We use the latest server, database, backup and firewall technologies to protect the data we store. Our data is housed in secure data centres, with both physical access restrictions and network security restrictions in place. Access to backup media is also controlled and redundant media is wiped securely or physically destroyed. We endeavour to keep abreast of OS and application updates and security fixes, and to keep our knowledge of new types of exploit current.
We encrypt sensitive data (such as user names, email addresses and date of birth) and store user passwords securely (as a uniquely salted, strong one-way cipher hash). We guard against known attack vectors (such as SQL injection, cross-site scripting attacks, etc.) and employ 'defence in depth' strategies (i.e. multiple layers of defence). We follow industry best-practice security guidelines (like OWASP) wherever possible.
Our staff have no access to sensitive user profile data or an individual's test measurement data without prior consent authorised by the individual (although some metadata, aggregated data and anonymised results are made available to authorised personnel - see also the dedicated data disclosure section above). We also take steps to ensure computers outside of the data centres are kept secure (to guard against employee accounts being compromised, for example).
We develop on dedicated developer and staging servers. To prevent errors during development from exposing user data, our developer servers do not contain live user data, only dummy data. Our source code is version controlled so we can track change history and audit who worked on individual pieces of code.
We use some data centres outside of the UK/EU area, specifically in the US. We continue to be the owner of this data and ensure these operators have robust data privacy policies that are materially compliant with our own and/or compliant with the EU Safe Harbor directive.
If you find a security weakness in our site, we urge you to contact us privately before disclosing it publicly - to give us the opportunity to fix it. We are happy to give you public credit for such disclosures made responsibly in this manner, once a fix has been made available.