GDPR Compliancy Information
Nuco Technologies Ltd - GDPR Compliancy
GDPR compliancy will come into force on 25th May 2018 and due to the number of recent enquiries we have received from clients about it, we have produced the following information to help clarify the responsibilities of Nuco Technologies Ltd and its' associated hosting brands eg Host-it Internet Solutions (Host-it) in its role as a Data Processor and those of our customers in their role as a Data Controller in order to help them understand what we do to keep their account safe, how we secure our hosting services and what they can do to reinforce this security.
Our Data Security Responsibilities
Unlike some hosting companies, we operate our own datacentres meaning we are in full control of all physical security for our own servers housed within them.
Having this greater control enables us to take comprehensive measures to protect our infrastructure, network, and applications with ALL employees being trained in security and privacy practices.
Whilst we as the Data Processor are responsible for securing each aspect of the services that are under our control, you as the customer and Data Controller also play a key role in helping to ensure your own customers’ data that we may process on your behalf as part of the hosting service supplied, is protected and secure.
Build security into our network
When it comes to our server hardware we only use recognised industry brands. Our servers are monitored 24/7 and if we become aware of any issues, our Support Dept will work on resolving them immediately. For all Virtual hosting packages we manage the firewalls, all Operating System and hosting platform software updates and can do this for VPS and dedicated servers where the Management option has been taken.
We also security harden our servers both during setup and on an ongoing basis.
Encrypt user data in transit
To protect all data in transit between customers’ web browsers and our own websites, billing platforms and hosting platforms, we use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
Maintain a reliable service
We understand that organisations rely on our services so we strive to maintain maximum availability by monitoring our servers' uptime, carrying spare server components onsite in case of failure, operating a resilient/diverse MPLS network and having a resilient power infrastructure within each datacentre including UPS and Generator backup. For all Virtual hosting services, we also take regular data backups which are encrypted and stored in one of our other datacentres should a full restoration be required.
Limit employee physical access to servers and digital access to backend systems
Although our Support Staff will have access to data stored on our hosting platforms for shared hosting and managed VPS/Dedicated servers, it is not necessary that staff in other departments have the same access. Physical server access is also restricted by being contained within locked racks with cameras in each aisle and are within locked and alarmed data halls with all access policed through an access control system to only let permitted people enter. All company staff including Directors have had a basic DBS check performed.
Maintain employee security and privacy awareness
Part of keeping our services secure is making sure that the staff working at Host-it understand how to be security conscious and recognise suspicious activity or potential fraudulent requests including social engineering.
Employees are required to acknowledge internal information security policies and procedures prior to being granted systems access. Security and privacy training is mandatory for new staff with ongoing data security awareness testing occurring on a regular basis.
Validate our practices
Host-it are ISO27001:2013 Information Security accredited (certification available upon request) with external auditors visiting our datacentres’ every year to assess our own security policies, procedures and controls.
We are also registered under the Data Protection Act (Registration number Z8167547)
Communicate issues to you
Should a shared hosting server or VPS node have an issue which is affecting multiple customers then updates will normally broadcast through our Twitter page or via tickets that have been raised with your Online Portal.
If we are alerted to a compromised website on any of our hosting platforms we will disable the site where applicable and notify the client by opening a support ticket on the Portal.
As per GDPR requirements, we will notify the ICO of a serious data breach within 72 hours of becoming aware of it. In addition we will notify you the client without undue delay after becoming aware of such a breach.
Only use GDPR compliant sub-processors
Under GDPR legislation, a processor of personal data “shall not engage another processor without prior specific or general written authorisation of the controller”. As part of our contract with you it may be necessary to process your own AND/OR your customers’ personal data with other sub-processors for example Domain Registrars, SSL Certificate/PCI Scanning providers and Connectivity suppliers where this information is a requirement as part of their service provision. When doing so we will only use GDPR compliant companies.
Your Data Security Responsibilities
If you are using our services for your customers’ data then you are the Data Controller for that data and must ensure that you are GDPR compliant for any "personal information" contained within that data. You will need to familiarise yourself with the provisions of the new regulations and understand how they may differ from your current data protection obligations and consider any changes to working practices/policies/procedures that may need to be implemented.
Learn about our practices
As the Data Controller, you can decide on what data processers you use for your organisations’ data and we encourage you to take the time to validate our practices, as you would with any other supplier.
Configure sharing and viewing permissions on your account
Our online portal gives you flexibility to configure your account to support our security measures, and privacy requirements. The primary account holder is able to assign sub-account roles to additional authorised contacts.
For example a member of your accounts dept can have their own separate access in order to make payments and view/download invoices but will not be able to make changes to the account or access the web hosting panel.
You should ensure sub-account contacts added to your account have the appropriate permissions set.
Strong authentication practices will help keep your account data safe. It is recommended to enable two factor authentication in order to sign in to your account on the Online Portal.
This security feature adds an extra layer of protection to your online account. Once enabled you will be prompted for a six-digit security code in addition to a password upon sign-in.
Conduct regular access reviews
Access to your Online Portal may evolve as staff/job roles change. You should regularly check to make sure that only the appropriate people have access to help keep your and your clients' information in the right hands.
Monitor for unusual activity
Both the Online Portal and Plesk panel software record account log-ins and actions. It is important to let us know should you spot any suspicious activity in order to keep your account secure.
Keep Your Website Content Management Software up to date
Information Security risks are identified regularly within hosted Content Management Systems (CMS). Popular CMS such as WordPress, Drupal, Magento, etc release patches or updates in order to fix these vulnerabilities.
The vast majority of website attacks are concentrated on older versions of WordPress installs or plug-ins. By not performing released updates you are leaving your website and any data held by that website, open to attack.
If your website uses CMS software then it is your responsibility to update it. If you are unsure if an update may affect existing functionality within the website then please contact your websites’ developer(s) for advice/assistance.
Encrypt user data
We would strongly advise clients to protect user data in transit between their website and end users browsers by installing a secure certificate onto their website.
The above is not an exhaustive list and we recommend our clients perform their own assessments in terms of the information that is being held by them on our hosting platforms.
This document has been written for informational purposes only and is subject to change or be removed without notice.
V1.0 - April 2018