Security Policy
Ledgerscope Services Limited understands that the security of information it controls or processes is vital. We therefore ensure that all information we disseminate, produce, manage or store, is subject to best practice security and confidentiality procedures. We protect our data from internal, external, deliberate or accidental threats.
To pursue these goals we will:
Ensure that all information is treated with appropriate confidentiality
Maintain the integrity of all such information
Comply with all applicable statutory and regulatory requirements
Ensure that we have business continuity management procedures in place
Increase staff awareness of information security management through education and training
Perform penetration tests to prevent unauthorised access to our systems
Under this policy:
All breaches of information security, actual or suspected, will be reported to and investigated by our Technical Director
Information Security documents and training will be made available to all employees in our company
All managers will ensure that every staff member adheres to our policies and procedures
Security Infrastructure
Ledgerscope Services Limited provides state-of-the-art security to ensure that customer data is never compromised. Security measures include:
Experienced, professional engineers and security specialists dedicated to data and systems protection
Continuous deployment of proven, up-to-date security technologies
Ongoing evaluation of emerging security developments and threats
Redundancy throughout our online infrastructure
Our software is configured by experts and rigorously tested before going into production. By using Microsoft Azure hosting facilities (in Dublin and Amsterdam) we adhere to world-class security policies including proven, up-to-date firewall protection, intrusion detection systems, TLS encryption, physical and other security controls.
Data Encryption
We use the strongest encryption products to protect customer data and communications, using industry standard encryption algorithms and transport layer security.
User Authentication
User access to our services is only with a valid username and password combination, which is encrypted via transport layer security while in transmission. Users are prevented from choosing weak or obvious passwords. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals. User passwords are hashed before being stored, meaning that they cannot be read.
Application Security
Our robust application security model prevents one customer from accessing another's data. This security model is reapplied with every request and enforced across all servers for the entire duration of a user session.
Internal Systems Security
Inside of the perimeter firewalls, our systems are safeguarded by network address translation, port redirection, IP masquerading, and non-routable IP addressing.
Operating System Security
We enforce tight operating system-level security by having the minimal number of access points to all production servers. We protect all operating system accounts with strong passwords, and two-factor authentication. All operating systems are maintained at each vendor's recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes. Anti virus protection and malware detection are maintained and monitored from a central location.
Database Security
Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database. All database volumes are encrypted. All access to databases is authorised using certificate based authentication.
Data location
We use Microsoft datacentres in Dublin and Amsterdam compliant with data protection policies. Data is encrypted during transit (TLS 1.2) from Xero's servers in the US, and then stored encrypted (using 256-bit AES) to protect from unauthorised access. By storing 6 separate copies of all of your backups, in at least 2 different countries, we ensure that the data is protected against outages and disasters.
Employee Access
All data entered into our software by a customer is owned by that customer. Our employees do not have direct access to customer data except where necessary for customer support, system management, maintenance, monitoring, and backups.
Reliability and Backup
All networking components, NAT instances, Load Balancers, and Application Servers are deployed with high-availability and redundancy features. All customer data is stored on encrypted, fault tolerant volumes. All customer production database data is automatically backed up from to the last committed transaction, together with snapshots which are taken on a daily basis and stored in Azure with encryption and geo-replication features enabled. When hardware needs to be replaced, disk drives are shredded before behind disposed of.
Disaster Recovery
The Microsoft Azure hosting platform has safeguards in place for every type of disaster. The nature of our services means that customers will always have the security of their own, original copy of data as supplied to us for processing.