At Firefish, we combine enterprise-class security features with comprehensive annual audits of our applications, systems, and networks to ensure all customer data is fully protected. Our systems are built with a privacy-by-design approach and we deliver our service through a world-leading technology infrastructure.
We periodically update our Data Security and if you have an active Firefish subscription, we will let you know when we do via an email or in-app notification.
Last updated: February 2020
By partnering with Microsoft Azure, we’re able to provide our customers with an ultra-secure cloud-based solution for their recruitment teams. As much as ninety per cent of Fortune 500 businesses trust Microsoft Cloud globally, and the Azure platform is recognised as the most trusted cloud solution for governmental institutions internationally.
In terms of compliance, Azure also meets a broad set of international and industry-specific compliance standards such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2 as well as country-specific standards such as Australia IRAP, UK G-Cloud and Singapore MTCS. Rigorous third-party audits, such as commissioned by the British Standards Institute confirm Azure’s adherence to the strict security controls these standards mandate. Further information on Microsoft’s security overview can be found here.
For those customers choosing to utilise our white label VOIP and SMS messaging tools (Twillio), these were formerly EU Safe Harbour participants (and still maintain Safe Harbour compliance despite recent legal changes) and will enter into EU Data Protection agreements if necessary.
All Firefish physical hardware will be located within secure Microsoft data centres at two locations within Europe. Our primary data centre is located in Microsoft’s West European centre (Netherlands) with a secondary centre in Microsoft’s North Europe region (Ireland). Both of these facilities are secured by a series of measures including (but not limited to) biometric access, security alarm systems and round-the-clock security staff. Additional security information on Microsoft’s data centres can be found here.
At this time, all of our customer data is stored within the Microsoft Azure Platform. Customer live data along with all backups and replicas reside exclusively within the primary and secondary data centres within Europe. Firefish does not pass data to any other third party for processing except when explicitly requested by the client, for example through a 3rd party integration with time sheeting software or for the migration of data from one system to another.
Regarding the very small amounts of data stored on our physical premises, the Firefish offices have a controlled secure-entry system to the building and an additional security barrier into our own offices, which only authorised Firefish employees have access to. The building also has a fitted fire service alarm with instant call-out for three fire engines. Any internal operations data that we store in our shared folders are protected in our own internal comms room which can be accessed exclusively by four authorized key holders – CEO, CTO, Head of Finance and Head of HR.
Firefish Software uses encryption for two main purposes; data storage and data transfer. Firefish Software has procedures in place to ensure personal data is protected to safeguard against the unauthorised or unlawful processing of such data.
Laptops, desktop PCs and mobile devices issued by the company are all encrypted in addition to being configured to automatically lock after a short period of time, meaning the impact of the loss/theft of a machine is greatly reduced. In the event of loss or theft, users will report this immediately so all credentials which that user had access to can be changed.
There are 3 main areas in which data can reside:
1. In transit between the customer's machine and Firefish production servers. All traffic is encrypted using https: sha256RSA algorithm and 2048 Bit key.
2. Firefish has a tiered architecture of servers and the data can be in transit between internal servers. As this is a trusted virtual network, data is not encrypted.
3. At rest. Firefish stores data at rest within the Microsoft Azure infrastructure. Customer accounts created prior to July 2019 use unencrypted file share for documents such as CVs whilst all other data is stored on drives that encrypts the data as it is written to the media. For accounts created on or after July 2019 all data is stored on drives that encrypts the data as it is written to the media.
As our production network is provided by Microsoft Azure, it is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and network Intrusion Detection/Prevention technologies (IDS/IPS) which monitor and block malicious traffic and network attacks.
Access to the client data through our production system is only available via Remote Desktop for technical administration and HTTPS to the Firefish application. Remote desktop access to all of our servers is restricted to authorised individuals only and uses multi-factor authentication to ensure the highest level of security is maintained. Authorised users log into our system with their username and password and must also verify their attempt to access each individual server via a registered mobile device. Any attempt to login immediately alerts the mobile device and a fraudulent attempt can be stopped and reported to administrators. Only authorised Firefish technical staff have had mobile devices registered and been provided access to the underlying machines through this process.
Access to our on-premise network (non-production) is via physical, wireless or remote access. Physical access is protected by physical security described above, wireless connection is over a WPA2 authenticated Wi-Fi and remote connections are via a TLS VPN connection. In addition to the requirements to connect to the network, all network resources are protected by a username and password combination to access data. Only Firefish employees and our IT partner PCR IT have credentials for access to on-premise data.
We employ many different layers of security to keep your data safe. These security policies and processes follow industry best practices wherever possible and are periodically reviewed for conformance and compliance.
Some highlights include:
Through the course of our ongoing business operations and providing our service to customers, we may enlist third-party software or software-as-a-service suppliers (i.e video conferencing, issue tracking,accounting or other line-of-business applications) in order to meet our business obligations.
Some of these suppliers may be located outside of the EU and as such are outside the direct jurisdiction of the GDPR. Where this is the case, we both adopt our own standard internal data protection measures and ensure that an equivalent level of Data Protection to GDPR (or potentially better) is in place for the providers we use and that they explicitly comply with GDPR regulatory requirements, either directly in their contractual agreements or by adopting data protection standards such as the EU-U.S. Privacy Shield Framework (See here for detailshttps://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en)
We have several different levels of application monitoring to ensure that services are being rendered according to acceptable performance standards.
We limit access to your data to employees that are required to support the use of our services. (Our customer support and technical support team). These employees have accepted our confidentiality agreement as part of their terms of employment and will have accepted our code of conduct which includes non-disclosure both during and post-employment when handling customer data.
Similarly prior to starting at Firefish, two references are obtained, one from their most recent employer and one from a previous employer. For those who come into contact with our customers’ personal data we also conduct a Disclosure Scotland criminal record check.
We also run a company focus day every six months, ongoing reviews of current processes, and allowances for continuous improvement as business and/or client scenarios evolve.
Microsoft Azure has been certified under EU Data Protection Law and both the primary and secondary data centres operate fully within the European territory (full overview of Microsoft’s privacy policies can be found here).
All of our client databases are backed up using the following strategy:
In the rare event of a data or software issue, loss of data from the database is therefore minimised to 30 minutes max. These backups are stored in such a way that they can provide a full backup for the previous 28 to 35 days dependant on the date the original data was backed up.
The entire file system is also protected by “Geo-redundant storage”. This means that the file system is continuously backed up automatically by Microsoft Azure to multiple data centres within Europe and any transient data corruption is automatically fixed by the Azure framework.
Our primary data centre is Microsoft’s West Europe Data Centre (Amsterdam) and is mirrored with a secondary site at Microsoft’s North Europe Data Centre (Dublin). Three copies of the data are stored at each of the data centres at all times, meaning a minimum of six copies of all data will exist for the full 28-day period.
For the two-way exchange of your data, either at the start or end of your contract, we provide a secure location for you to upload/download the data via a secure HTTPS/ SMB 3.0 Connection.
When you provide source data to Firefish to be imported into your system, we will retain the data after the import has been completed for 5 working days in the case of a standard bulk upload and 40 working days for data migrations.
For exports from Firefish, the data is removed 5 working days from the date of export.
In terms of the Firefish system, a failure requiring disaster recovery can stem from one of four causes:
If any of the above scenarios were to occur, service may be interrupted or unavailable while we resolve the fault. However, any affected clients will be notified by a member of the Happiness team when a problem is encountered and an alert will be provided via our announcements page.
The Incident Manager will then provide any work-around available (if applicable) and an estimate of the duration to resolve/final notification when the issue has been resolved. As Firefish also operates an environment open to continuous improvements, a full team review and any improvements to our processes would also be provided to the customer.