Pluform security policy
This document describes the measures taken by Pluform to ensure proper levels of service and security.
Pluform’s security policy is based on the ICT security guidelines for web applications from the Dutch National Cyber Security Center (NCSC).
Data protection and Privacy
Pluform meets the requirements regarding data protection and privacy, in accordance with the Data Protection Act (DPA) and information about clients will never be sold or transferred to third parties (unless forced by Dutch law).
Users of the Application
In the application users can only access their own data, or data which is specifically needed within a Coach-Client relation. Thereby Pluform takes the possible professional secrecy of a Coach into account.
Different roles have different access levels, the roles within the application are Organization Manager, Coach and Client. Organization Managers are able to manage the profile data (e.g. name and e-mail) of Coaches and Clients. Organization Managers are not able to access any data regarding the conversation between Coaches and Clients. Coaches only have access to data of their own Clients (except passwords). Clients on the other hand only have acces to their own personal data and the data provided to them by their Coach.
Data of inactive users is stored for two years, on request Pluform can delete all data relating to a specific account.
Users determine their own passwords. We apply a severe regime based on 8 characters including 1 number and at least one capital letter. Lost passwords are handled by a link sent through e-mail (no passwords are sent by e-mail). Passwords are stored encrypted in the database.
Besides user authentication by username and password Pluform also provides the option to enable two-step verification. If enabled, users are required to, besides their password, enter a code which they receive on their mobile phone number which is authenticated by the user beforehand.
Pluform does not use Google Analytics for statistics on user behaviour within the secure online tool. Pluform does use Google Analytics and Cookies outside the secure online tool. More information about this can be found in our Privacy and Cookie statement.
Pluform has it’s IT hosting infrastructure managed by Webscale (Application Managers). Webscale is a Dutch company providing hosting services to Dutch government agencies, municipalities, educational institutions and health organizations. Webscale owns and administers Linux clusters and provides managed virtual servers to its customers. In case of increasing application load, the server-infrastructure can easily be upgraded to adapt to the increased volume in traffic. Webscale uses ISO 9001 and 27001 certified datacenters of Interconnect located in the Netherlands (Eindhoven and ‘s-Hertogenbosch). Pluform is not Patriot act liable. Webscale has it’s own Chief Security Officer who is also CISSP certified.
Development and Maintenance
Maintenance updates, security updates and new features are carried out by Pluform (Development Managers). Pluform has a strict policy regarding server access which is controlled by their Chief Operation Officer. Besides access control, Pluform also uses staged development, whereby all updates and new features are deployed in phases (Test-, Acceptance- and Production server) to decrease the possibilities of critical issues on the Production server which may lead to vulnerabilities in security.
Datacenter location protection
All datacenters used by Webscale have implemented high level measurements to prevent unauthorized physical access to server areas, including biometric access control, cameras, digital code locks and security personnel. Only authorised Webscale staff members and authorised Interconnect staff members have access to the server space. Webscale and Interconnect keep detailed logs of staff entering the server spaces.
Pluform.com is secured with a SSL-certificate. User data is transported using high grade SSL (Secure Sockets Layer) encryption. Update, improvement and maintenance operations data is transported over secure SSH connections. SSH is a cryptographic network protocol for securing data communication.
IT systems and procedures of Webscale are subject to audits.
All Pluform servers are equiped with a Linux iptables based firewall. Default all access is blocked with exception of certain public ports needed for incoming HTTP and HTTPS traffic from the Internet. The firewalls can be instructed to block Denial-Of-Service attacks or throttle traffic.
Application data is backupped on an daily basis. Every night, a backup is transferred to an offsite backup server.
The Pluform application is built using Drupal technology. Drupal is a framework for building secure web sites and web applications, which has been used for more than 10 years and has an outstanding security record. All information is transferred over secure SSL connections. Email is an insecure medium, therefore all e-mails send from the application never contain any confidential information. The emails are used as notifications to the actual message, which resides within the application and is accessible after logging in with a password. It is not possible to fish for usernames using the lost-password functionality.
In order to provide proper server security, the following best practices are followed: Webscale administrators have SSH access to the production machines. The user accounts don’t have passwords, SSH-key-based login only. The servers are only accessible via ip restricted management servers. Root passwords are stored in an encrypted file shared between administrators. Operating system software updates are first tested on testing machines, before being rolled out to acceptance and production environment. The Administrators subscribe to different security bulletins in order to keep up-to-date on security threats.
The health and performance of the Pluform servers and applications are monitored using Icinga technology. Munin is used to collect historic information, based on which Webscale operations can make informed decisions on how to scale the infrastructure.
version 5 17-05-2017