Security & Technical Information

At WhosOffice, information security is at the core of what we do. We have put together the following information to answer the questions that our customers and their data security teams may have.

Disclaimer

The purpose of this document is to show our users/customers how we implement Information Security for the WhosOffice platform. This document does not constitute a contract between customer and supplier, nor does it form part of the Terms and Conditions of the WhosOffice service.

We are unable to sign, agree to or otherwise endorse any of our customers' own terms and conditions nor their own security related questionnaires and documents.

We hope this document will show we take Information Security seriously at the highest level and enable you to use the service with confidence.

X:drive Computing Limited

WhosOffice is wholly owned and operated by X:drive Computing Limited.

Registered Office:
Office D+E, Beer Cart Building
1 Beer Cart Lane
Canterbury
Kent
CT1 2NY

Trade marks

The WhosOffice trademark is the sole property of X:drive Computing Limited

UK Trade mark
Number: UK00003050686
Classes: 9, 16, 35, 38, 42

US Trade mark
Serial: 85102767, Registration: 3943798
Basis: 44E


HIGH ACCESSIBILITY

Platform & Data Centres

The WhosOffice platform is a web based application hosted on servers that we own and that only our management team can access.

We use Microsoft Hyper-V replication to keep a copy of our virtual machines at a second data centre, so that service can be failed over in the event of a failure. Load balanced servers ensure we can continue to deliver a quality online service throughout high demand periods.

Servers are connected to Enterprise level databases and Enterprise level mail servers.

All of our physical servers are covered with appropriate on-site engineer support/warranties.

Managed firewalls prevent unauthorised access, and an intrusion detection system monitors network activity.

We monitor all of our servers from within our office on screens that constantly display disk space, CPU usage, temperatures and activity. Any out-of-range alert is sent to senior managers by SMS to cover out-of-office hours.

New features are considered by the management team and, if approved, are developed and tested thoroughly before release to the live platform. We do not employ third-party developers, nor do we allow any third party to connect to our servers.

First class data centres

Our first class data centres are based in the UK and hold Tier 3 (TIA-942) classification, with alignment to Tier 4 standards.

The data centre sites are staffed 24/7, ring-fenced with razor wire and monitored by CCTV. The data centre buildings themselves are card-access only and are also CCTV monitored.

Data centres are equipped with environmental controls, multiple power feeds and internet connections, along with generator backup power.


INTEGRITY & AVAILABILITY

Data Storage & Failover

WhosOffice supports integration with Active Directory.

PCI DSS Compliance

Vulnerability scans are carried out every 3 months, in line with the quarterly scanning that the PCI DSS standard requires.

Security testing / vulnerabilities

Vulnerability scans are also carried out to keep pace with new security guidance from bodies such as OWASP, Cyber Essentials and the NCSC, with any remedial work completed within 2-4 weeks depending on the assessed severity and impact of the finding.

Failover testing

Our failover procedures are tested every 6 months. These tests ensure our procedures cover every eventuality and help us restore service for our customers in the event of power loss, internet loss, or total loss of a data centre.


DATA PROCESSING

Online Payments

We do not store full card numbers or card security codes for online payments (see "Are You PCI-DSS Compliant?" below for the limited card data we do retain). Our payment provider "Pay360 by Capita" is PCI DSS Level 1 certified and is responsible for managing payments on behalf of WhosOffice.

Pay360 by Capita
PCI DSS Level 1 Certified

LEGAL

Data Protection & GDPR

The Data Protection Act 1998 is due to be superseded by the General Data Protection Regulation (EU) 2016/679, which applies from 25 May 2018.

We are a "Data Processor": we process data on your behalf as part of your use of our service. We are committed to GDPR and to supporting our customers' GDPR compliance efforts.

Our Terms and Conditions, along with our Privacy Policy have been updated to include the clauses and principles relating to Data Processing in accordance with the General Data Protection Regulation (GDPR), and this forms the Data Processing Agreement between us.

We will NOT be able to sign any additional agreements/contracts/documents.



PAST & PRESENT

Accreditations & Achievements


ISO27001:2013

Certificate No: 197436

X:drive Computing Limited, the owner and operator of WhosOffice.com, is certified to the International Standard ISO27001:2013 for Information Security. This means we have robust procedures in place for the confidentiality, integrity and availability of information and data.



ICO - Information Commissioner's Office

Reg. Number: Z2383418

Crown Commercial Service Supplier

Service ID: 5315 8353 6212 146


Since 2016, WhosOffice has been recognised as a Crown Commercial Service (CCS) supplier within the G-Cloud 9 Digital Marketplace. This allows WhosOffice to be used by organisations across the UK public sector, including central government, local government, health, education, devolved administrations, emergency services, defence and not-for-profit organisations.


OTHER PROVIDERS

3rd Party Apps / Vendors

Google Analytics

We use anonymised statistical data to understand traffic and usage across the "Public" pages of our platform.

Pay360 by Capita

Our payment provider "Pay360 by Capita" is PCI DSS Level 1 certified and is responsible for managing payments on behalf of WhosOffice.

SotaConnect

Our data centres are owned & operated by SotaCONNECT, a UK based ISO27001 accredited company. We own and operate our own servers located within these data centres (see Platform & Data Centres).

Emails / Support Systems

We do not use third-party support or ticketing systems, which very often result in customer data being stored on another vendor's platform outside the EU.

We build and operate our own email, ticketing and support platform, and your data will NEVER leave the UK.


ARE YOU COVERED?

What you could/should be asking your provider

The following questions are examples of what you should be asking your current/future provider. Answers from WhosOffice are in italics under the question.

Who owns our data?
You. As a WhosOffice customer, you own your data. WhosOffice is classed as a 'Data Processor', as our customer you are classed as the 'Data Controller'.


Where will the servers be based on which our data would be stored?
All data is stored within our data centres located within the UK.


Is there any possibility of it being transferred outside the EU?
No, we do not transfer any data outside of the UK.


Do you use any subcontractors for the storing of our data and if so, who are they and where are they based; if any are based in the US, under which transfer mechanism do they operate? (The US Safe Harbor scheme was invalidated in October 2015 and replaced by the EU-US Privacy Shield.)
We only use first class data centres located in the UK, who are also ISO27001 certified.


Are you ISO 27001 and/or 9001 and/or 27017/8 certified and/or certified by any other data security organisation? Please supply a copy of any relevant certificates.
We are certified for ISO27001 and externally audited by The British Assessment Bureau, see above section for certification.


Have you ever had a security breach and was any client data lost or accessed?
We have had no data breaches since operations began in 2006. We have had two unscheduled outages, each lasting no more than 30 minutes.


How is our data encrypted?
Passwords are never stored in a recoverable form: we store a one-way salted hash of each password, so it cannot be decrypted, only checked against a password the user enters.


Is our data backed up?
Data is replicated between our data centres every 5 minutes, with an off-site back up taken every 4 hours.


Who can access my data?
Both yourself and the support team at WhosOffice can access your data. Our support team will only ever access your data to perform support based tasks on request from you or someone within your organisation.


What if a server crashes?
After assessment by one of our senior managers, our failover procedures are initiated to move service to another server within our network.

Will we need to sign a data processing agreement under GDPR?
Our Terms and Conditions, along with our Privacy Policy have been updated to include the clauses and principles relating to Data Processing in accordance with the General Data Protection Regulation (GDPR), and this forms the Data Processing Agreement between us. We will NOT be able to sign any additional agreements, contracts or documents.


Do/Would you sell our data?
No, never.


Do you use 3rd parties for development?
No, never.


Would your organisation be prepared to enter into a data processing agreement?
We believe our terms and conditions are sufficient and we are unable to enter into any other individual agreements or contracts.


Can you please send me your terms of business and any other terms which we would have to sign up to in order to receive the hosted service?
Our terms and conditions are available here.


What is the position and process regarding the return of our organisation’s data in the event that the agreement was terminated?
Your data can be exported from within the WhosOffice application at any time.


Are You PCI-DSS Compliant?
Yes. We do not store full card numbers, security codes or any other cardholder data on our servers; the only card data we retain is the card expiry date and the last four digits of the card number (a truncated PAN, which PCI DSS permits to be stored). Payments are managed by our payment provider, Pay360 by Capita.


How Long Do You Keep My Data For?
In the event you cancel your account, your data will be retained on WhosOffice's servers for a further 6 months from the date of cancellation, after which it is permanently deleted.


When was your last fail over test?
Our last test was conducted in January 2018 with a successful outcome.


NEED MORE?

Further information and support

If you have any queries regarding the technical or information security arrangements of WhosOffice, please address them in writing to the following address:

Chief Security Officer, WhosOffice, Office D+E, Beer Cart Building, 1 Beer Cart Lane, Canterbury, Kent CT1 2NY

