Pabau data is always backed up daily. Backups are redundantly stored in multiple physical locations.
Accreditations and Certifications
We choose our partners carefully. Our hosting partner has achieved the following accreditations and certifications:
- PCI DSS Level 1
- ISO 27001 (Information Security Management System)
We ourselves are ISO 9001 accredited and registered with the ICO.
Our design provides the ability to rapidly restore all Pabau services should a catastrophic loss occur. To ensure availability of our systems should we encounter a serious problem at our primary data center, we engineered a disaster recovery (DR) plan that we test regularly. We perform real-time file replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center. Disaster recovery tests verify our projected recovery times and the integrity of customer data.
The Pabau networks are monitored to protect our perimeter against potential threats. Possible threats include hackers, data breaches, adware, spyware, pop-ups, browser exploits and phishing attempts. All secure servers are protected by layer 7 firewalls, best-of-class router technology, TLS encryption, file integrity monitoring and network intrusion detection that identifies malicious traffic and network attacks. Network security scanning helps us quickly identify out-of-compliance systems. All networks are monitored using a Security Incident Event Management (SIEM) system that gathers logs from all network systems and creates alert triggers based on correlated events. In addition to our own capabilities, and those of our hosting providers, we contract with on-demand Distributed Denial of Service (DDoS) scrubbing providers that allow us to mitigate DDoS attacks. Intrusion detection sensors throughout our internal network report events to the SIEM system for logging, alerts and reports. Our database and file attachments are encrypted at rest, using the industry standard AES-256 encryption algorithm.
Incident and Breach Notification
Content regarding Pabau's lines of defense is well documented and made available to our clients upon request. Pabau maintains runbooks with over 500 procedures on how to respond to system alerts and events, including security events. A Crisis Communications Plan is maintained companywide that includes instructions on how to notify customers should a large-scale event occur. Any confirmed unauthorized access resulting in compromised data launches an Incident Response Team that follows a defined and audited notification process.
We use datacenter facilities that are built in clusters in various locations. In case of failure, automated processes move customer data traffic away from the affected area and into other sites. We are very open about our uptime; you can see all the details on our System Status page.
We are GDPR compliant. Some points from our side include:
- Database encryption at storage level.
- Having breach policies in place.
- Ability to audit specific circumstances, such as a patient record being accessed.
- Permissions surrounding user groups and what they can access on a client card.
- Hosted within the EU.
- Ability to pull out a record in its entirety if a patient requests it.
- Date and audit stamps for most activity.