Security and privacy

Security and privacy are important to us, as they are to you. This page should give you everything you need to know about the Employer Portal.

  • The Employer Portal is hosted on the Microsoft Windows Azure platform.

  • Data is hosted in the UK, with the main data-centre located in the south of the UK.

  • We have a backup/fallback data-centre located in the west of the UK.

  • Physical protection is managed by Microsoft and our staff have no physical access.

  • All user passwords are 'Hashed and Salted'. Hashing means that we store only a one-way hash of each password, not the password itself, and therefore it is not possible for anyone to view an actual password in the database.

  • Passwords use 'salted bcrypt' with a high, adaptive round-count. Besides incorporating a salt to protect against 'rainbow table attacks', bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to 'brute-force search attacks' even with increasing computation power.

  • The only way a password can be reset is via a uniquely generated password reset email that is sent to the user.

  • Only the actual user of an account sets their password; not even the system administrator can set, view or change an individual user’s password.

  • As an additional measure, users can enable multi-factor authentication. This is an extra, secure way to prove who you are.

  • Files are encrypted in transit using Secure Sockets Layer (SSL) and the Advanced Encryption Standard (AES).

  • PDFs and payslips are stored separately from the main application data. This is to optimise the demand on the servers. It also reduces the opportunity for any attack, as a large number of requests don't need to use the application data.

  • We run separate instances of Azure for development and the live product, with strict procedures and policies in place restricting access to the live instance. This protects both customers and staff from accidental or unauthorised access.
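
How the adaptive round count described in the bcrypt point above works in practice, as an added example rather than the Employer Portal's own code: a bcrypt hash string stores its cost and salt alongside the digest, so a login handler can detect hashes created under an older, cheaper setting and re-hash them. The sample hashes, `TARGET_COST` and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# bcrypt's string format: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

TARGET_COST = 12  # assumed policy value for this example, not the portal's setting

# Constructed strings: structurally valid, but not real digests of any password.
SAMPLE_OLD = "$2b$10$" + "A" * 22 + "B" * 31
SAMPLE_CURRENT = "$2b$12$" + "C" * 22 + "D" * 31


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # The cost is a base-2 logarithm: each +1 doubles the work per guess.
        return 2 ** self.cost


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:  # range bcrypt accepts
        raise ValueError("bcrypt cost out of range")
    return BcryptHash(version, int(cost), salt, digest)


def needs_rehash(stored: str, target_cost: int = TARGET_COST) -> bool:
    """True when the hash should be replaced at the user's next successful login."""
    try:
        return parse_bcrypt(stored).cost < target_cost
    except ValueError:
        return True  # unknown or legacy format: upgrade it as well


if __name__ == "__main__":
    for h in (SAMPLE_OLD, SAMPLE_CURRENT):
        p = parse_bcrypt(h)
        print(p.version, p.cost, p.rounds, "rehash" if needs_rehash(h) else "ok")
```

Re-hashing can only happen at a successful login, because that is the only moment the plaintext password is available to compute a new hash at the higher cost.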