We use the latest server, database, backup and firewall technologies to protect the data we store. Our data is housed in secure data centres, with both physical access restrictions and network security restrictions in place. Access to backup media is also controlled, and redundant media is wiped securely or physically destroyed. We endeavour to keep abreast of OS and application updates and security fixes, and to keep our knowledge current about new types of exploit.
We encrypt sensitive data on the machine (such as user names, email addresses and date of birth) and transmit it to our servers securely. We store user passwords using strong one-way hash functions (uniquely salted) recommended for password storage. We guard against known attack vectors (such as SQL injection, cross-site scripting attacks, etc.) and employ 'defence in depth' strategies (i.e. multiple layers of defence) following industry best practice security guidelines (such as OWASP) wherever possible.
Our general staff have no access to sensitive user profile data or an individual's test measurement data (although some metadata, aggregated data and anonymised results are made available to authorised personnel; see also the dedicated data disclosure section above). We also take steps to ensure that computers outside of the data centres are kept secure (to guard against employee accounts being compromised, for example).
We develop on dedicated development and staging servers. To prevent errors during development from exposing user data, our development servers do not contain live user data, only dummy data. Our source code is version controlled so we can track change history and audit who worked on individual pieces of code.
We use some data centres outside of the UK/EU area, specifically in the US. We continue to be the owner of this data and ensure these operators have robust data privacy policies, materially compliant with our own and/or compliant with the EU-US Privacy Shield Framework (formerly the EU Safe Harbor Framework).
If you find a security weakness in our site, we urge you to contact us privately before disclosing it publicly - to give us the opportunity to fix it. We are happy to give you public credit for such disclosures made responsibly in this manner, once a fix has been made available.
Should we discover a data breach of our system (or be made aware of one), we pledge to notify the ICO supervisory body and affected users in a timely manner without undue delay.