Last updated: 18th July 2016
From time to time, companies ask us security questions about Sheep. In general, we don’t like to expose much information about our security practices, because it only helps the very people we’re securing ourselves against. But we realise security is important to you, so we’ve decided to post answers to the questions we feel are most important for our customers to know.
Where do you host Sheep?
Sheep is hosted on Amazon Web Services (AWS). AWS use industry-leading security systems and are trusted by brands including UCAS, Vodafone, Expedia and Siemens – as well as Amazon itself.
Amazon Web Services is:
- a PCI DSS Level 1 Service Provider
- ISO 27001 certified
- independently verified and audited
- SAS 70 Type II and SSAE 16 audited
Is our data safe and secure?
- Yes. We have appropriate physical, technical and organisational security measures to ensure your data is kept safe and secure.
- All information is transferred securely over HTTPS (TLS) with 256-bit encryption, just like online banking applications.
- Croftsware (our company) is a registered data controller and all data is stored in the EU.
- We manage our database using real-time replication. That means that whenever you make a change we save it in at least three different places. Like a jumbo jet that loses an engine but keeps flying, we can lose two databases and still keep running. We also take a backup of the database every hour.
- We do everything required by law or regulation but we consider that the baseline. We continually evaluate whether we can and should do more.
- We do not sell the personal information of our customers to third parties.
Application Level Security
- Sheep account passwords are hashed. Our own staff can’t even view them. If you lose your password, it can’t be retrieved—it must be reset.
- All login pages (from our website and mobile website) pass data via HTTPS.
- The entire Sheep application is encrypted with HTTPS.
- No payment information (credit cards or bank details) is stored within Sheep.
Internal IT Security
- Our office network has extremely limited exposure to Microsoft Windows. And that’s all we have to say about that.
- All employees sign a Non-Disclosure (Privacy) Agreement outlining their responsibility for protecting customer data.
- Access to encryption keys is held by the smallest number of employees possible.
What are my responsibilities?
We can secure ourselves, but you have a responsibility to ensure that your own computers are also secure. If your computer or Sheep account gets compromised, that is bad for us too. If you believe your account may have been compromised, please change your password immediately and notify us at email@example.com.
- You must choose a strong password that is unique to Sheep and not re-use an existing password.
- You must never tell anyone your password. Sheep employees will never ask for your password.
- You should change your password at least every 90 days.
- We recommend using a secure password manager such as LastPass or 1Password. These help you easily create and remember strong, unique passwords.
- Don’t send any confidential data to us by email, especially data to be imported or account credentials. (Contact us and we will advise on secure sharing.)
How do I report a vulnerability?
If you’ve discovered a vulnerability in the Sheep application, please don’t share it publicly. Please contact us at firstname.lastname@example.org and we will respond with our thanks and a secure form to send us the details.