Any company must treat data security as a top priority - and this is exactly what we do at Enable. Our customers trust us to keep their data safe and we take extensive measures to do so. This is reflected throughout our business from the training that we give our engineers to our IT infrastructure and the technologies that we use. This article answers the most common questions regarding our security policies, so you can use our product with confidence. Download a full copy of our Information Security Statement here.
Do you encrypt your traffic?
Yes, all traffic in our system is sent over HTTPS using TLS 1.2, the industry standard for transport security.
Do you insist on strong passwords?
Yes, our system requires passwords of at least ten characters, and each password is checked against a list of approximately 100,000 common passwords, none of which are permitted. Our password policy is in line with the guidelines of the United States National Institute of Standards and Technology.
How do you store passwords?
Passwords are salted and hashed with a one-way hashing algorithm before they are stored in our database. Passwords are never stored in plaintext or sent by email.
How do you handle login?
After five consecutive invalid login attempts, an account is locked for a short period of time to prevent brute force attacks.
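The password controls described in the three answers above (a ten-character minimum checked against a common-password blocklist, salted one-way hashing before storage, and a temporary lockout after five consecutive failed logins) as an added illustration; this is example code, not Enable's own implementation. The blocklist is a constructed four-entry stand-in for the real list, and the PBKDF2 iteration count and five-minute lockout are assumptions.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 10          # ten-character minimum, as stated in the policy
MAX_FAILED_ATTEMPTS = 5  # lock after five consecutive invalid attempts
LOCKOUT_SECONDS = 300    # "short period" is not specified; five minutes assumed
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the one-way hash

# Constructed stand-in for the ~100,000-entry common-password list.
COMMON_PASSWORDS = {"password123", "qwertyuiop", "1234567890", "letmein1234"}


def validate_password(password):
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "commonly used"
    return None  # no composition rules: length plus blocklist, per NIST guidance


def hash_password(password, salt=None):
    """Salt and hash with a one-way KDF; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """Stores only salt and digest, never the plaintext password."""

    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failed = 0          # consecutive failures since last success
        self.locked_until = 0.0  # epoch time at which the lock expires

    def login(self, password, now=None):
        """Return 'ok', 'invalid' or 'locked'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        _, digest = hash_password(password, self.salt)
        if hmac.compare_digest(digest, self.digest):  # constant-time comparison
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.failed = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```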
Do you support multi-factor authentication?
Yes, multi-factor authentication is available for Enable user accounts. When activated, the user must provide the correct password and also enter an authentication code, which is sent to them by email or SMS message or generated by an authenticator app. All employees of Enable are required to use multi-factor authentication and to update their passwords regularly.
Where are your applications hosted?
Our applications are hosted in Azure, the cloud hosting platform offered by Microsoft. By hosting with Azure, we are leveraging industry-leading infrastructure which is secure and reliable.
How granular are the permissions within the Enable product?
Permissions within our system are configurable and work on the principle of least privilege: a user is only granted the access that they need. If there is no reason for a user to have a particular permission, they will not be granted it.
How do you back up data, and for how long?
Data on our system is backed up daily, and an offline copy is made to ensure resilience. Enable retains daily backups for 7 days, weekly backups for a month and monthly backups for 6 months. Additionally, the SQL databases in our system have snapshots taken every 15 minutes, which are kept on Azure for 7 days.
Does your team have documented information security procedures?
Yes, our information security procedures are clearly set out in our compliance documentation and all staff are required to be familiar with them.
Do you have documented disaster recovery plans? Are they tested?
Yes, Enable has full disaster recovery plans for multiple types of scenarios, which are regularly reviewed and tested by our IT Team to make sure they are fit for purpose. These recovery plans are based on the requirement for rapid recovery of services to our customers in any disaster situation.
Do you carry out penetration tests on your system?
Yes, in the past Enable has engaged a highly respected third-party security provider to carry out penetration testing of our software solution. This involved an expert third party using ‘ethical hacking’ techniques and tools commonly used in malicious attacks to attempt to breach our security defences, so that any vulnerabilities were brought to our attention and could be rectified. We also carry out our own internal penetration tests regularly.
What security training do you require for your software engineers?
All our engineers have regular training in information security. They have dedicated time on general security practices and how to guard against common web application attacks. They are also trained on the OWASP Top Ten - an independently compiled list of the most critical security risks for web applications.
Do you have a cyber incident response policy?
Yes, Enable has internal policies for the management of cyber incidents, aligned with guidance from the UK Information Commissioner’s Office and supplemented by industry-standard recommendations such as those of the United States National Institute of Standards and Technology. Additionally, Enable has a trained team in place to carry out any required actions.
Are you ISO 9001 and ISO 27001 certified?
Yes, Enable is regularly audited and complies with ISO 9001 (Quality Management) and ISO 27001 (Information Security). We have a dedicated Compliance team to ensure that this level of good practice is always followed.
Do you have SOC audit reports?
Yes, Enable has SOC 1 Type I & II and SOC 2 Type I & II reports under SSAE-18. These reports are produced by the accredited and recognized US auditing firm Kirkpatrick Price. Annual audits are conducted to ensure continued adherence.
Are you GDPR compliant?
Yes, we ensure that our software and processes are fully compliant with the General Data Protection Regulation (GDPR). We are registered as a Data Controller with the Information Commissioner’s Office in the United Kingdom.
Do you have a quality assurance process you follow prior to releasing new features?
Yes, when new features are built in our product, we automatically assign planning and testing time. This allows us to make sure all changes to our product are carefully considered and tested to ensure they meet the high standards of quality that Enable prides itself upon.
What level of application support do you provide for your customers?
As soon as you join Enable, you have access to our Support Hub. This gives you access to our team of product experts, along with our engineering team, to answer any product queries you may have.
Do you have an SLA?
We have an agreed level of service to our customers - the details of this can be found in the Support offering section.
How quickly do you aim to resolve issues in the software?
We have defined severity categories for issues with the software, and for each category a response time target which we aim to meet or beat. We always aim to resolve critical problems within the application within four hours.