The HelloCoach® CRM platform (back-end management system)
1. Infrastructure security
1.1. Network security
Our CRM service provider's network security and monitoring techniques provide multiple layers of protection and defense. They use firewalls to protect our network from unauthorized access and undesirable traffic. Their systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting our CRM service provider's production infrastructure.
In addition, they monitor firewall access on a strict, regular schedule. A network engineer reviews all changes made to the firewall every day. Additionally, these changes are reviewed every three months to update and revise the rules. The Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using a proprietary tool, and notifications are triggered whenever abnormal or suspicious activity occurs in the production environment.
1.2. DDoS prevention
Our CRM service providers use technologies from well-established and trustworthy service providers to prevent DDoS attacks on their servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our website, App and APIs highly available and performant.
1.3. Data security
1.3.1. Data isolation
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data in a series of Modules, with each contact having its own record. This ensures that no customer's service data becomes accessible to another customer.
The service data is stored on our CRM service providers' servers. As a customer, your data is owned by you, and not by HelloCoach®. We do not share this data with any third party without your consent.
1.3.2. Encryption in the ecosystem
In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers, including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access, use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting the data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure.
At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored on different servers with limited access.
2. Data retention and disposal
We hold the data in your account as long as you choose to use HelloCoach. If you terminate your HelloCoach User account, your data will get deleted from the active database during the next clean-up that occurs once every 3 months. The data deleted from the active database will be deleted from backups after 3 months.
A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
3. Administrative access
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords and passphrase-protected SSH keys.
4. Vulnerability management
Our CRM platform service providers have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, their security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.
Once they identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. They further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.
5. Malware and spam protection used by our CRM Platform service provider
They scan all user files using their automated scanning system that’s designed to stop malware from being spread through our ecosystem. Their custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns.
Incremental backups are run every day, and full backups are run weekly. All backed-up data is retained for a period of three months. If a customer requests data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.
6. Incident Management – Reporting
We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond with high priority to the security or privacy incidents you report to us through tech@hellocoach.co.uk. For general incidents, we will notify users through our forums and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the primary email address of the Organisation administrator registered with us).