Claritum Security - FAQs
Q: I am a Data Controller based outside the EU/EEA. Do I have to comply with the GDPR?
A: The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
If any of the above applies to you, then the GDPR also applies to your organisation.
Q: Have your systems been ISO 27001 certified?
A: Claritum is not ISO 27001 certified, but our hosting partner Rackspace is.
Claritum is not certified for ISO 27001 but does have a policy of complying with industry 'best practice'. All data resides on the hosting infrastructure provided by our partner, Rackspace, who is certified ISO 27001, ISO 27002, SSAE1, SOC1, SOC2, SOC3, PCI-DSS, Safe Harbor, Content Protection and Security Standards (CPS).
Q: Have you experienced any cybersecurity incidents in the past 5 years?
A: No.
Q: Are your systems subjected to penetration testing? When was the last penetration test? What were the results?
A: Claritum performs vulnerability testing by internal personnel. This is performed on a regular basis, once per month. If any weaknesses are revealed, we address them through our regular release cycle. Critical vulnerabilities are resolved as part of an emergency release. Claritum can share the most recent vulnerability scanning report on request.
Q: Does Claritum maintain cybersecurity policies, including a written security policy or plan?
A: Yes. These policy documents are available on the Knowledge Base.
Q: Will any third parties need to process or otherwise have access to our data (e.g. Claritum's contractors or suppliers)?
A: Rackspace is the only third party whose systems your data touches (for hosting purposes).
Q: What access controls are in place to restrict access to information and uniquely identify users? Can access to our data be monitored?
A: All user access is controlled via uniquely identifiable logins (email address and password). Some aspects of user activity are audited and logged in detail by the system but not all data access is monitored or logged.
Q: Please describe your encryption practices insofar as they relate to our data.
A: TLS and SSL are used to encrypt all data in transit. Passwords are hashed with bcrypt (Blowfish-based) using random salts, with HMAC authentication.
Data at rest (databases) is not encrypted, but backups are encrypted using AES256.
Q: Please provide details of encryption and key management.
A: All non-hashed passwords and API credentials are stored encrypted with AES256 (Blowfish). Claritum sysadmin access is secured using SSH keys (private keys are held on the individual's device). Internally shared keys and passwords are held centrally in an AES256 (PGP) encrypted file with restricted access.
Q: Where are the vendor’s servers located? Will any of our data be transferred outside of the UK and/or the EEA?
A: London. No part of the UK hosting infrastructure resides outside of the UK. However, data may be transferred outside the UK/EEA if, for example, you (the data controller), a supplier or a customer reside outside the UK/EEA.
Q: What are Claritum's policies regarding the secondary use of customer data? Are there technical limitations on the secondary use of our data?
A: Only fully anonymised data is permitted for secondary use (for general analytics purposes) and can only be prepared by authorised personnel.
Q: Please describe how our data will be deleted on completion of the services.
A: All your data is held in a self-contained database schema and file storage containers. Upon completion, the DB schemas and file storage containers are permanently deleted. We can provide encrypted backups of this data to you if requested, prior to deletion.
Q: Does Claritum conduct regular, independent audits of its privacy and information security practices? When was the most recent audit and did it reveal any material risks or issues?
A: This is reviewed annually at the beginning of each year. The last review found no issues.
Q: Describe your security awareness program for personnel.
A: Claritum has a documented Secure Application Development Policy including detailed developer practices. Senior developers carry out regular code reviews, and relevant security topics are regularly circulated and discussed internally.
Q: Test environments must not contain personally identifiable information. Can you confirm this is the case?
A: Claritum's internal testing environments do not hold PII. The use of PII data on your test platform would be subject to your policies.
For more general GDPR FAQs please take a look at https://www.eugdpr.org/gdpr-faqs.html