Data Governance

All communications with ESPEN servers are encrypted

All data is encrypted in transit between client application (whether it be an app or desktop / web) and our server infrastructure (hosted on Amazon AWS). We encrypt via TLS, a widely used protocol for ensuring the security of communications while in transit.

Data is encrypted at rest

Our database instances leverage “encryption at rest” which essentially means the data are encrypted at the server level and if the server were to be compromised for any reason the intruder would need a “key” to decrypt the contents. We use the industry standard AES-256 encryption algorithm to encrypt your data. Once your data are stored with Standard Data, authentication and decryption of your data transparently with a minimal impact on performance.

Audit trail

We keep a detailed log of access, updates, or deletes of data. We capture the user performing the action, the IP address, and the date / time of the action. All of this data is available within your account.

Access control

We carefully control who has access to all aspects of our system ranging from the physical servers (accessed via SSH) to our database (no direct access allowed) to our software (which has multiple layers of security).

Data ownership

All data collected are owned by ESPEN and will not be reused, sold, or presented without the express written permission of the client. Additionally, we offer a number of ways that countries can maintain ownership of their data while still using the ESPEN platform.

Systems regularly monitored, updated and patched

Our DevOps team has a series of low and high level monitors in place that keep us aware of system stability at all times. We have a monthly plan to review our servers to determine whether they need to be patched or not.

Data backup plans

Our system has automatic backups that are retained for 7 days.

Incident response plan

We have a detailed incident response plan that involves several core areas:

  • Intrusion detection - we constantly monitor our systems for abnormal behavior or inappropriate access to our underlying data systems.
  • Understanding when an incident occurs - if an intrusion or potential hack occurs, we start by understanding the nature of the issue or outage. Was any data stolen? What crashed the system? We compile the information in real time so we can diagnose the issue once normal business operations are resumed.
  • Alert clients / partners - if an issue has been identified, we work quickly to identify affected clients / partners and inform of them of the issue.
  • Resume normal business operations as quickly as possible - this may include stabilizing the system, rotating passwords, changing keys, or restoring from backup.
  • Document and diagnose the issue - once business operations have resumed we thoroughly document the issue internally and store in our own internal “error log” that keeps a running list of any outages, intrusions, or potential hacks.
  • Send final analysis to clients / partners - we prefer to keep our clients / partners as informed as possible. Once we have a thorough grasp on what happened, to whom, when it started, and when it ended we will distribute a final report.