At myhrtoolkit we understand just how important security and information safe-guarding is to our customers. With that in mind, we employ modern security best practice to ensure that your data is safe. Additionally, myhrtoolkit are registered with the Office of the Information Commissioner as a data processor. The following sections outline our security and support systems.
This web tool monitors and displays the current status of each of our services; the Main Toolkit App, the Mobile App, the API and the www.myhrtoolkit.com web site. It also provides detail of any future maintenance. View it here: https://status.myhrtoolkit.com/
State-of-the-art secure hosting
The best security needs to extend all the way to the hardware level. Myhrtoolkit resides on a cluster of advanced, secure Rackspace servers (www.rackspace.co.uk) that are protected by a sophisticated firewall and intrusion detection/prevention system. All servers are based entirely within the UK. Rackspace are ISO27001 accredited and known for their fanatical support and ensure that all of our servers are kept up to date with the very latest security measures and patches.
Our servers sit behind a CISCO ASA firewall. All services and ports other than standard web ports, are either removed or locked down by IP address. They run a patched and hardened installation of Red Hat Enterprise Linux with intrusion detection and anti-virus applications.
If after reading this document, you require further information regarding Rackspace and the services they provide to us, we would be pleased to pass you on to our account contact.
Myhrtoolkit utilises the best encryption available. Our certificates are encrypted with 256bit encryption and all data that passes between you and our servers is encrypted with industry standard 128bit encryption. All passwords are encrypted using standard AES encryption algorithms. General data is obfuscated but not encrypted as this needs to be searchable and indexed. Encrypting all field level data would impact performance too much and isn’t feasible. This is a standard approach. We regularly update our encryption methods to ensure that we drop support for weak cyphers and apply security patches as soon as they are available. Connections to and from our servers takes place over SSL. We have strengthened our SSL (or accurately TLS) connections significantly and only support strong cipher suites. Weaker SSL v2 and v3 protocols are not supported and TLS 1.0 will be dropped in due course. We recommend a minimum of TLS 1.2.
We are not PCI DSS audited but where possible we use them as best practice. We have achieved an A grade from Qualys SSL Labs, which can be seen at https://www.ssllabs.com/ssltest/analyze.html?d=app.myhrtoolkit.com
- What is the reason why you are not PCI DSS Audited?
We do not seek PCI audit as we do not process or hold payment card data. Such card processing as we undertake is managed for us by a third party merchant, Worldpay; an international card payment company that processes around 31 million payments per day. They are fully PCI compliant.
However, we do look to the PCI standards to guide our internal development and processes.
- All data that passes between yours and our servers is encrypted with industry standard 128bit encryption. Why is this not 256 bit encryption?
There are 2 components to communication encryption; key strength and data in transit.
Our key strength meets the RSA2048 bit standard, and is thus incredibly secure.
The encryption level used for data in transit is browser dependent. That is, it relies on the level of encryption supported by the browser of the user. As such and in line with PCI standards, we currently support connections of between 128 and 256 bit. The lower level will be deprecated in line with current PCI guidelines. At the same time, we will drop support for TLS 1.0 & 1.1 ciphers and mandate TLS 1.2 (SSL having been dropped in 2013).
As a consequence, support for IE version 8, 9, 10 and prior will also be dropped. Microsoft dropped support for all but IE11 and Edge back in January 2016.
2018 will see a major change to internet security.
One of the most longstanding security protocols, Transport Layer Security version 1 (TLS 1.0 and in some cases TLS 1.1), is having support removed later in 2018.
For the majority of people, who are accessing the web via a modern browser, this will not represent an issue. However anyone still using an older browser will find they are unable to access many sites, including myhrtoolkit.
To assist in identifying if you will be affected, we will displaying a message on the login screen where we detect that you are connecting via an older browser that will be effected after June.
The solution is to either upgrade your existing browser, or switch to a more modern version.
To help understand the issue further and offer some guidance, our Technical Director has written this useful article explaining things in more detail.
Each week our server is scanned by Netcraft for vulnerabilities. Any found are patched within days. From the Netcraft website : “Netcraft updates its test suite daily, adding new tests for the latest security exploits. A site with an up to date “Audited by Netcraft” seal is your assurance that the site owner is vigilant and maintaining the security of their site against the latest Internet security vulnerabilities.”
You can see our current Audited by Netcraft status and more information at
Distributed Denial of Service (DDoS) attack
A DDoS attack is an attempt to maliciously disrupt an online service by overwhelming the service with unusually high traffic until the service is no longer able to process genuine requests. Often this may be accompanied by a request for payment to stop the attack. Sadly, this is becoming an increasingly common part of the life of an online business, with companies such as Twitter and Instagram having been recently affected.
To maintain a solid defence against DDoS type attacks, our technical partners Rackspace and CloudFlare utilise sophisticated proprietary systems to both prevent and mitigate an attack of this nature.
Brute Force attack
Our login system has inbuilt protection against attempts to break into the system using automated brute force attack.
Disaster Recovery Data back-up
We understand the importance of regular reliable backups to ensure system availability and continuity; as such, we operate 2 entirely separate backup routines for the purposes of disaster recovery. The first is managed by our hosting partner Rackspace; who make a daily back up of all changes and take a full back up once a week. These are stored in their secure data centre over a 2 week rolling period. Additionally, myhrtoolkit take a full daily back up which is stored for 30 days off-site with a different PCI DSS Level 1 service provider. Before this leaves our servers, the back-up is encrypted, transmitted over a secure connection and remains encrypted whilst it is outside our network. Both facilities are based entirely in the UK. Please note that individual data, records or documents cannot be extracted from this back up.
Upon closure of an account, we archive customer data for a further 30 days before deleting all data rendering it non-recoverable. Prior to this archive, we can assist in data extraction. Following the archive period, account data then resides in the disaster recovery back up for a further 30 days, as mentioned above.
How is customer data classified, handled and stored?
All customer data is treated as confidential when it is received or viewed. Access to this information is restricted to a limited number of personnel on a “need to know” basis, and who are subject to an internal confidentiality agreement.
Our default position is that no-one accesses any identifiable customer data for any reason. However, to allow us to properly diagnose problems and fix bugs, we may occasionally require access to customer data, following a well-defined and permission-focussed process.
All database access is logged and checked regularly by our IT Director. Once issues are resolved, all copies of data are securely destroyed from our development environment and servers, and any paper records shredded. From initial customer data access requests through to the final destruction of retreived data, the whole process is audited and checked regularly by the IT Director.
Hard copy information is disposed of via a fully accredited third party data destruction company.
A full statement about this can be found in our Customer Data Access Policy.
Every Toolkit system features a hub called the Security Centre; providing system Controllers with oversight of and tools to manage their own security.
This includes a Password Builder which allows the Controller to specify the components that make up their passwords, such as minimum length and character type.
More information about the Security Centre can be found here.
Service & Support
Myhrtoolkit comprises a team of professionals who are dedicated to making myhrtoolkit both highly secure and extremely reliable. We are committed to ensuring that when a problem does arise we are responsive and quick to resolve it. At the hardware level, the Rackspace SLA guarantees 100% network uptime and a 1 hour replacement for any hardware failure upon diagnosis. When you do need support, you can find a fully integrated help section within myhrtoolkit. Here you can find a guide to using myhrtoolkit as well a form to send a direct message to the myhrtoolkit Support team. Additionally there are a wide range of support documents and videos on the support areas of our website at https://www.myhrtoolkit.com/support/.
Alternatively, support is available by email from a member of the team within myhrtoolkit business hours: 09:00 – 17:00 Monday to Friday (UK Time).
Myhrtoolkit is compliant with the Data Protection Act (1998).
There is a Resource Centre for the forthcoming General Data Protection Regulations legislation here.
last updated on : 3rd May, 2018 @ 13:20