Security + Governance
General information about our company, our registrations and our data protection officer contact.
Connect Mix Share is a product of AM Data Limited. Registered in England and Wales. Company number: 12914020
AM Data Ltd is registered with the Information Commissioner’s Office (ICO). Registration number: ZB037387. All data protection officer enquiries to [email protected]
AM Data Ltd is certified to Cyber Essentials and complies with the requirements of the scheme. Certificate ID: 15638d91-246b-448b-b807-577c972c9c4d
All of our infrastructure is hosted within a London, UK data centre, certified to SOC 1 Type II, SOC 2 Type II, ISO 27001 and PCI-DSS.
Biometric, proxmity card, and/or personal identification number (PIN) reader systems are used to restrict data center access. Hardware is monitored, destruction is certified and policies are documented.
Our servers are highly configured at deployment for their specific role. All default access is removed, automatic updates are enabled and servers are actively monitored by trusted server management solutions.
We use a Virtual Private Cloud (VPC) to secure traffic between internal resources and isolate them from the public internet. Public access is limited to only essential services and routed through a firewall.
Our managed databases provide automated failover and highly scalable services. They are regularly updated, patched and monitored. Data is encrypted end-to-end using TLS/SSL in transit and LUKS at rest.
Resources are visualised to ensure scalability, flexibility and high availability. Rigorous permission protocols, device configurations, and comprehensive data isolation are integral components.
Access to infrastructure resources and controls are limited and protected by SSH keys, firewall policies, multi-factor authentication and layered permissions. All access is logged and monitored.
All resources are monitored 24/7 for performance, availability and security. We use a combination of automated and manual monitoring to ensure our systems are always available.
All data stored within our managed databases are automatically backed up daily, encrypted and stored off-site. Backups are tested regularly to ensure data integrity.
The security of your data is our top priority. We've integrated leading industry-standard security measures directly into our development processes. With these robust safeguards, you can confidently rely on our platform's security.
We employ email-password authentication combined with optional two-factor authentication. Email addresses must be verified, and passwords are hashed and salted using Bcrypt. Every authentication event is logged and monitored.
Each customer has a dedicated database for their chosen data. Only the data selected by the customer is transferred and stored. Furthermore, data transfer jobs run in isolation.
Credentials provided for external data sources are encrypted using OpenSSL with AES-256 at the application layer and further encrypted at the database level.
We protect at multiple levels against threats like DDoS, XSS, and SQL Injections with a robust WAF and CSP. All traffic runs strictly over HTTPS, ensuring secure interactions.
Our code is tracked and reviewed via a version control system. Combining automated and manual testing, we ensure our code remains secure and stable.
Through multiple layers of error logging and performance monitoring, we detect anomalies in real-time, enabling swift identification and resolution of issues.
Automatic updates and reviews of our server services, core frameworks, and code dependencies ensure we use only the latest stable and secure versions.
Access to our administrative interface is restricted to authorised individuals and safeguarded with strong passwords, keys, and two-factor authentication.
We regularly perform over 18,000 checks and tests on our infrastructure and web applications to guard against known and emerging vulnerabilities.
We scan our servers, development software, network monitoring, networking systems, content management systems and other well-known weaknesses.
We check for multiple OWASP Top Ten issues, SQL injection, cross-site scriping, XML eternal entity injection, local/remote file inclusions, web server misconfigurations, directory/path traversal, and more.
We check for publicly exposed databases, administrative interfaces, sensitive services and network monitoring software that could be used to gain access to our systems.
We check for any private information that should not be exposed to the public, such as local directory path information and internal IP addresses.
We look for weaknesses in SSL/TLS implementations, such as Heartbleed, CRIME, BEAST and ROBOT, weak encryption ciphers and protocols, SSL misconfigurations, unencrypted services and more.
We check for VPN configuration weaknesses, exposed git repositories, unsupported operating systems, open mail relays, DNS servers allowing zone transfer and more.
We are committed to protecting the privacy of our customers and their clients. Our shared responsbilities are important to us, and we are here to help you meet your GDPR obligations.
The (UK) GDPR and Data Protection Act 2018 (DPA18) set out the rules that apply to handling personal data in a fair and lawful way. We are committed to complying with the law and helping you to comply too.
All the data we handle and store for our customer work is on GDPR compliant servers, and kept safe from loss or corruption using up to date, robust technical and procedural security measures.
As the ‘Controller’ of personal data about your clients or service users, you are responsible for working with ‘Processors’ who will protect that data properly. ‘Processors are companies who provide a service that involves handling the personal data that you control, such as Connect Mix Share. You are required to explain (usually in your Privacy Notice) to people that you use Processors.
Your legal basis for collecting, using, and analysing personal data is extended to Connect Mix Share by way of our contract together. You don’t need to worry about obtaining special consent for us to handle the data on your behalf, as we are working as an extension of your team, both legally and practically.
Our policies are designed to ensure transparency, security, and responsibility when using our services. They underscore our commitment to protecting user data and setting clear expectations for our users.
Our privacy policy on the data we control and how we process it can be found here: Privacy Policy
Our Terms of Service, including our customer’s responsbilities, can be found here: Terms of Service
Our third-party data processors are used to provide our services and are listed below. We ensure that all subprocessors are GDPR compliant and have appropriate security measures in place.
DigitalOcean is our cloud infrastructure provider. All services are located in their London (UK) data center and is used to host our web services and database. Further information about DigitalOcean’s security can be found here
SendGrid is used to send emails from our systems and used by our optional Survey service. Further information about SendGrid’s security can be found here
Intercom is used to provide support and communication services to our users. We use Intercom’s EU hosting to meet our GDPR requirements. Further information about Intercom’s security can be found here
Live data sharing for charities, funders & social enterprises
Connect Mix Share is a product of AM Data Limited. Registered in England and Wales. Company No. 12914020
