Pluform security policy

Introduction

This document describes the measures taken by Pluform to ensure proper levels of service and security.

Standards

Pluform’s security policy is based on the ICT security guidelines for web applications from the Dutch National Cyber Security Center (NCSC).

Data protection and Privacy

Pluform meets the requirements regarding data protection and privacy, in accordance with the Data Protection Act (DPA) and information about clients will never be sold or transferred to third parties (unless forced by Dutch law).

Users of the Application

In the application users can only access their own data, or data which is specifically needed within a Coach-Client relation. Thereby Pluform takes the possible professional secrecy of a Coach into account.
Different roles have different access levels, the roles within the application are Organization Manager, Coach and Client. Organization Managers are able to manage the profile data (e.g. name and e-mail) of Coaches and Clients. Organization Managers are not able to access any data regarding the conversation between Coaches and Clients. Coaches only have access to data of their own Clients (except passwords). Clients on the other hand only have acces to their own personal data and the data provided to them by their Coach.
Data of inactive users is stored for two years, on request Pluform can delete all data relating to a specific account.

Passwords

Users determine their own passwords. We apply a severe regime based on 8 characters including 1 number and at least one capital letter. Lost passwords are handled by a link sent through e-mail (no passwords are sent by e-mail). Passwords are stored encrypted in the database.

Two-step Verification

Besides user authentication by username and password Pluform also provides the option to enable two-step verification. If enabled, users are required to, besides their password, enter a code which they receive on their mobile phone number which is authenticated by the user beforehand.

 

User Statistics

Pluform does not use Google Analytics for statistics on user behaviour within the secure online tool. Pluform does use Google Analytics and Cookies outside the secure online tool. More information about this can be found in our Privacy and Cookie statement. 

Hosting

Pluform has it’s IT hosting infrastructure managed by Webscale (Application Managers). Webscale is a Dutch company providing hosting services to Dutch government agencies, municipalities, educational institutions and health organizations. Webscale owns and administers Linux clusters and provides managed virtual servers to its customers. In case of increasing application load, the server-infrastructure can easily be upgraded to adapt to the increased volume in traffic. Webscale uses ISO 9001 and 27001 certified datacenters of Interconnect located in the Netherlands (Eindhoven and ‘s-Hertogenbosch). Pluform is not Patriot act liable. Webscale has it’s own Chief Security Officer who is also CISSP certified.

Development and Maintenance

Maintenance updates, security updates and new features are carried out by Pluform (Development Managers). Pluform has a strict policy regarding server access which is controlled by their Chief Operation Officer. Besides access control, Pluform also uses staged development, whereby all updates and new features are deployed in phases (Test-, Acceptance- and Production server) to decrease the possibilities of critical issues on the Production server which may lead to vulnerabilities in security.

Datacenter location protection

All datacenters used by Webscale have implemented high level measurements to prevent unauthorized physical access to server areas, including biometric access control, cameras, digital code locks and security personnel. Only authorised Webscale staff members and authorised Interconnect staff members have access to the server space. Webscale and Interconnect keep detailed logs of staff entering the server spaces.

Transport security

Pluform.com is secured with a SSL-certificate. User data is transported using high grade SSL (Secure Sockets Layer) encryption. Update, improvement and maintenance operations data is transported over secure SSH connections. SSH is a cryptographic network protocol for securing data communication.

Audits

IT systems and procedures of Webscale are subject to audits.

Firewalls

All Pluform servers are equiped with a Linux iptables based firewall. Default all access is blocked with exception of certain public ports needed for incoming HTTP and HTTPS traffic from the Internet. The firewalls can be instructed to block Denial-Of-Service attacks or throttle traffic.

Backups

Application data is backupped on an daily basis. Every night, a backup is transferred to an offsite backup server.

Application security

The Pluform application is built using Drupal technology. Drupal is a framework for building secure web sites and web applications, which has been used for more than 10 years and has an outstanding security record. All information is transferred over secure SSL connections. Email is an insecure medium, therefore all e-mails send from the application never contain any confidential information. The emails are used as notifications to the actual message, which resides within the application and is accessible after logging in with a password. It is not possible to fish for usernames using the lost-password functionality.

Server security

In order to provide proper server security, the following best practices are followed: Webscale administrators have SSH access to the production machines. The user accounts don’t have passwords, SSH-key-based login only. The servers are only accessible via ip restricted management servers. Root passwords are stored in an encrypted file shared between administrators. Operating system software updates are first tested on testing machines, before being rolled out to acceptance and production environment. The Administrators subscribe to different security bulletins in order to keep up-to-date on security threats.

Monitoring

The health and performance of the Pluform servers and applications are monitored using Icinga technology. 
Munin is used to collect historic information, based on which Webscale operations can make informed decisions on how to scale the infrastructure.

Changes to our privacy policy

We reserve the right to change this privacy policy. Changes will be notified on this website and previous versions will stay available.

version 5 17-05-2017