Data Security Summary
The Developing Leaders Partnership/Gyre®: Data Security Summary
Last Update: January 2024
Executive Summary
- Gyre is ISO 27001 certified, the most robust international standard for information security.
- Gyre is an approved Crown Service Supplier, available as part of the digital marketplace on G-Cloud 13.
- Gyre is independently audited on an annual basis under the UK Government's Cyber Essentials Framework (Cyber Essentials Plus certified).
- Our digital services are hosted on Microsoft's Azure Cloud Platform, which provides the highest levels of security and governance.
- All data is encrypted at rest using industry-standard algorithms (AES-128/256).
- All data is transferred and accessed securely using TLS 1.2 or greater.
- Data is securely replicated across multiple geographic regions to provide resilience against data loss.
- Gyre complies with all relevant data protection legislation, including GDPR.
- Data is restricted internally to operational support roles, and all actions are logged.
- Software development follows industry security best practices, including consideration of the OWASP Top 10.
Use of Gyre is subject to the published Terms and Conditions and Privacy Policy.
Data Storage and Processing Locations
In line with data protection legislation, including GDPR, we store and process data in the following locations:
- United Kingdom
- European Economic Area (EEA)
- United States, under the 2021 EU Standard Contractual Clauses and after performing a Transfer Impact Assessment (TIA)
Data Centres
- Our databases and digital platform servers are hosted in Microsoft Azure Data Centres.
- Our data centres include strong physical controls (e.g. secured perimeter, 24-hour security monitoring and response, and full-body metal detection screening on entry and exit).
- Our Azure data centres comply with (among others):
  - CSA CCM v3.0
  - SSAE-16 / ISAE 3402
  - ISO 27001
  - HIPAA
  - Cyber Essentials Plus
  - G-Cloud
  - FedRAMP
  - SOC 1 and SOC 2
- Data is deleted from data centres using best-practice procedures and a wiping solution that is NIST 800-88 compliant.
- For assets that cannot be wiped, a destruction process is used that destroys the asset and renders recovery of the information impossible.
Network and Data Protections
- Pseudonymisation or anonymisation of personal data is used where appropriate.
- All data at rest is encrypted (AES-128/256).
- No personal data is held on removable media.
- Data in transit is secured using industry-standard TLS 1.2, ECDHE_RSA with P-256, and AES_256_GCM or greater. Internally, access to the cloud platform uses TLS 1.2 with 2048-bit RSA/SHA256 keys or greater.
- Personal data is segregated from other, unrelated networks.
- The principle of least privilege is applied to access control and user authentication processes.
- Management interfaces are restricted to operational support roles.
- All actions are audited.
- Antivirus/malware protection and patching are kept up to date on all systems that store or process personal data.
- Platform components hosted on Azure receive regular, automated security updates.
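The transport baseline stated above (TLS 1.2 or greater, ECDHE_RSA with P-256, AES_256_GCM or greater) can be enforced and audited on the client side with the standard library. This is an added example, not Gyre's own code; the OpenSSL suite names and the function names are assumptions mapping the summary's wording onto what Python's ssl module exposes.

```python
import ssl

# Baseline from the summary, expressed in OpenSSL names (assumed mapping):
MIN_TLS = ssl.TLSVersion.TLSv1_2
TLS12_SUITES = ("ECDHE-RSA-AES256-GCM-SHA384",)  # ECDHE_RSA key exchange + AES_256_GCM
TLS13_SUITES = ("TLS_AES_256_GCM_SHA384",)       # TLS 1.3 equivalent of AES_256_GCM
P256_CURVE = "prime256v1"                        # OpenSSL name for the P-256 curve


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below the stated baseline."""
    ctx = ssl.create_default_context()       # certificate verification stays on
    ctx.minimum_version = MIN_TLS            # no TLS 1.0/1.1 or SSLv3
    ctx.set_ciphers(":".join(TLS12_SUITES))  # TLS 1.2 suite list; 1.3 suites are separate
    ctx.set_ecdh_curve(P256_CURVE)           # pin the ECDHE group to P-256
    return ctx


def meets_baseline(negotiated: tuple) -> bool:
    """Judge the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    name, protocol, bits = negotiated
    if protocol == "TLSv1.3":
        return name in TLS13_SUITES and bits >= 256
    if protocol == "TLSv1.2":
        return name in TLS12_SUITES and bits >= 256
    return False                             # anything older fails outright


def tls12_suites_enabled(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites the context will offer (for a config audit)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


if __name__ == "__main__":
    ctx = build_client_context()
    print("TLS 1.2 suites offered:", tls12_suites_enabled(ctx))
    # Constructed sample of what a real handshake might report:
    print(meets_baseline(("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)))
```

Pass the context to `ssl.SSLContext.wrap_socket()` and run `meets_baseline(sock.cipher())` after the handshake to confirm the negotiated parameters, not just the configured ones.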
Protective Monitoring
- We use both Azure's industry-leading security monitoring and our own defined processes to monitor for application and data compromises.
- Security incidents receive immediate top priority as part of our operational processes and are mitigated as soon as possible, subject to our agreed SLAs.
- Vulnerability scanning is performed by Microsoft on server operating systems, databases, and network devices. The vulnerability scans are performed at least quarterly.
- Third-party penetration tests are performed regularly on our external production systems.
- Microsoft Azure contracts with independent assessors to perform penetration testing of the Azure boundary. Red-team exercises are also routinely performed, and the results are used to make security improvements.
Incident Response
- We follow the five-step incident response process used by Microsoft Azure: Detect, Assess, Diagnose, Stabilise and Close.
- Users are able to report incidents through our standard support structure, ensuring a clear and robust pathway for all incidents.
- Our policy is to notify customers of impacting or potentially impacting issues as early as possible via direct communication, and to maintain a dialogue as information becomes available through to resolution.
- Once an incident is resolved we perform a post-mortem, which is also shared with affected customers.
- Security is given explicit consideration during the development of product features.
- We have a security breach policy and plan in compliance with GDPR.
Secure Development
- Our software engineering team keeps up to date with best-practice security, including the OWASP Top 10.
- We monitor industry security feeds, including GitHub Security Alerts, to identify potential vulnerabilities in third-party dependencies.
- Patches to known security vulnerabilities receive immediate top priority as part of our software development process and are released subject to our SLA.
IT Governance and Controls
- We have clear roles responsible for security governance (CTO and DPO) who meet regularly with key stakeholders to review and update our policies and processes.
- Throughout the organisation we enforce robust staff policies for IT security, including access controls, encryption of all data, and appropriate policies for the use of passwords, including two-factor authentication.
- Security reviews and automated tests form part of our change management and software development processes, and we run regular assessments to validate our approach to information security.
- Staff must follow our strict IT security policies and are asked by the DPO to review them periodically. This includes not storing sensitive data on insecure devices, using strong passwords, and encrypting hard drives.
- Only approved and screened key staff have access to production systems and data, and all access is logged.
- We do not keep personal or organisational data for any fixed period, but we will not keep it for longer than is necessary for our purposes, as described in our Privacy Policy.
- In considering how long to keep data, we take into account its relevance to our business and our legal and regulatory obligations.
- We have processes in place to honour legal requests for deletion of data (e.g. via a subject request for erasure).
- Audit information is kept for a minimum of 1 month and a maximum of 6 months.