Hosting Platform and GDPR compliance
Because Sinclair Design provides mission-critical business management applications to clients that rely on our systems to be running securely and continuously 24/7/365, our hosting platform is in a completely different league to the average website design firm's facilities - and then some!
Hosting and Server Environment
We operate three dedicated SoftRaid SSD servers, each housed in separate EU data-centres belonging to the top global hyper-scale cloud provider in Europe. Each of our various applications and services are ring-fenced into standalone Virtual Machine (VM) configurations in order to separate them in terms of security, performance, resilience and recovery. Each application is in turn replicated (copied and in-sync to the millisecond) across three VM nodes, each located on a different physical server for triple environmental redundancy.
System Monitoring Platform
Our state-of-the-art custom monitoring platform runs hundreds of performance probes every minute for each individual server, picking up any problems and issuing alerts accordingly. If a primary service is affected, all such services can be redirected to one of the other two servers.
Data Backup Procedures
Encrypted backup archives of all application and website deployments are made throughout the day and night. These are not designed for casual use following the accidental deletion of a data record, but are intended for restoring services following a natural or technical disaster.
As well as a secure production cluster of three VM nodes, we also operate an equally secure development cluster of three additional replicated VM nodes. Although all new system development work is carried out referencing large datasets of real information (to recreate a realistic data environment), all personal data is overwritten with randomised dummy data.
When coding our various business management applications, we work hard to specifically incorporate protection against known potential security vulnerabilities including: Cross Site Scripting (XSS); XML External Entities (XXE); Cross Site Request Forgery (CSRF); injection flaws; malicious file execution and a host of other such recognised issues.
With regards to the various ecommerce solutions offered, we base our products around well used and widely trusted open source engines such as Magento and WooCommerce. These two globally-used systems have over a million live instances between them, and are constantly updated to ensure that any potential vulnerabilities are fixed. Because we offer levels of hosting excellence and expertise way above the average ecommerce vendor, clients can rest assured that their online shop systems will be configured for optimal security, maximum resilience, and high availability.
Article 28(1) of the GDPR states:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Article 32(1) of the GDPR states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Until the new GDPR regulations are properly tested in court, and a sufficient body of Case Law is developed, there can be no meaningful legal definition of 'sufficient guarantees', 'appropriate technical and organisational measures' or 'appropriate to the risk' in the context of the above regulation. In the meantime, Sinclair Design offers all of the measures explained above to demonstrate that it takes the spirit of the GDPR seriously.