Security + Governance

Protecting your data

Overview

General information about our company, our registrations and our data protection officer contact.

Company

Connect Mix Share is a product of AM Data Limited. Registered in England and Wales. Company number: 12914020

Data Protection

AM Data Ltd is registered with the Information Commissioner’s Office (ICO). Registration number: ZB037387. All data protection officer enquiries to [email protected]

Cyber Essentials

AM Data Ltd is certified to Cyber Essentials and complies with the requirements of the scheme. Certificate ID: 15638d91-246b-448b-b807-577c972c9c4d

Infrastructure

All of our infrastructure is hosted within a London, UK data centre, certified to SOC 1 Type II, SOC 2 Type II, ISO 27001 and PCI-DSS.

Physical Security

Biometric, proximity card, and/or personal identification number (PIN) reader systems are used to restrict data centre access. Hardware is monitored, destruction is certified and policies are documented.

Server Environment

Our servers are tightly configured at deployment for their specific role. All default access is removed, automatic updates are enabled and servers are actively monitored by trusted server management solutions.

Network Protection

We use a Virtual Private Cloud (VPC) to secure traffic between internal resources and isolate them from the public internet. Public access is limited to only essential services and routed through a firewall.

Data Security

Our managed databases provide automated failover and highly scalable services. They are regularly updated, patched and monitored. Data is encrypted end-to-end using TLS/SSL in transit and LUKS at rest.

Virtualisation

Resources are virtualised to ensure scalability, flexibility and high availability. Rigorous permission protocols, device configurations, and comprehensive data isolation are integral components.

Management Access

Access to infrastructure resources and controls is limited and protected by SSH keys, firewall policies, multi-factor authentication and layered permissions. All access is logged and monitored.

Monitoring

All resources are monitored 24/7 for performance, availability and security. We use a combination of automated and manual monitoring to ensure our systems are always available.

Backups

All data stored within our managed databases is automatically backed up daily, encrypted and stored off-site. Backups are tested regularly to ensure data integrity.

Application

The security of your data is our top priority. We've integrated leading industry-standard security measures directly into our development processes. With these robust safeguards, you can confidently rely on our platform's security.

User Authentication

We employ email-password authentication combined with optional two-factor authentication. Email addresses must be verified, and passwords are hashed and salted using Bcrypt. Every authentication event is logged and monitored.

Data Isolation

Each customer has a dedicated database for their chosen data. Only the data selected by the customer is transferred and stored. Furthermore, data transfer jobs run in isolation.

Credentials Encryption

Credentials provided for external data sources are encrypted using OpenSSL with AES-256 at the application layer and further encrypted at the database level.

Web Defence

We protect at multiple levels against threats like DDoS, XSS, and SQL injection with a robust WAF and CSP. All traffic runs strictly over HTTPS, ensuring secure interactions.

Code Management

Our code is tracked and reviewed via a version control system. Combining automated and manual testing, we ensure our code remains secure and stable.

Errors and Monitoring

Through multiple layers of error logging and performance monitoring, we detect anomalies in real-time, enabling swift identification and resolution of issues.

Dependency Updates

Automatic updates and reviews of our server services, core frameworks, and code dependencies ensure we use only the latest stable and secure versions.

Administration

Access to our administrative interface is restricted to authorised individuals and safeguarded with strong passwords, keys, and two-factor authentication.

Protection

We regularly perform over 18,000 checks and tests on our infrastructure and web applications to guard against known and emerging vulnerabilities.

Vulnerable Software & Hardware

We scan our servers, development software, network monitoring and networking systems, content management systems and other components for well-known weaknesses.

Web Application Vulnerabilities

We check for multiple OWASP Top Ten issues, SQL injection, cross-site scripting, XML external entity injection, local/remote file inclusion, web server misconfigurations, directory/path traversal, and more.

Attack Surface Reduction

We check for publicly exposed databases, administrative interfaces, sensitive services and network monitoring software that could be used to gain access to our systems.

Information Leakage

We check for any private information that should not be exposed to the public, such as local directory path information and internal IP addresses.

Encryption Weaknesses

We look for weaknesses in SSL/TLS implementations, such as Heartbleed, CRIME, BEAST and ROBOT, weak encryption ciphers and protocols, SSL misconfigurations, unencrypted services and more.

Common Mistakes & Misconfigurations

We check for VPN configuration weaknesses, exposed git repositories, unsupported operating systems, open mail relays, DNS servers allowing zone transfer and more.

GDPR

We are committed to protecting the privacy of our customers and their clients. Our shared responsibilities are important to us, and we are here to help you meet your GDPR obligations.

The Legal Framework

The (UK) GDPR and Data Protection Act 2018 (DPA18) set out the rules that apply to handling personal data in a fair and lawful way. We are committed to complying with the law and helping you to comply too.

Data Security

All the data we handle and store for our customer work is on GDPR compliant servers, and kept safe from loss or corruption using up to date, robust technical and procedural security measures.

Your Responsibilities

As the ‘Controller’ of personal data about your clients or service users, you are responsible for working with ‘Processors’ who will protect that data properly. ‘Processors’ are companies who provide a service that involves handling the personal data that you control, such as Connect Mix Share. You are required to explain (usually in your Privacy Notice) to people that you use Processors.

Our Working Relationship

Your legal basis for collecting, using, and analysing personal data is extended to Connect Mix Share by way of our contract together. You don’t need to worry about obtaining special consent for us to handle the data on your behalf, as we are working as an extension of your team, both legally and practically.

Policies

Our policies are designed to ensure transparency, security, and responsibility when using our services. They underscore our commitment to protecting user data and setting clear expectations for our users.

Privacy Policy

Our privacy policy on the data we control and how we process it can be found here: Privacy Policy

Terms of Service

Our Terms of Service, including our customers’ responsibilities, can be found here: Terms of Service

Subprocessors

Our third-party data processors are used to provide our services and are listed below. We ensure that all subprocessors are GDPR compliant and have appropriate security measures in place.

DigitalOcean

DigitalOcean is our cloud infrastructure provider. All services are located in their London (UK) data centre and are used to host our web services and database. Further information about DigitalOcean’s security can be found here

SendGrid

SendGrid is used to send emails from our systems and by our optional Survey service. Further information about SendGrid’s security can be found here

Intercom

Intercom is used to provide support and communication services to our users. We use Intercom’s EU hosting to meet our GDPR requirements. Further information about Intercom’s security can be found here
