Elementary’s Standards in Web Security
Elementary's commitment to Security
We acknowledge that absolute security is unattainable, and instead, we focus our efforts on implementing robust and adaptive strategies to mitigate potential risks and attacks. Our commitment to cybersecurity is unwavering. We adhere to the strictest industry standards and continually evolve our practices in response to emerging threats. Our emphasis is on proactive defence, keeping abreast of the latest advancements in security technologies and threats.
We believe in a layered approach to security that encompasses physical, technical, and administrative measures. This holistic strategy, combined with regular audits and updates, allows us to offer resilient defences and respond quickly should a breach occur. At Elementary, your security is our priority, and we work tirelessly to protect your digital assets and maintain your trust.
Data Protection Measures at Elementary
We take the responsibility of handling and protecting your data very seriously.
Encryption: All sensitive data, including personal information and financial details, is encrypted both at rest and during transmission. This means that even if a data breach occurs, the information will be unreadable to unauthorized individuals.
Data Minimisation: We collect only the essential data needed to provide our services. Limiting the amount of data we hold reduces the potential impact of a data breach.
Access Controls: Strict access control measures are in place to ensure that only authorized personnel have access to sensitive data. This reduces the risk of internal threats.
Regular Audits: We conduct regular audits of our systems and processes to identify any potential vulnerabilities or areas for improvement. This proactive approach allows us to stay ahead of new threats.
Data Backup and Recovery: We regularly back up all data and have robust recovery procedures in place. This means that in a data loss incident, we can restore data quickly with minimal disruption.
Data Breach Response Plan: In the unlikely event of a data breach, we have a detailed response plan. This includes notifying affected parties, investigating the breach, and preventing future breaches.
Compliance with Data Protection Regulations: We ensure our practices are in line with global data protection standards, such as the General Data Protection Regulation (GDPR).
Secure Infrastructure
Our digital assets are hosted on two reliable platforms – Amazon Web Services (AWS) and Afrihost, a leading web host in South Africa.
AWS is renowned for its commitment to security. It provides many built-in security features, including network firewalls built into Amazon VPC and web application firewall capabilities in AWS WAF that protect your website from web exploits. AWS also supports encryption at rest and in transit and provides advanced threat detection measures. AWS’s scalability, reliability, and robust security controls make it a great platform for hosting and protecting our digital services.
Afrihost, on the other hand, is known for its local expertise in South Africa. They offer robust server security, regular updates, and solid data protection policies. They also have excellent customer service, ensuring issues are addressed promptly and effectively.
By leveraging the security strengths of these two hosts, Elementary can offer you a robust, scalable, and secure platform. We continuously monitor and update our security measures in line with best practices and industry standards, ensuring that your data and digital presence remain secure.
Secure Software Development
To ensure our software remains robust against potential cyber threats, we adopt a Secure Software Development Life Cycle (SSDLC). This approach integrates security considerations into every stage of software development, from design and coding to testing and maintenance.
During the Design Phase, we incorporate threat modelling and risk assessments to identify potential vulnerabilities and define necessary security controls. This allows us to proactively consider and address security threats before writing any code.
In the Coding Phase, our developers follow secure coding practices to minimize the occurrence of security flaws. We regularly conduct code reviews and utilize static and dynamic analysis tools to catch and rectify any security-related errors in the code.
In the Testing Phase, we conduct comprehensive security tests, including penetration testing, vulnerability scanning, and security regression tests. These rigorous checks ensure our software is resistant to known attack vectors.
Finally, we monitor and respond to new threats and vulnerabilities during the Deployment and Maintenance Phase. Regular patch management and system updates ensure our software remains secure in an ever-evolving threat landscape.
Regulatory Compliance
Elementary is dedicated to maintaining compliance with all relevant cybersecurity and privacy regulations. While we do not hold ISO 27001 certification, we follow the processes outlined in this internationally recognised information security standard.
Data protection and privacy are our top priorities. We comply with global privacy legislation, including:
General Data Protection Regulation (GDPR): A European Union regulation that protects the privacy and personal data of EU citizens.
Protection of Personal Information Act (POPIA): A South African law that regulates the collection, processing, storage, and sharing of personal information.
California Consumer Privacy Act (CCPA): A state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Personal Information Protection and Electronic Documents Act (PIPEDA): The federal privacy law for private-sector organizations in Canada; it sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
Regarding payment security, Elementary does not directly handle cardholder data. Instead, we utilize Payment Card Industry (PCI) compliant gateways for all transactions. This means that the cardholder data is managed by service providers that adhere to the stringent security standards set by the PCI Security Standards Council, significantly reducing the risk of data breaches.
While we fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), we are dedicated to maintaining the confidentiality, integrity, and availability of any electronic protected health information (ePHI) we encounter while providing our services.
We are committed to continuously monitoring the regulatory landscape to ensure our compliance with new and updated regulations, delivering peace of mind to our clients that their data is handled with the utmost care and responsibility.
Secure User Access
We’ve implemented rigorous policies and protocols to ensure that only authorised individuals gain access to our systems and your data.
We apply the principle of least privilege (PoLP), meaning users are granted the minimum access levels necessary to perform their roles. This strategy minimizes the risk of accidental data exposure or intentional misuse of information.
Two-factor authentication (2FA) is a requirement for all users, adding an extra layer of security to the login process. This means that even if a password is compromised, unauthorized users won’t be able to gain access without the second verification factor.
We also enforce strong password policies, including minimum length, complexity requirements, and regular password changes. This reduces the risk of brute force or dictionary attacks being successful.
We monitor user activity continuously, allowing us to detect and respond to any suspicious behaviour quickly. Regular audits of user access rights ensure that only those who need access have it and that it is revoked when no longer needed, such as when an employee changes roles or leaves the company.
Security Updates and Patch Management
Our team monitors various sources, including official software release notes, security advisories, and specialized forums to stay informed about the latest vulnerabilities and available patches. As soon as an update or patch is released, our team tests it in a secure environment to ensure it doesn’t interfere with system functionality or stability.
Once tested, the patches are swiftly deployed across our systems, minimizing the window of opportunity for any potential exploits. This process is generally automated to ensure consistency and speed, but we also conduct manual checks to confirm the successful application of patches.
To make certain no vulnerabilities linger, we also conduct periodic audits of our systems to verify that all necessary patches have been applied and are functioning correctly.
Customer Education: Empowering Your Cybersecurity
While we dedicate ourselves to protecting our infrastructure and your data, we also aim to empower you with knowledge and tools to safeguard your digital presence.
- Cybersecurity Awareness: We provide resources that help you understand the landscape of digital threats, from phishing scams to malware attacks. Regular updates on emerging threats and best practices for online safety are shared to keep you informed.
- Safe Practices: We offer guidance on how to use our services safely and securely. This includes creating strong passwords, setting up two-factor authentication, recognizing and reporting suspicious activities, and understanding privacy settings.
- Data Privacy Education: We educate our customers about their data rights and how to manage their personal data effectively. This includes understanding our privacy policy, how we handle your data, and steps you can take to control your personal information.
- Support and Consultation: Our team is always ready to assist with any security-related concerns or inquiries. We’re here to guide you through any challenges and help you make the most of our security features.