Security - Overview
Curo provides a secure, robust, resilient and reliable software-as-a-service (SaaS) solution, hosted from our ISO 27001 certified, secure data centre locations and running on physical infrastructure that is wholly owned and managed by our own vetted staff.
Security - Detail
Curo is bound by the UK Data Protection Act (1998), which implements the EU Data Protection Directive, and by the equivalent US requirements under the Safe Harbor provisions. We are voluntarily registered with the Information Commissioner's Office (ICO) in the UK. We take security very seriously and have developed a comprehensive set of practices, technologies and policies to help ensure your data is secure. This page outlines some of the mechanisms and processes we have implemented to help ensure that your data is protected. Our security practices are grouped into four areas: Physical Security; Network Security; People Processes; and Redundancy & Business Continuity.
Physical Security
The data centres we use are ISO 27001 certified and are among the most secure facilities in the UK. Site locations are geographically separated and protected from physical and logical attack as well as from natural disaster.
- 7x24x365 Security. The data centres that host your data are staffed 24 hours a day, every day of the year.
- Video Monitoring. Each data centre is monitored 7x24x365 using High Definition CCTV with imagery retained for a minimum of 6 months.
- Controlled Entrance. Access to the data centres is tightly restricted to a small group of pre-authorised individuals.
- Two-Factor Authentication. Two forms of authentication must be used together at the same time to enter one of our data centres.
- Dedicated. All equipment is housed in dedicated, locked racks and solely used by Curo for the purpose of providing our compensation and benefits technology solution to you.
Network Security
Our network security team and infrastructure help protect your data against sophisticated electronic attacks. The following is a subset of our network security practices. They are intentionally stated in general terms so as not to expose your data to any unnecessary risk.
- Secure Communication. All data transmitted to Curo services is encrypted over HTTPS using TLS 1.2 with 256-bit or 128-bit keys, and our certificates are signed with SHA-256, so users have a secure connection from their browsers to our service. We use strong cipher suites: AES in CBC or GCM mode for encryption, HMAC-SHA1 for message authentication in the CBC suites (the GCM suites are authenticated by the mode itself), and ECDHE_RSA for key exchange, which provides forward secrecy. Known weak and vulnerable ciphers are explicitly disabled.
- IDS/IPS. Our network is gated and screened by industry standard Intrusion Detection and Intrusion Prevention Systems technologies.
- Control and Audit. All access is controlled and auditable, both to Curo networks and your data.
- Secured / Hardened. The CuroComp application runs inside a secured and hardened architecture environment engineered for security to help minimise vulnerabilities according to industry standard best practice.
- Virus Scanning. Traffic coming into Curo servers is automatically scanned for malware using virus-scanning engines whose signatures are updated daily.
- Penetration Testing. The CuroComp application is penetration tested, at least annually, by an independent, external supplier that is both CHECK and CREST certified. We are also happy to facilitate client commissioned testing as and when required.
- Infrastructure Vulnerability Assessment. We perform an automated infrastructure vulnerability assessment, conformant to the PCI DSS external scanning requirements, on a daily basis through a PCI Approved Scanning Vendor (ASV).
- Single Sign-on (SSO). We can leverage SAML 2.0 compliant authentication service(s) to provide seamless access to the CuroComp system for your employees.
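The Secure Communication bullet above describes a TLS profile (TLS 1.2, ECDHE_RSA key exchange, AES-GCM or AES-CBC, weak ciphers disabled) without showing how such a profile is expressed or checked. The following is an added example, not Curo's code: it encodes that profile as a Python ssl.SSLContext, puts a permissive context beside it, and audits every suite each context would offer. The cipher string uses OpenSSL's alias syntax, and the list of weak components is my own reading of "known weak and vulnerable ciphers"; both are assumptions, not taken from the page.

```python
"""Audit a TLS client profile against the stated policy (added example).

Assumptions: OpenSSL cipher-string syntax via Python's ssl module; the policy is
ECDHE_RSA key exchange plus AES only; WEAK_MARKERS is a constructed list.
"""
import ssl

# OpenSSL cipher string for the stated profile: ECDHE_RSA key exchange, AES-GCM
# preferred over AES-CBC (HMAC-SHA1), with anonymous/export/RC4/DES/MD5 suites off.
STRONG_CIPHER_STRING = (
    "ECDHE+aRSA+AESGCM:ECDHE+aRSA+AES"
    ":!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!3DES:!DES"
)

# Name fragments that mark a suite as known-weak (constructed for this example).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH", "IDEA", "SEED")


def violations(suite: str) -> list:
    """Return the ways an OpenSSL suite name departs from the stated profile.

    An empty list means the suite is acceptable under the policy.
    """
    name = suite.upper()
    if name.startswith(("TLS_", "AEAD-")):
        # TLS 1.3 suites (OpenSSL or LibreSSL naming) always use ephemeral
        # (EC)DH key exchange and an AEAD cipher, so they pass by construction.
        return []
    problems = []
    if not name.startswith("ECDHE-RSA-"):
        problems.append("key exchange is not ECDHE_RSA (no forward secrecy or wrong auth)")
    if "AES" not in name:
        problems.append("bulk cipher is not AES")
    for marker in WEAK_MARKERS:
        if marker in name:
            problems.append(f"contains known-weak component {marker}")
    return problems


def audit(ctx: ssl.SSLContext) -> dict:
    """Map every non-compliant suite the context would offer to its reasons."""
    bad = {}
    for cipher in ctx.get_ciphers():
        reasons = violations(cipher["name"])
        if reasons:
            bad[cipher["name"]] = reasons
    return bad


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the profile above: TLS 1.2+ and the strong suites only.

    PROTOCOL_TLS_CLIENT enables certificate verification and hostname checking
    by default; a real client would also load a CA store with load_default_certs().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRONG_CIPHER_STRING)
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The 'before' picture: every suite the local OpenSSL build will negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # includes static-RSA suites with no forward secrecy
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_client_context()),
                       ("hardened", hardened_client_context())):
        bad = audit(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites offered, {len(bad)} non-compliant")
        for name, reasons in sorted(bad.items()):
            print(f"  {name}: {'; '.join(reasons)}")
```

Run it as a script to see which suites the permissive context would have offered and why each fails the policy. Note that the CBC suites with HMAC-SHA1 (for example ECDHE-RSA-AES128-SHA) pass this profile because the page allows them; if the profile is tightened to AES-GCM only, drop the second alias group from STRONG_CIPHER_STRING and they disappear.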
People Processes
Curo prides itself on employing the right staff, with a wealth of experience in providing HR data-based technology solutions to numerous clients worldwide and across many different industry sectors.
- Employee Screening. All Curo staff are vetted to the BS 7858:2012 security screening standard by a UKAS-accredited supplier.
- Select Employees. Only employees with the necessary rights and roles have pre-authorised access to our data centre facilities and your data. Employee access is unique, logged and uses strong password policies. We limit access to customer data to a select few employees who need such access to provide support and troubleshooting on our customers' behalf.
- As-Needed Basis. Customer data is accessed only when needed, and only with the customer's approval (for example as part of a support incident) or with the approval of senior security management for support and maintenance.
- Audits. Regular audits are performed and the whole process is reviewed by management to ensure only the right people have the right access to necessary data on an ongoing basis.
- Privacy, Security & Awareness. All employees must sign confidentiality agreements and annually attest to following Curo policies and guidelines whilst also passing online Security Awareness Training.
Redundancy & Business Continuity
One of the fundamental philosophies of computing is the acknowledgment and assumption that computer resources will at some point fail. We have designed our systems and infrastructure with that in mind.
- Equipment Redundancy. Curo uses DRBD block-level replication to guard against data loss from equipment failure in our primary processing facility. Additionally, a fully operational disaster recovery environment is online at all times to cover the risk of a total loss of the primary facility.
- Data Replication. Customer data is replicated in real-time to a separate geographic location for Disaster Recovery and Business Continuity purposes. Our DR process is tested and monitored daily.
- Data Protection & Back-up. Each client's data is backed up separately, encrypted, and retained according to defined retention policies, protecting it in the event of hardware failure or disaster.
- Power Redundancy. Curo configures its servers for power redundancy – from power supply to power delivery. Power is supplied in a 2N configuration with in-line UPS.
- Internet Redundancy. Internet connectivity is provided through multiple Tier-1 ISPs. So if one fails or experiences a delay, you can still reliably get to your application and information.
- Redundant Network Devices. Curo runs on redundant network devices (switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
- Redundant Cooling and Temperature. Computing resources generate a lot of heat and must be cooled to operate reliably. Curo servers are backed by N+1 redundant HVAC and temperature control systems.
- Fire Prevention. The Curo data centres are guarded by industry-standard fire prevention and control systems.
SOC 2
In the US, SOC 2 is an evaluation of the design and operating effectiveness of controls against the American Institute of CPAs (AICPA) Trust Services Principles criteria. The Trust Services Principles are:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
Curo follows industry standard best practice in adopting a number of technical and organisational measures to meet the above. However, as a UK based provider, we do not currently provide SSAE 16 Type II reporting. Our full ISO 27001 certification and statement of applicability can be made available upon request.