01732 762001 hello@bluespark.co.uk

Email marketing system data security

Operational security

Dedicated security team

There is a dedicated information security team, responsible for securing the application, identifying vulnerabilities and responding to security events.

Data storage and processing locations

Data is stored in a US-based data centre. In addition, multiple data processing locations are used including USA, Australia and Germany. Fastly is used as an external content delivery network, which is used for content caching. Fastly’s locations are available here: https://www.fastly.com/network-map.

Security policies

There is a suite of security guidelines with supporting procedures, which have been aligned with the ISO 27001 standard. Security documentation is frequently reviewed and updated to reflect changes to processes made in response to newly identified threats, as well as a commitment to continuous improvement.

The NIST Cyber Security Framework is used to measure the ability to identify, protect, detect, respond and recover from security events.

Awareness and training

All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.

The ongoing programme of security awareness training is designed to keep all members of staff informed of, and vigilant about, security risks. This includes regular assessment of comprehension to measure the programme's effectiveness.

Physical security

Physical controls are designed to prevent unauthorized access to, or disclosure of, customer data.

Data centre controls

Only state-of-the-art data centres and cloud providers are used. Data centres are monitored 24×7 for all aspects of operational security and performance. They are also equipped with state-of-the-art security such as biometrics, sensors for intrusion detection, keycards, and around-the-clock interior and exterior surveillance.

In addition, access is limited to authorised data centre personnel; no one can enter the production area without prior clearance and an appropriate escort. Every data centre employee undergoes background security checks.

Data centre compliance

The data centre provider is certified to the following compliance standards: HIPAA, PCI-DSS, SOC 1 Type 2, SOC 2 Type 2, ISO 27001 and FISMA/NIST.

The cloud provider has the following certifications: PCI-DSS, ISO 27001, SOC 1 / 2 / 3, IRAP, ISO 27018 and ISO 9001.

Application security

The application has been designed with focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.

Security testing

A combination of regular scheduled scans of the application, penetration testing and bug bounty programmes is used to ensure that every area of the application has undergone rigorous security testing.

The scheduled vulnerability assessment scans simulate a malicious user, while maintaining integrity and security of the application’s data and its availability.

Security controls

Your data is never given, rented or sold to anyone else, nor is it made use of for any purpose other than to provide the service. See our full privacy policy for more information.

Each account's data is stored under a unique identifier, which is used to retrieve that data via the application or the API. Each request is authenticated and logged.

Secure code development

Industry best practices and standards, such as those from OWASP and SANS, are followed. There are separate environments and databases for the different stages of application development. Production data is not used in test and development environments.

Data encryption

To protect data, information is encrypted in transit by supporting TLS 1.0, 1.1 and 1.2. Data at rest is also encrypted using AES-256 encryption.
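As an added illustration of the transport-encryption point (this is not the vendor's own code), the following builds a server-side TLS context in Python's standard `ssl` module and reports which protocol versions it will negotiate. TLS 1.0 and 1.1 are formally deprecated by RFC 8996, so the example pins the minimum to TLS 1.2; the certificate path is a placeholder assumption and loading it is skipped so the block runs offline.

```python
import ssl

# Versions we consider acceptable on a public-facing service; assumption based on RFC 8996.
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
NEGOTIABLE = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def build_server_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Return a server-side SSLContext that refuses anything older than min_version."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = min_version
    # In a real deployment you would also call
    # ctx.load_cert_chain("/path/to/server.pem")   # placeholder path, not loaded here
    return ctx


def allowed_versions(ctx):
    """List the TLS versions ctx would accept, resolving the 'MAXIMUM_SUPPORTED' sentinel."""
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1
    return [v for v in NEGOTIABLE if lo <= v <= hi]


def deprecated_versions_enabled(ctx):
    """Return the names of deprecated versions the context still allows (empty list is the goal)."""
    return [v.name for v in allowed_versions(ctx) if v in DEPRECATED]


if __name__ == "__main__":
    ctx = build_server_context()
    print("negotiable:", [v.name for v in allowed_versions(ctx)])
    print("deprecated still enabled:", deprecated_versions_enabled(ctx))
```

`deprecated_versions_enabled` is the check worth wiring into a deployment test: it should return an empty list for every listener that terminates TLS for the application or the API.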

User access

Considerable effort is put into ensuring the integrity of sessions and authentication credentials. Password storage and verification are based on a one-way method, meaning passwords are stored as a strong salted hash rather than in a recoverable form. Email addresses are validated against a strong salted hash, stored along with the email.
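The salted-hash approach described above, as an added example rather than the vendor's implementation: passwords are stretched with PBKDF2-HMAC-SHA256 over a random per-record salt, and verification uses a constant-time comparison. The `hash_email` helper mirrors the page's statement that email addresses are checked against a salted hash; the storage format and iteration count are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-SHA256 at time of writing; assumption


def _derive(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algo$iterations$b64salt$b64digest."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = _derive(password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = _derive(password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def hash_email(email: str, salt: bytes = None) -> str:
    """Salted hash of a normalised email, stored beside the address for validation (assumed scheme)."""
    normalised = email.strip().lower().encode("utf-8")
    return hash_password(normalised.decode("utf-8"), salt)


def verify_email(email: str, stored: str) -> bool:
    return verify_password(email.strip().lower(), stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
```

Because the salt and iteration count are embedded in each record, the iteration count can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table.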

The databases are further protected by access restrictions, and key information (including passwords) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API which uses secure transfer protocols.

Logging and cookie management

Cookies are used for user authentication, and session IDs are used to identify user connections. Those session IDs are carried in cookies flagged HttpOnly (so they are not readable from JavaScript) and Secure (so they are sent only over HTTPS).
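To show what the two cookie flags look like in practice, here is an added example (not the vendor's code) that issues a session cookie with `Secure`, `HttpOnly` and `SameSite` set, and a small audit function that parses a `Set-Cookie` value and reports which of those protections are missing. The cookie name `session` and the `SameSite=Lax` choice are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")


def make_session_cookie(session_id: str = None) -> str:
    """Return the Set-Cookie value for a new session, with every required attribute present."""
    session_id = session_id or secrets.token_urlsafe(32)  # 256 bits of randomness
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not exposed to document.cookie
    morsel["samesite"] = "Lax"     # assumption: cross-site POSTs will not carry it
    morsel["path"] = "/"
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the names of required flags that are absent from a Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    good = make_session_cookie()
    print(good)
    print("missing:", audit_set_cookie(good))                      # []
    # Constructed example of a weak header for comparison
    print("missing:", audit_set_cookie("session=abc123; Path=/"))  # all three
```

Running `audit_set_cookie` over the `Set-Cookie` headers observed from a staging deployment is a cheap way to catch a regression where one of the flags is dropped by a framework upgrade or a misconfigured proxy.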

All key actions on the application are logged and audited. For instance, whenever staff access an account for maintenance or support functions, the activity is logged so that it can be referred to later.