CRM Data Security, Confidentiality & Compliance
Really Simple Systems guards data for thousands of customers, making sure that their data is secure, backed up and confidential. We understand that we have a high duty of care to protect customer data, and our internal policies and procedure reflect this.
Data Storage and Failover
Our production datacentre uses Google Cloud‘s data storage service and is located in Belgium. The Google platform has advanced security features such as data encryption at rest and automatic failover. We also maintain a real-time failover facility based in our two data centres in Fareham and Maidenhead, 75 miles apart in the United Kingdom, should the production servers hosted by Google fail. The replication time lag between the production and failover data centres is less than one second, so no data is lost in this process. This unique system has enabled us to achieve 99.999% uptime for our CRM over the last three years.
All communication between the servers and client (the user’s browser) is encrypted, so that data travelling over the public Internet cannot be intercepted and read. This is done using RC4 128 bit SSL, the same system that is used for Internet banking. Communications between the web servers and the database servers are also encrypted.
We take snapshot backups of the data at 23:00 GMT every day and hold it off-site at our offices, so we can rebuild a customer’s data as at any day in the past should we need to. The backups are stored in a compressed and encrypted format. After three months the backup data is deleted off all the servers in the data centres and is archived onto portable media and stored in a locked fireproof safe. We also keep another live server with a copy of yesterday’s data, for quick access when customers inadvertently delete data. No Really Simple Systems customer has yet to suffer any data loss.
Confidentiality & Data Access
Really Simple Systems understands that customer data is completely confidential, is of high commercial value to its customers, and that its protection from leakage is paramount. We host data for thousands of users, many of them competitors of each other, and the exposure of their data could cause them severe financial pain and embarrassment. Really Simple Systems support staff will only log on to a customer’s system after obtaining permission from them, confirmed in an email. Logins are tracked and can be monitored by customers from the Set Up/Users tab. By default the support staff have access to all customer data once logged in, but are subject to the same security system that others users are and access can be limited (or removed completely) by the customer. Data that is sent by the customer for uploading or processing is kept for one month after the upload or its return to the customer, and is then deleted. All staff employment contracts reinforce the confidentiality policy, underlining that a policy breach is grave misconduct and cause for instant dismissal. Really Simple Systems has yet to suffer any breaches of customer confidentiality. The company has been validated by many large companies, including IBM.
We explicitly state that legal ownership of the data resides with the customer. Really Simple Systems is registered and regulated under the UK Data Protection Act (registration number Z951270X).
European Data Protection
Under European law, all personal data held on EC citizens must be physically held in the EC. All our servers are based in the EC and data is therefore held in compliance with the European Union Directive on Data Protection and the forthcoming EC GDPR Directive. No customer data ever leaves the EC.
Really Simple Systems is HIPAA compliant, the Health Insurance Portability and Accountability Act designed to protect US citizens’ health insurance and medical electronic data.
Comparison to in-house CRM data security
It is widely accepted that most data theft originates from within an organisation. The security of Really Simple Systems customers’ data is generally better than data held internally by the customer: backups are automated and tested for the ability to restore; customer data is not held on laptops that could be mislaid or stolen; and application continuity is assured. By holding the data off-site within our dedicated secure environment, our customers can minimise the risk of internal data theft and know that their data is completely protected.
Really Simple Systems CRM does not formally comply with ISO standards. However, we are working towards self-certification and compliance with the ISO/IEC 27000-series.