Security & Technical Information

Annual Leave Security & Technical Information

Disclaimer

The purpose of this document is to show our users and customers how we implement Information Security for the Annual Leave platform. This document does not constitute a contract between customer and supplier, nor does it form part of the Terms and Conditions of the Annual Leave service.

We are unable to sign, agree to or otherwise endorse any of our customers' own terms and conditions, nor their own security-related questionnaires and documents.

We hope this document will show we take Information Security seriously at the highest level and enable you to use the service with confidence.


Platform & Data Centres

The Annual Leave platform is a web-based application, residing on Microsoft Azure Application Service.

App Service is a fully managed platform that runs and scales our applications, with Microsoft performing infrastructure maintenance, load balancing and similar operational tasks on our behalf.

Our data centres are hosted in the Microsoft Azure cloud in Ireland (primary data centre) and the Netherlands (secondary data centre), the latter also serving as our disaster recovery site. We use Microsoft Hyper-V replication to copy data between the two data centres so that service can be restored in the event of a failure.


Security and Compliance

  • Customer data is logically separated between customer accounts.
  • Passwords are stored only as one-way hashes; no other data is encrypted at rest.
  • Data in transit between the browser and our web servers is encrypted using Transport Layer Security (TLS 1.2).


PCI DSS Compliance

Vulnerability scans are carried out monthly to ensure we remain compliant with the PCI DSS standard.

Security testing / vulnerabilities

Vulnerability scans are carried out in line with new security requirements from bodies such as OWASP, Cyber Essentials and the NCSC. Any remedial work is completed within 2-4 weeks, depending on the assessed impact level and the recommendation of our third-party scanning provider, Qualys.

Failover testing

Our failover procedures are tested frequently. These tests ensure our procedures allow us to restore service for our customers in the event of power loss, loss of internet connectivity, or total loss of a data centre.


Online Payments

We do not store any credit or debit card details for online payments. Our payment provider, Stripe, is responsible for managing payments on behalf of Annual Leave.


Accreditations & Achievements

Annual Leave holds a number of accreditations that represent our commitment to the highest standards of information and document security, of service quality, and more.


ISO 27001 for Information Security

ISO 27001 is an overall management and control framework for managing Annual Leave's Information Security. The standard requires that Annual Leave consistently assesses the information security risks of the business and applies controls to address risks to confidentiality, integrity and availability. In achieving this standard, Annual Leave has demonstrated compliance regarding all information security matters, including data protection, privacy and IT governance, within our industry.

ISO 9001 for Quality

The ISO 9001 standard outlines a process approach to implementing and supporting a quality management system. Annual Leave has well-defined and documented procedures designed to continuously improve the consistency of our service. Quality is constantly measured, and our procedures ensure corrective action is taken whenever defects occur.

ISO 14001 for Environmental Initiatives

The ISO 14001 standard provides a framework for Annual Leave to assess, manage and reduce the environmental impact of operating our business, now and in the future. Our customers can be confident that Annual Leave meets its environmental management system commitments and company environmental policy requirements.

ISO 15489 for Records Management Procedures

ISO 15489 ensures that records kept by Annual Leave are maintained, easily accessible and correctly documented from their creation through to their ultimate disposal, whether that is archiving, imaging or destruction. The standard ensures that disposal is carried out in a transparent manner according to pre-determined criteria. Our customers can be assured that Annual Leave will archive, manage, protect and destroy all records in line with industry best practice and as prescribed by relevant legislative and regulatory requirements.


GDPR & Data Protection

The Data Protection Act 1998 is due to be replaced by the General Data Protection Regulation (EU) 2016/679 from May 2018.

We are a "Data Processor": we process data on your behalf as part of your use of our service. We are committed to GDPR compliance, both our own and that of our customers.

Our Terms and Conditions, along with our Privacy Policy, have been updated to include the clauses and principles relating to data processing required by the General Data Protection Regulation (GDPR); together these form the Data Processing Agreement between us.

We will NOT be able to sign any additional agreements, contracts or documents.

This document was last updated on 15 August 2018.