This document provides answers to the questions we're most often asked. We hope you'll find the answer to your question here, but if not, or if you require any further information, please contact us at [email protected]. We'll be more than happy to provide you with further details.
TABLE OF CONTENTS
- Introduction
- Legal and compliance
  - Does Equinox hold the ISO 27001 certification?
  - Is Equinox PCI DSS compliant?
  - Is Equinox GDPR compliant?
  - Where is Equinox data stored?
  - Is Equinox Cyber Essentials Plus certified?
  - Are backups of the system taken?
  - What is Equinox's data retention policy?
  - Does Equinox have a disaster recovery procedure?
  - Do you have a dedicated security team or person in your organisation?
  - Does Equinox have a data protection officer?
  - Who can I contact about information security concerns?
- Vulnerabilities and patching
- Operational security
- Equinox
- Other questions
Legal and compliance
Does Equinox hold the ISO 27001 certification?
We’re currently working towards ISO 27001 certification.
Is Equinox PCI DSS compliant?
No. We don't process transactions or store credit card information.
Is Equinox GDPR compliant?
Yes. Equinox is fully GDPR compliant. Users are entitled to the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to data portability
- The right to object
Where is Equinox data stored?
For UK and EU clients, data (including backups) is stored in UK or EU data centres. For clients across the rest of the world, Equinox data is typically stored as geographically close to you as possible.
Is Equinox Cyber Essentials Plus certified?
We’re currently working towards ISO 27001 certification and are aiming to undertake the Stage 2 audit with the British Assessment Bureau.
Are backups of the system taken?
Yes. Regular backups are taken of both Equinox and any documents that you might upload. Multiple backups are taken and held in different geographic locations. Backups are encrypted both in transit and at rest.
What is Equinox's data retention policy?
Your database (i.e., all details that you enter into the system, except documents that you upload) is backed up hourly for 5 days, then daily for 30 days. Documents that you upload to Equinox are backed up every 4 hours for 5 days, then daily for 30 days.
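The two schedules above (hourly or 4-hourly backups for 5 days, then daily for 30 days) are a two-tier retention policy. The following Python is an added example, not Equinox code: it implements a pruning routine that decides which backup timestamps to keep under such a policy, using a constructed set of backup times. The interpretation that the fine-grained tier keeps the newest backup per slot and the coarse tier keeps the newest per calendar day is an assumption about how the page's schedule is applied.

```python
from datetime import datetime, timedelta

# Retention schedules quoted on the page. The split into a fine-grained tier
# (one backup kept per slot) and a daily tier is this example's assumption.
DATABASE_POLICY = {
    "fine_interval": timedelta(hours=1),   # database: hourly for 5 days ...
    "fine_window": timedelta(days=5),
    "coarse_window": timedelta(days=30),   # ... then daily for 30 days
}
DOCUMENT_POLICY = {
    "fine_interval": timedelta(hours=4),   # documents: every 4 hours for 5 days ...
    "fine_window": timedelta(days=5),
    "coarse_window": timedelta(days=30),   # ... then daily for 30 days
}

_EPOCH = datetime(1970, 1, 1)
SAMPLE_NOW = datetime(2024, 3, 31, 12, 0)   # constructed reference time


def prune_backups(backups, now, fine_interval, fine_window, coarse_window):
    """Split backup timestamps into (keep, drop), both newest-first.

    - age <= fine_window:   keep the newest backup in each fine_interval slot
    - age <= coarse_window: keep the newest backup of each calendar day
    - older than that:      drop
    """
    keep, drop, slots_seen = [], [], set()
    for ts in sorted(backups, reverse=True):      # newest first, so it wins its slot
        age = now - ts
        if age < timedelta(0):
            raise ValueError(f"backup timestamp {ts} is in the future")
        if age <= fine_window:
            slot = ("fine", (ts - _EPOCH) // fine_interval)   # slot index since epoch
        elif age <= coarse_window:
            slot = ("day", ts.date())
        else:
            drop.append(ts)
            continue
        if slot in slots_seen:
            drop.append(ts)
        else:
            slots_seen.add(slot)
            keep.append(ts)
    return keep, drop


def constructed_backup_set(now):
    """Constructed sample: hourly backups for 8 days plus two older stragglers."""
    hourly = [now - timedelta(hours=i) for i in range(8 * 24)]
    return hourly + [now - timedelta(days=20), now - timedelta(days=31)]


def summarise(policy, now=SAMPLE_NOW):
    """Apply a policy to the constructed set and report counts and age bounds."""
    keep, drop = prune_backups(constructed_backup_set(now), now, **policy)
    return {
        "keep": len(keep),
        "drop": len(drop),
        "oldest_kept_age_days": (now - min(keep)).days,
        "oldest_dropped_age_days": (now - min(drop)).days,
    }


if __name__ == "__main__":
    for name, policy in (("database", DATABASE_POLICY), ("documents", DOCUMENT_POLICY)):
        print(name, summarise(policy))
```

Iterating newest-first is what makes "newest per slot" fall out of a single pass; the future-timestamp check guards against a skewed clock silently promoting a backup into the wrong tier.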
Does Equinox have a disaster recovery procedure?
Yes. We test this at least every 12 months. More details can be provided upon request.
Do you have a dedicated security team or person in your organisation?
Security is a collaborative effort between our Operations and Development teams, with direct sponsorship from our Managing Director and Product Lead.
Does Equinox have a data protection officer?
Yes. Our named data protection officer is Sam Nicholson. Contact can be made via [email protected]
Who can I contact about information security concerns?
Please get in touch via [email protected]. Our Operations team will be happy to assist with any specific questions.
Vulnerabilities and patching
Does Equinox undertake penetration tests?
Yes. We employ a third party (Outpost24) to conduct daily penetration tests on both our systems and software. Our Development and Operations teams respond promptly to any findings, and any vulnerabilities found are then retested to confirm they have been dealt with.
How quickly are security vulnerabilities resolved?
We aim to resolve all critical vulnerabilities within 7 days and all other vulnerabilities as soon as possible, but within 30 days.
What is Equinox's approach to patching?
Our systems are regularly patched with recommended vendor updates. As with penetration-test findings, we aim to patch all critical/zero-day vulnerabilities within 7 days, and to release all other security updates as soon as possible, but within 30 days.
What is Equinox's approach to security?
The security of our systems and service is of paramount importance to us. From the early stages of development, through to deployment and production, our focus on security guides us at every stage. A combination of continual penetration testing, training, and staying abreast of the latest industry security recommendations allows us to maintain confidence in the security and robustness of our systems.
Operational security
Does Equinox use encryption?
Yes. All data residing within our SaaS platform is encrypted at rest and in transit using industry-standard algorithms. Connections to Equinox from an internet browser or the Microsoft Office plugin use TLS 1.2 over HTTPS.
How is access to systems by Equinox staff managed?
Only Equinox staff whose role requires direct access to Equinox systems and data are granted access. The level of access is also restricted based on the type of activity the role requires. Access is logged and auditable, and we have additional processes in place to audit the activity of staff accessing production systems.
Do you provide data- and cybersecurity training to staff?
Staff undergo data- and cybersecurity training as soon as they join Equinox. Our staff undertake a monthly training program, so they have up-to-date knowledge of a range of data- and cybersecurity topics.
Are systems monitored for unusual activity?
Yes. We monitor a range of metrics from both our underlying systems and the Equinox application itself. Logs and alerts on these metrics are sent directly to our Operations and Development teams. This means they are aware of any issues in real time and can take action promptly should the need arise.
Equinox
What technology does Equinox run on?
Equinox is primarily a PHP application and runs on a LAMP stack (Linux, Apache, MySQL and PHP). We use Linux to host Equinox, enabling us to offer you a secure and reliable service.
How is access to Equinox managed?
Equinox has a built-in multi-level role-based access system, allowing subscribers to grant their staff an appropriate level of access. Accounts lock by default after 8 failed login attempts. Our authentication and authorisation processes are thoroughly tested by our penetration testing programme.
Is it possible to set a password policy for users?
Subscribers with the correct roles can set a password policy specifically for their staff. Length and complexity can be customised.
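The two answers above describe a lockout threshold (8 failed attempts) and a subscriber-configurable length/complexity policy. The Python below is an added example written for this page, not Equinox's own implementation: it shows a per-account consecutive-failure counter that refuses locked accounts before the password is even checked, and a password-policy validator. The class names, the `PasswordPolicy` fields and the sample credential are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 8   # page: accounts lock after 8 failed attempts


@dataclass
class PasswordPolicy:
    """Hypothetical shape of a subscriber-configurable length/complexity policy."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def violations(self, password):
        """Return a list of human-readable rule violations (empty means compliant)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        checks = [
            (self.require_upper, r"[A-Z]", "no upper-case letter"),
            (self.require_lower, r"[a-z]", "no lower-case letter"),
            (self.require_digit, r"[0-9]", "no digit"),
            (self.require_symbol, r"[^A-Za-z0-9]", "no symbol"),
        ]
        for required, pattern, message in checks:
            if required and not re.search(pattern, password):
                problems.append(message)
        return problems


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per account and locks at the threshold."""
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def is_locked(self, username):
        return username in self.locked

    def record_failure(self, username):
        """Bump the counter; return True if the account is now (or already) locked."""
        if username in self.locked:
            return True
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.threshold:
            self.locked.add(username)
            return True
        return False

    def record_success(self, username):
        # A successful login resets the consecutive-failure counter.
        self.failures.pop(username, None)


def attempt_login(tracker, username, password, credentials_ok):
    """One login attempt. A locked account is refused before the password is
    checked, so a correct guess cannot slip through after lockout."""
    if tracker.is_locked(username):
        return "locked"
    if credentials_ok(username, password):
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username)
    return "locked" if tracker.is_locked(username) else "denied"


def demo():
    """Constructed scenario: 7 wrong guesses, then the right password succeeds
    and resets the counter; 8 further wrong guesses lock the account, after
    which even the right password is refused."""
    secret = {"alice": "Tr0ub4dor&3x!!"}   # constructed sample credential

    def credentials_ok(user, pw):
        return secret.get(user) == pw

    tracker = LockoutTracker()
    results = [attempt_login(tracker, "alice", "wrong", credentials_ok) for _ in range(7)]
    results.append(attempt_login(tracker, "alice", secret["alice"], credentials_ok))
    results += [attempt_login(tracker, "alice", "wrong", credentials_ok) for _ in range(8)]
    results.append(attempt_login(tracker, "alice", secret["alice"], credentials_ok))
    return results


if __name__ == "__main__":
    print(demo())
    print(PasswordPolicy().violations("short"))
```

The ordering in `attempt_login` is the point worth copying: checking lock state first means the lockout also bounds the number of password comparisons an attacker can cause, and the counter is reset only by a genuine success.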
Does Equinox support two-factor (2FA) or multi-factor authentication (MFA)?
Yes. Equinox natively supports both email and SMS two-factor authentication. As a subscriber, you're free to choose whichever you prefer. Additional options are available for subscribers with a single-tenant solution (your own dedicated environment), who choose to enable single-sign-on (SSO).
Does Equinox support Single Sign-On (SSO)?
Yes. Single-tenant subscribers can choose between Microsoft Active Directory Federation Services (AD FS) SSO or Azure SSO. This lets you set more advanced access policies, such as conditional access and/or MFA options.
Does Equinox keep log files?
Yes. Log files of system activity are kept solely to assist with troubleshooting and are typically retained for less than 1 month. The application itself keeps additional log files, again solely to assist with troubleshooting.
Other questions
Is Equinox protected against data centre outages?
Equinox uses Microsoft Azure to provide hosting services across a range of geographically separated data centres. The data centres used employ sophisticated protections against power outages, network outages, adverse weather and so on; in addition, we can move Equinox instances to another data centre in the event of a major outage or disaster scenario. Further information about Microsoft data centres can be found on their Service Trust Portal: https://servicetrust.microsoft.com