Claritum Security - FAQs

Here’s a list of some of the more commonly-asked questions (and our answers) regarding our GDPR compliance:


Q: I am a Data Controller based outside the EU/EEA. Do I have to comply with the GDPR?

A: The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

It applies to all companies processing or holding the personal data of data subjects residing in the European Union, regardless of where the company itself is located.

If either of the above applies to your organisation, then the GDPR applies to you as well.


Q: Have your systems been ISO 27001 certified?

A: Claritum is not ISO 27001 certified but does have a policy of complying with industry 'best practice'. All data resides on the hosting infrastructure provided by our partner, Rackspace, who is certified for ISO 27001, ISO 27002, SSAE1, SOC1, SOC2, SOC3, PCI-DSS, Safe Harbor, and Content Protection and Security Standards (CPS).


Q: Have you experienced any cybersecurity incidents in the past 5 years?

A: No.


Q: Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced?  When was the last penetration test?  What were the results?

A: Claritum performs penetration testing using internal personnel. Some minor weaknesses were revealed during the last test and we plan to have these resolved in the next release. We do not share detailed results of these tests.


Q: Does Claritum maintain cybersecurity policies, including a written security policy or plan?

A: Yes. These policy documents are available on the Knowledge Base.


Q: Will any third parties need to process or otherwise have access to our data (e.g. Claritum's contractors or suppliers?)

A: Rackspace is the only third party whose systems your data touches (for hosting purposes).


Q: What access controls are in place to restrict access to information and uniquely identify users?  Can access to our data be monitored?

A: All user access is controlled via uniquely identifiable logins (email address and password). Some aspects of user activity are audited and logged in detail by the system but not all data access is monitored or logged.


Q: Please describe your encryption practices insofar as they relate to our data.

A: TLS/SSL is used to encrypt all data in transit. Passwords are not stored in recoverable form; they are hashed with bcrypt (Blowfish-based) using a random salt per password, with HMAC authentication.

Data at rest is encrypted with AES-256.


Q: Please provide details of encryption and key management.

A: All non-hashed passwords and API credentials are stored encrypted with AES-256. Claritum sysadmin access is secured using SSH keys (private keys are held on the individual's device). Internally-shared keys and passwords are held centrally in an AES-256 (PGP) encrypted file with restricted access.
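The two answers above say that stored API credentials and non-hashed passwords are AES-256 encrypted and that the key is held separately under restricted access. The following is an added example, not Claritum's code, of what that looks like in practice. It assumes AES-256 in GCM mode (the FAQ names only AES-256, so the authenticated mode is an assumption), a 32-byte key that would normally be loaded from the restricted key file but is generated in memory here so the example runs offline, and that each credential is bound to the identifier of the record that owns it so ciphertexts cannot be swapped between records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns 32 random bytes, i.e. an AES-256 key. Assumption: in a
// deployment this would be read from the restricted key file rather than
// generated on every run.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one credential with AES-256-GCM. The random 12-byte nonce
// is prepended to the ciphertext, so encrypting the same secret twice gives
// two different outputs. owner is passed as additional authenticated data:
// it is not encrypted, but decryption fails if the stored value is moved
// to a record with a different owner.
func Seal(key []byte, owner, credential string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(credential), []byte(owner))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any modification of the stored value, the wrong key,
// or a mismatched owner makes gcm.Open return an error instead of garbage.
func Open(key []byte, owner, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(owner))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a supplier record holding an API token.
	sealed, _ := Seal(key, "supplier:42", "api-token-example")
	fmt.Println("stored:", sealed)
	secret, err := Open(key, "supplier:42", sealed)
	fmt.Println("recovered:", secret, "err:", err)
	// Same stored value read back under a different owner is rejected.
	_, err = Open(key, "supplier:43", sealed)
	fmt.Println("cross-record read err:", err)
}
```

The point of the owner binding and of authenticated encryption is that a database-level attacker who can copy or edit encrypted rows gains nothing: every such change is detected on decryption, and nothing is decrypted unless the key from the restricted file is present.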


Q: Where are the vendor’s servers located?  Will any of our data be transferred outside of the UK and/or the EEA?

A: London. No part of the UK hosting infrastructure resides outside of the UK. However, data may be transferred outside the UK/EEA if, for example, you (the data controller), a supplier or a customer reside outside the UK/EEA.


Q: What are Claritum's policies regarding the secondary use of customer data? Are there technical limitations on secondary use of our data?

A: Only fully anonymised data is permitted for secondary use (for general analytics purposes) and can only be prepared by authorised personnel.


Q: Please describe how our data will be deleted on completion of the services.

A: All your data is held in a self-contained database schema and file-storage containers. Upon completion, the DB schemas and file storage containers are permanently deleted. We can provide encrypted backups of this data to you if requested, prior to deletion.


Q: Does Claritum conduct regular, independent audits of its privacy and information security practices? When was the most recent audit and did it reveal any material risks or issues?

A: This is reviewed annually at the beginning of each year. The last review found no issues.


Q: Describe your security awareness program for personnel.

A: Claritum has a documented Secure Application Development Policy including detailed developer practices. Senior developers perform regular code reviews, and relevant security topics are regularly circulated and discussed internally.


Q: Test environments must not contain personally identifiable information. Can you confirm this is the case?    

A: Claritum's internal testing environments do not hold PII. Use of PII data on your test platform would be subject to your policies.


For more general GDPR FAQs, please see https://www.eugdpr.org/gdpr-faqs.html