Security and compliance
Last updated: November 2023
Everyone at CoverageBook is committed to maintaining the best possible service for our customers. Whether it is protecting your data, or ensuring our service stays fast, reliable and secure, we work hard to provide the best service possible.
This guide is designed as an accompanying document to our DPA above. We get asked to complete security questionnaires for compliance and vendor onboarding, so we’ve collected some of the most common compliance questions here for you (we’ll keep this page updated periodically).
We hope this guide will help with all the information you need.
Unfortunately we can’t complete individual compliance questionnaires, but hope that this information will help your IT security teams carry out an assessment of CoverageBook. We are of course happy to help with any questions, and if you are looking for custom onboarding and compliance, please get in touch to ask about our Enterprise options.
Castle Square House
9 Castle Square
Find us at Companies House.
Who is responsible for maintaining and issuing security policies?
Andy Croll (CTO) and David Whitner (Head of Support)
Who is your data protection officer (DPO)?
Gary Preston (CEO and founder)
How to contact us
Email [email protected] for all enquiries and we’ll usually reply within one business day. Unfortunately we can’t offer telephone support.
Can CoverageBook sign a non-disclosure agreement or an individual contract?
With many customers worldwide, we offer a single, standardised terms of service agreement which we hope will meet the majority of our customers’ expectations. Unfortunately we cannot enter into bespoke contracts or sign additional NDAs. However, we are committed to protecting your data and privacy and have all the information on this in our DPA.
Can CoverageBook share any of its policies and documentation?
All our policies are internal-only documents which we store in our project management platform. All relevant documentation and policies are available to all staff, but we cannot share them with anyone outside our organisation.
Does CoverageBook manage any on-premises data centres, servers or other physical infrastructure?
CoverageBook doesn’t own any physical hardware such as servers. We’re fully digital (no filing cabinets full of paperwork!) and all our data is hosted and managed by trusted, industry-leading cloud providers such as AWS, Crunchy Bridge and Heroku. We also don’t store or process any of your payment information locally; this is all managed through Stripe, who are PCI DSS compliant.
Can you describe your physical security procedures, alarm systems and equipment maintenance?
CoverageBook’s office in Brighton is secure (accessed via keycard and physical key), and maintenance is managed by our building’s facilitator. We don’t keep any sensitive or personal data (including any locally stored data) on the premises.
Any visitors or contractors attend by prior appointment and do not have access to any sensitive information.
Does CoverageBook hold any compliance accreditations like ISO, SOC2 or HIPAA?
For more information on our cloud services’ own compliance and security measures, you can view those here:
Where do you host CoverageBook? Do you use cloud providers, or manage your own on-premises infrastructure?
CoverageBook uses redundant cloud-based providers (including Amazon AWS, Heroku and Crunchy Bridge). We have full details of sub-processors in our DPA.
Does CoverageBook have a documented security policy? How often do you update your policies?
Our main Information Security policy is reviewed yearly, or sooner whenever there’s a need to update it. We also carry out continuous security scans and periodic reviews of our systems and processes. The last annual penetration test was carried out in April 2023 by Glitch Secure, who also perform monthly penetration tests for us.
Are all security policies and standards readily available to all users?
Yes, we store all our policies in our project management platform which is available to all staff.
Have you met the formal and organisational requirements to make an information security response?
Yes, we cover this in more detail in Appendix 3 of our DPA.
Incident Response policy
After an incident, are policies and procedures reviewed to determine if modifications need to be made?
We have a documented process for investigating incidents (through to resolution) and all relevant staff are aware of this process. Throughout an incident we record and communicate in our Emergency and Operations channels, and we carry out a post-incident debrief which is documented, discussed, and further action taken where necessary.
We also run a 24-hour on-call rota and have a monitoring service in place which will contact one of our on-call developers in the event of an emergency outside office hours.
How quickly do you act on and solve any findings after an incident?
We’ll prioritise and take action to remedy any incidents in a timely manner. In the event of a serious incident we have emergency procedures in place, including the ability to revert to backup fail-safes via our cloud providers. Any other non-urgent issues or areas we identify for remediation are dealt with through our regular bug and incident management processes.
Do you provide specific training to developers and incident response team members?
We have a documented process and all relevant staff are aware of it. We also review and discuss our processes regularly, and after any incident, to ensure we’re acting appropriately.
Does your Organisation have documented business continuity and disaster recovery management?
We have an incident management policy and our cloud providers have backup fail-safes in place for recovery in the event of a serious incident.
Are incident recovery plans stored in such a way that they are accessible when needed?
Our internal processes are accessible through our project management platform. Further guidance on recovery is available through our cloud service providers who provide backup fail-safes for us.
Does your Organisation regularly test recovery plans for effectiveness, and review them to determine if modifications need to be made?
Our cloud providers manage this on our behalf.
Does your Organisation have a formal security change management policy?
All code is peer reviewed for security, and we have annual security reviews conducted by an external provider, and monthly automated security/penetration scans. We also carry out automated security checks on our codebase and when adding updates to our staging and production databases. We have a QA testing and release cycle that enables us to quickly release updates and fixes where necessary, with the ability to revert a release immediately if required.
Does CoverageBook issue any personal equipment to staff, and how are your assets managed?
Every team member is issued with a laptop and, for some, a work-issued mobile phone. All staff are aware of our security policy and best practices for keeping their equipment safe and secure. Access to systems and data is role-based: only approved staff are given access to the areas they need to perform their role. Any system we use that contains personal, sensitive or critical data is protected by mandatory 2FA sign-on (at the required level of access).
Equipment such as laptops and phones that may be used to access data can be remotely wiped and disabled. Our CEO and CTO administer system access levels and permissions for the team.
When required, access can be immediately revoked to any of our systems.
How does CoverageBook verify the skills and level of training of your technical team members?
We have a comprehensive hiring process to ensure our technical team has the relevant skills and ability (including a practical assessment where relevant). We promote and encourage personal development through internal and external training and mentoring.
We also have a code review process, where all code is peer reviewed and any new updates require approval before reaching our testing environment, where we carry out thorough QA and research prior to release.
Do you conduct formal information security awareness training for all users, including upper management?
Our CEO, Gary, is our DPO. We don’t carry out formal training sessions, but all staff are aware of their security responsibilities (including GDPR). We communicate any updates that our team needs to be aware of in regular team meetings and publish them on our project management platform.
Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated employees and contractors?
Our contracts contain clauses for both data protection and confidentiality (including company property such as laptops and any issued mobile phones).
We also have a set disciplinary procedure in place for all employees.
Are all employees required to sign a confidentiality agreement?
Yes, our standard contracts of employment contain a confidentiality clause.
Describe the screening process for all users (employees, contractors, vendors, and other third-parties)?
Do you require additional training for system administrators, developers, and other users with privileged usage?
We use role-based access to ensure our team only has access to the systems they require to perform their role (and at the correct access level). We have the ability to revoke or update team permissions as required.
Are technical employees and contractors informed on data privacy regulations and required to attend data privacy training?
We don't provide formal training, but all our team are aware of their responsibilities (including GDPR), and we have a policy in place to ensure we handle subject access requests and data deletions within the set timeframes. Any updates or changes are communicated in our regular team meetings and published on our project management platform.
From time to time we may work with external contractors who are not given access to any of our critical systems or data (we have separate staging and testing environments we can use). They are required to sign confidentiality agreements.
Is CoverageBook compliant with EU-GDPR/EU-DSGVO?
We are GDPR compliant. We use sub-processors to ensure our customers' data is kept secure. Stripe is our payment processor and is PCI-DSS compliant.
Our cloud providers manage:
The hardening, provisioning, configuration, administration and maintenance of networking devices.
Product lifecycles and end-of-life dates are factored into change planning and capacity management.
Active network components are included in patch management.
Is your network segmented to isolate the used service from services used by other customers?
Our cloud providers isolate our network from other users, but at CoverageBook we don't keep separate databases or file stores for each customer.
Our cloud service providers manage:
All aspects of server maintenance, setup, security and configuration.
Patch management for operating systems, services and firmware.
Implementing only one primary function per server to prevent functions that require different security levels from coexisting on the same server.
Enabling only necessary services, protocols, daemons etc., as required for the function of the system.
Implementing additional security features for any required services, protocols or daemons that are considered to be insecure.
Configuring system security parameters to prevent misuse.
Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Are policies and procedures in place regarding the design, architecture, development, deployment and testing of software?
We have separate staging and testing environments. Updates go through a secondary review and approval process with automated security checks in place. They then go through our QA testing process, which is documented and reviewed. We deploy on a regular cycle, with the ability to roll back a deploy if required.
Do you adopt OWASP’s Top 10 Security Best Practices?
OWASP recommendations are all managed and incorporated into our automated security testing and penetration tests.
Can end users sign into CoverageBook using Multi Factor Authentication/SSO?
Yes, we support social sign-in using Google and Microsoft. For customers accessing their account using a password, we apply OWASP’s recommended password complexity (a minimum of 12 characters with at least one capital letter and one number).
Do you have an automated login timeout and session limits for end users?
Yes. We will automatically sign out a user after 4 hours of inactivity. We also only allow one user to be signed in at a time (we provide built-in team logins on all our plans to ensure everyone can log in separately).
Does your Organisation follow a secure software development lifecycle?
We carry out thorough research, including user testing and reviews, and product design and planning phases for new features and updates to our product.
Is your Software regularly tested against vulnerabilities?
We perform continuous application monitoring for threats, and we carry out monthly and annual penetration tests (provided by Glitch Secure). Alongside this, we continually carry out internal QA of CoverageBook (automated and manual).
If a bug is identified, are you able to fix it quickly?
Yes, any identified bugs or vulnerabilities are investigated and resolved in a timely manner. We also have a 24-hour on-call rota for our technical staff to respond to and investigate any highlighted issues (we employ continuous application monitoring).
Do you offer a bug bounty program?
No, CoverageBook doesn’t offer a bug bounty program at this time.
Do you make SSO/2FA mandatory for access to your admin interfaces?
We have an admin interface that requires 2FA, and only relevant staff have access to this system to perform their role (e.g. customer support).
Multi-factor authentication is enabled automatically, and is mandatory for all team members who access any systems containing application, sensitive or personal data.
Do you have audit logging and monitoring in place?
We use security screening software (Cloudflare) to monitor for any potential threats or unusual activity, with automated rules to block or restrict access. We also utilise other continuous application monitoring and logging internally.
Do you have the ability to block access, or rate limit user logins?
Yes, our security screening systems will automatically disable access on detecting potentially malicious activity, and we limit the number of logins (both for repeated failed attempts and for the number of sign-ins over a set time period).
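As an added illustration of the two login limits described above (this is example code written for this page, not CoverageBook's own implementation, and the thresholds, account and client names are assumed, since the page does not publish its actual limits), the following sliding-window limiter locks an account after repeated failed attempts and separately caps the number of sign-in attempts a single client may make in a time window:

```python
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class LoginLimiter:
    """Sliding-window limiter for a login endpoint.

    Two independent limits are tracked:
      * failed attempts per account within `fail_window` seconds; once
        `max_failures` is reached the account is locked for `lockout` seconds
      * total sign-in attempts per client (e.g. source IP) within
        `attempt_window` seconds, capped at `max_attempts`
    All thresholds below are assumed values for illustration only.
    """
    max_failures: int = 5
    fail_window: float = 600.0
    lockout: float = 900.0
    max_attempts: int = 20
    attempt_window: float = 60.0
    _failures: dict = field(default_factory=dict)      # account -> deque[timestamp]
    _attempts: dict = field(default_factory=dict)      # client  -> deque[timestamp]
    _locked_until: dict = field(default_factory=dict)  # account -> unlock time

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def check(self, account, client, now=None):
        """Return (allowed, reason). Call before verifying the password."""
        now = time.time() if now is None else now
        if now < self._locked_until.get(account, 0.0):
            return False, "account_locked"
        q = self._attempts.setdefault(client, deque())
        self._prune(q, now, self.attempt_window)
        if len(q) >= self.max_attempts:
            return False, "client_rate_limited"
        q.append(now)
        return True, "ok"

    def record_failure(self, account, now=None):
        """Record a bad password; return True if this attempt locked the account."""
        now = time.time() if now is None else now
        q = self._failures.setdefault(account, deque())
        self._prune(q, now, self.fail_window)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        """A successful sign-in clears the account's failure history."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def replay(events, limiter=None):
    """Replay (timestamp, account, client, password_ok) events the way a login
    handler would and return the decision log."""
    lim = limiter or LoginLimiter()
    log = []
    for t, account, client, password_ok in events:
        allowed, reason = lim.check(account, client, now=t)
        if not allowed:
            log.append((t, account, reason))
            continue
        if password_ok:
            lim.record_success(account)
            log.append((t, account, "signed_in"))
        else:
            locked = lim.record_failure(account, now=t)
            log.append((t, account, "locked" if locked else "failed"))
    return log


# Constructed sample: five bad passwords for a hypothetical account, a correct
# password while still locked, and a correct password after the lockout expires.
SAMPLE_EVENTS = [(1000.0 + i, "alice", "10.0.0.1", False) for i in range(5)] + [
    (1005.0, "alice", "10.0.0.1", True),
    (1905.0, "alice", "10.0.0.1", True),
]

if __name__ == "__main__":
    for entry in replay(SAMPLE_EVENTS):
        print(entry)
```

The per-client cap is checked before the password is verified, so a flood of attempts from one source is refused without touching the credential store, while the per-account lockout protects an individual user regardless of how many sources the attempts come from.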
Does the service support customer facing exports of audit logs?
We do store some logging data, but only for internal purposes; we currently do not offer customer-facing audit logs for users on your CoverageBook account.
Are policies and procedures in place to safeguard the customer data at transit, while processing and at rest?
We use HTTPS and RSA to encrypt data in transit and at rest.
Is there data lifecycle management in place?
We keep your data saved and accessible for as long as you are an active customer. If your plan is cancelled for any reason your data will be deleted (please see our terms of service for more information).
Customers and users of our service can also request their data be deleted under GDPR.
Is all customer data cryptographically erased when it is no longer needed for business or legal reasons?
This is managed through our cloud service providers (Crunchy Bridge and Heroku).