms and conditions or membership and the contents of the Privacy Policy. Users must accept these before becoming members. This allows us to explicitly define that Shift are the data controllers and that Researchbods are the Data Processors. Therefore, you will legally own the data collected on your behalf by our platform.


We need to have a regular data backup  provided for our databases on a monthly basis – how will this be conducted?

The platform has built in Disaster Recovery features that backup and encrypt the core database systems into a separate region of AWS. These backups are encrypted and locked by the Researchbods team and are therefore not suitable for transfer to your company. However, the platform contains features that allows you to export all data collected about members within the UI and this will meet this requirement.


What are your GDPR and panel member data procedures?

Researchbods are fully GDPR complaint, working with our clients to design secure, transparent and repeatable data processing procedures that work with the individual needs and capabilities of the customer and importantly, their data subjects. Backed up by our ISO27001 certification in information security management, our processes focus on the rights of the data subject and ensure that data is specific, held and processed for the relevant time, protected and transportable. This is underpinned by our Information Security Management team and our Data Processing Officer.


What is your panel security process?

The ex-plor platform is a web-based Software as A Service (SaaS) platform that comprises of both an admin Content Management System and a member Front End. Access to the admin area is controlled using the least privilege model, with only named individuals having direct access to the system. All admin accounts are protected by MFA. The member front end is secured using a username and password that is set and controlled by the individual members.


How do you carry out penetration testing?

The ex-plor platform undergoes annual 3rd party security assessments and we can also support our customers in running their own assessments. Please note our time is chargeable if you wish to run your assessment.


If you have any other questions or concerns regarding data security and the ex-plor platform, why not arrange a meeting to discuss with our team?