Attrax has achieved both ISO 9001 and 27001 certifications, the world’s most rigorous standards for information security and quality management systems.
Quality Management System
We measure and monitor clients’ satisfaction and ensure that all our internal processes interact with each other in harmony. We have organised and optimised these processes for a fast delivery of our projects.
Information Security Management
This means that we keep clients’ data safe and have a solid resilience plan should any internal or external threats arise. With stringent process security and information management across the whole organisation, we have an ongoing commitment to protect our clients’ data, and their candidates’ data.
Microsoft Azure hosting
We host our sites on Microsoft Azure, the ever-expanding leading set of cloud computing services.
Azure’s infrastructure is designed from facility to applications for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security requirements. In line with industry standards, Attrax maintains a 99.9% Uptime SLA.
Data security is of paramount importance to us
Every Attrax customer has direct access to our London-based support team from 9am to 6pm (GMT) Mon-Fri. Moreover, Attrax is hosted on Azure with 24/7 monitoring that alerts our infrastructure team immediately to any potential problems.
Secure transmission of personal or system data is critical to the system design. The following general principles apply:
- Publicly accessible endpoints are secured by SSL
- Authentication keys are required for API access
- Azure managed services are internally accessible using TLS and authentication keys generated in Azure Vault services
- Internal Network Security Group rules determine available ports and routing of traffic between network layers
- Secure Azure blob transfer and storage requiring HTTPS with SAS tokens
- Azure advanced threat protection enabled on storage
- Antivirus scanning of storage
- SQL data is encrypted in transit and at rest using TLS for data in motion and TDE for data at rest. The Always Encrypted Azure feature is switched on for sensitive data
- We adhere to Microsoft best practices in the management of system and software updates and deploy regularly on a controlled schedule
Alongside the security controls detailed above, staff are trained appropriately as part of their induction and specific role duties on how to apply secure principles to information sharing.
Under GDPR, Attrax’s client (as Data Controller) needs to ensure that it has the necessary legal basis from the candidates to process their personal data.
Attrax will process the personal data based on the instructions from the client (Data Controller), and only in relation to one of the following:
- Gathering additional data from the Attrax databases to determine source of the candidate records
- Anonymising personally identifiable data after a request by the candidate
Enterprise level permission system
Attrax allows you to be in full control of your site with granular control of user access to a wide range of tools and features. You grant different levels of access to users based on their role.
Account lockout protection is in place to ensure further security of user accounts.
We have disaster recovery and business continuity plans to ensure that our sites work, important services are supported, and data is always recoverable.
Business Continuity procedures are documented and tested annually.
Secure Development Lifecycle
We follow Microsoft principles in building the Security Development Lifecycle for Attrax. The key principles and areas for consideration are as follows:
- Staff Training
- Security Requirements
- Threat Modelling
- Design Requirements
- Data Encryption Everywhere
- Secure Third-Party Components
- Static Analysis Security Testing (SAST)
- Secure Development and Dynamic Analysis Security Testing (DAST)
- Penetration Testing
- Incident Response Process