Security
Keeping data secure within OKCrowd is of paramount importance to us. We safeguard your data in a number of ways including the infrastructure we use and through our internal processes and policies.
Data storage
Personal information is stored at rest in an encrypted or hashed state. All data sent between you and us is encrypted end-to-end using SSL with AES-256 encryption.
Our hosting infrastructure is updated on an ongoing basis with the latest security patches. We host OKCrowd in a locked-down environment within an ISO27001 accredited facility. ISO27001 is an internationally recognised specification and a popular standard for Information Security Management Systems (ISMS).
We back up the data we hold daily and have in place a Business Continuity Plan in case we or our software suppliers suffer a catastrophic failure. This plan is tested and reviewed regularly.
Firewall, monitoring and software
We have a Web Application Firewall in place to protect against Distributed Denial of Service (DDoS) Attacks and other suspicious activity. We use a number of internal and external systems to monitor applications and databases.
Our software is built using best practices and is under continual review. We monitor the open source and other third-party software we use for security incidents, patch it when required, and update libraries on an ongoing basis.
Security incidents
We have a formal incident response plan for security incidents. If we discover, or are notified of, an incident affecting our systems or the services we use, the incident response team works through the plan to analyse, document, contain and respond to the event. You will be notified within 24 hours of an event, with follow-ups on any action taken or any action required on your part. Our response plan is tested and reviewed annually. So far we have not had any security incidents.
User access and security
We follow the principle of least privilege, and authorisation is entirely role-based. When a user is added to the system by you or someone within your company, you select which role and set of permissions they have, and you can remove or change a user's permissions and access levels at any point. The principle of least privilege applies to our employees too.
Accounts are authenticated using an email address and password. We follow NIST guidelines on password length, complexity and rotation and accordingly have restrictions in place for password selection. The system has temporary lock-out mechanisms and monitoring in place to protect against brute-force login attempts. Two Factor Authentication via email is available as a setting within the system.