Data processing activities by Synap are undertaken as part of specific requests from our clients, i.e. to provide technical support to users, or when we receive explicit instructions from a client to process data on their behalf (e.g. reporting/data analysis).
Data collected includes users' names and email addresses, so that the client can attribute actions taken on the platform to a particular user and get in touch with them when work is due. No special category data is collected.
Synap is hosted on Amazon Web Services (AWS) infrastructure within the EU (Dublin). Our database is provided by MongoDB, which is also hosted on AWS in Ireland.
Our databases are backed up every day and kept for 7 days before being deleted. All data, including backups, is encrypted in transit and at rest (HTTPS/AES-256). Card payments are processed by the client's own payment processing gateway (e.g. Stripe/PayPal).
Only Synap employees have access to our data, and we will only access identifiable client data upon written request/authorisation from the client, or to fulfil an obligation outlined in our contract with the client. Our offices are controlled by keycard access to all floors and key access to individual offices.
Only Synap directors (James and Omair) have access to admin accounts on AWS, database hosting and our internal dashboards. We have individual user accounts set up for all team members which provide them with the minimum access they need in order to perform daily tasks (configured with AWS Identity & Access Management controls). All company devices are locked with a password and, where available, multi-factor authentication. We have completed the UK Government-backed 'Cyber Essentials' scheme and will renew this annually when due. For more information on our operational security measures, please see our Digital Marketplace (G-Cloud) listing here: https://www.digitalmarketplace.service.gov.uk/g-cloud/services/741306168157348
Secure configuration
Our AWS account is configured so that minor or security-critical updates to software are installed automatically. Larger updates with the potential to introduce breaking changes are implemented as soon as possible, pending manual review and testing. We run the servers as immutable deployments and they are configured to use only the necessary tools. Multi-factor authentication is required for all critical accounts (i.e. those which store data and/or are considered critical to operations). HTTPS/SSL is enforced over all connections, and data is encrypted with AES at rest. We have DDoS protection provided by AWS Shield.

Network security
We have set up security policies in AWS which block connections on certain ports and, where appropriate, only accept connections from certain IP addresses. An AWS security check is run weekly, which produces a report on potential threats and solutions to them.

User education and awareness
We provide security training to our staff when they join the organisation, with refreshers throughout the year. Our goal here is to ensure that all staff understand the basics of data security, what is expected/required of them, and how to take sensible steps to reduce the risk of a data/security breach.

We have real-time monitoring set up which alerts our engineers as soon as one of our servers is unreachable or otherwise experiencing degraded performance. Secure database backups are taken daily, as well as prior to any major changes.

Malware prevention
Company devices have anti-malware/anti-virus software installed, and our office network also has protection built into the routers.

Monitoring
We have real-time monitoring set up with Pingdom that measures traffic and impact on services. We also have weekly security routines configured with AWS which look for potential attack vectors and suspicious traffic.

Removable media controls
We do not use removable media devices. We have a policy in place to securely delete any local files containing user data as soon as they are no longer needed.

Home and mobile working
Only Synap directors work on anything related to user data, servers, etc. from home. This takes place on devices with strong passwords, on a secure Wi-Fi network with hardware firewalls. Again, all accounts are also locked behind multi-factor authentication.
Synap maintains a Cyber Essentials certification. Cyber Essentials is a UK Government-backed, industry-supported scheme, designed in conjunction with the UK National Cyber Security Centre (NCSC). It outlines a set of technical and organisational controls to help organisations protect themselves against common online security threats.
Synap conducts regular internal penetration tests against the OWASP Top 10 criteria, as well as monthly external penetration tests against the OWASP Top 10 and a wide variety of other attack vectors. The external penetration tests are conducted by Intruder, a widely used automated tool that checks against over 17,000 known attack vectors.
We are committed to resolving any Critical, High or Medium severity issues flagged by penetration testing as soon as possible, usually within days of discovery. We aim to resolve Low severity issues within 1-2 months.
We are happy to make a copy of our external penetration test report and/or our Cyber Essentials audit report available upon request.