Security Measures at Governance360

We take security extremely seriously at Governance360. Here is an outline of some of the key measures that we take to enforce this stance

Encryption

  • Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
  • One of the most common encryption technologies used in website and application development is SSL. SSL, or more accurately Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.
  • From the moment you start using Governance360, all activity you have with us (and with your fellow Board members when using the platform) is encrypted with SSL. Our SSL certificates use SHA-256 & 2048-bit encryption to protect your data, amongst the most secure measures currently available.
  • We enable Users to use 2 Factor Authentication when signing-in to the App (and recommend that they do).
  • We ask our internal staff to operate a VPN when operating outside of known security networks, for example in public access wifi spaces.

Financial Security

  • Governance360 never stores your credit card details on our platform, nor do we want to.
  • If you pay for your services directly through Our Store using your credit card, then all payments are made over SSL connections, not logged or stored in our systems.
  • Dependent on your choice of payment method they are either processed by:
    • Stripe, a PCI-DSS level 1 compliant service provider. Click here for a copy of the Stripe privacy policy.
    • or by GoCardless, a UK based payment systems providers – click here for a copy of their privacy statement and procedures.
  • If you choose to pay in advance via invoice, then payments are processed manually using Stripe credit card functionality.

Password Security

  • For your own security, we recommend you choose a password of at least 10 characters with a mixture of letters, numbers and punctuation characters when you create an account on Governance360. We also help enforce this with a simple validation check when you first register with the application.
  • We recommend the use of a unique password (external password manager applications such as Roboform or Lastpass may help you here).
  • Our platform is only accessible through the SSL protocols noted above, albeit we cannot be held responsible for how you access the internet and strongly suggest you ensure your environment is as secure as possible (for example we do not recommend you use public wifi to access the application).
  • The Governance360 web app will log-out when you leave the browser you are logged in with and will ask you to log-in once again to use the platform again.
  • Our App will sign-out automatically if there is no activity logged on the site thirty minutes after you log-in.  We have also set the application to not enable a ‘simple’ password to be used by an account holder – these checks are carried out automatically when you set up your account, our apologies if you find it frustrating to not be allowed to use a simple password but we believe that your security should come first.
  • Your data should be saved on a regular basis during your use of the App, so please sign-in again and you should find that your progress is ready at the place at which you left it.
  • We do offer 2 Factor Authentication to logged in users - we offer the choice of mobile, email or authenticator app based 2FA.  Whilst we cannot force our users to use this, we do strongly suggest that they do and include warning notes within the App for those that have not yet activated this feature to encourage them, regularly, to do so.

Virus Controls and scanning

  • We work with a third party security specialist to ensure our desktop estate is as secure as it can be.  This includes the use of industry leading virus detection and malware detection software which is enforced at all times.
  • We also operate virus scanning software on the database infrastructure we operate to seek to reduce our risks, and that of our users, when storing key documents and information with us.

Data Retention & Storage

  • We store the minimum amount of data required to provide our services as outlined in our Privacy and GDPR notice.
  • Your data in the App is stored and backed up off-site daily by our sub-processors – you can find out more about these in sub-processors page.
  • Your personal data is stored and backed up off-site daily for recovery from disasters in Data Centres in the UK & US so that we can enhance the delivery of our service.
  • Customer data is held by Governance360 for the purposes of our accounting records and fiscal duties, either within our CRM system or our financial system, both of which we have received confirmation for from their vendors that they are GDPR compliant.
  • Credit cards details are only stored by PCI compliant service partners as noted above.

People Controls

  • Staff, and where appropriate, external contractors are cleared prior to working with us by our Human Resources department.
  • Our checks are comprehensive, and include (in no particular order), Proof of Identity, Proof of Right to Work and Proof of Residency.
  • We also maintain internal Human Resources policies, reviewed annually.
  • Only employees with the necessary rights and roles can access our data centre facilities and underlying data.
  • Customer data is accessed on an as-needed only basis, and only when approved by the customer (i.e. as part of a support incident), or by operational staff to provide necessary support and maintenance.
  • All employees are asked to sign confidentiality agreements and are trained on a regular basis as to the importance of these policies and procedures.