Secure configuration

Our AWS account is configured so that minor or security-critical updates to software are installed automatically. Larger updates with the potential to introduce breaking changes are implemented as soon as possible, pending manual review and testing. We run the servers as immutable deployments, and they are configured to use only necessary tools. Multi-factor authentication is required for all critical accounts (i.e. those which store data and/or are considered critical to operations). HTTPS/SSL is enforced over all connections, and data is encrypted with AES at rest. We have DDoS protection provided by AWS Shield.

Network security

We have set up security policies in AWS which block connections from certain ports and, where appropriate, only accept connections from certain IP addresses. An AWS security check is run weekly, which produces a report on potential threats and solutions to them.

User education and awareness

We provide security training to our staff when they join the organisation, with refreshers throughout the year. Our goal here is to ensure that all staff understand the basics of data security, what is expected or required of them, and how to take sensible steps to reduce the risk of a data or security breach.