IT Security Statement

IT Commitment

It is Salt’s policy to carry out business safely and in a transparent manner in accordance with relevant data protection laws.

In accordance with the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) that came into effect on 25 May 2018, we updated our data privacy policies:

Privacy Policy

The GDPR is a regulation which aims to harmonize data protection legislation across EU member states, enhancing privacy rights for individuals and providing a strict framework under which commercial organizations can legally operate.

IT security and Privacy by Design are therefore of paramount importance. Salt’s IT security and maintenance is outsourced to a third-party managed services provider (‘MSP’) who provides remote and on-site assistance and who may also be responsible for hardware procurement. Our MSP and Salt have entered into a data processor agreement.

Below we outline the IT security requirements we have in place, in the form of answers to the questions our customers and candidates ask most frequently:

 Question Answer
Who/What do you use for your Hosting? Our MSP hosts our emails and documents in Microsoft Office 365. Our in-house server has a shared drive for our accounting department. We also use Dropbox for internal file sharing.
What does our MSP do with our data? Our MSP stores the data in the Microsoft cloud and/or on our server(s). They back up any data outside of the Microsoft cloud into a number of secure data centres. Data stored in Microsoft Azure is backed up and snapshots are taken by Microsoft. Our MSP also provides admin functions on some customer data as directed by Salt.
Is Salt data segregated? Data in the Microsoft cloud is segregated from other Microsoft customers. Microsoft uses logical isolation to segregate customers to ensure complete confidentiality and separation.
Is traffic encrypted? Data on the Salt network is not encrypted; however, data is kept behind a secure company firewall. Data in the Microsoft cloud is encrypted in transit and at rest.
Is data encrypted? Data in the Microsoft cloud is encrypted in transit and at rest. Our MSP uses IT’s backup Partners (MITOL and Solarwinds) who use encryption (AES256) for all data stored.
Are Salt computers encrypted? Directors, Accounts and HR departments all have their portable devices encrypted through EM+S.
Are Salt’s files or emails encrypted? Office 365 allows Salt to encrypt files and emails using Azure Rights Management.
How are Passwords stored? Our MSP does not store any passwords. For the processing of our core data, we use Jobscience (Salesforce). This is an industry standard CRM and Helpdesk system, and the data is stored in the Microsoft Cloud. Access to this system is via MFA (Multi-Factor authentication) only, so only authorised personnel are able to access this system. We furthermore have a Password Policy in place to manage how passwords are updated, shared and saved within our business.
How does Salt monitor Breaches / How do we monitor unusual activity / How do we report data breaches? Our MSP have a Network Operations team (NOC) who monitor the safety of our accounts proactively on a daily basis. Our MSP uses an industry standard system provided by Solarwinds. In addition, Microsoft provides alerts and reporting on access and activity. Salt furthermore has a Data Breach Policy in place to adequately manage and report a breach to the competent authorities.
What is Salt’s backup policy? Our in-house server has a nightly backup with a 30-day retention. Microsoft data (Office 365) is backed up and retained for 30 days. Our CRM system and Dropbox are webhosted applications in the Cloud.

All backups are logged and failed backups or missed backups are monitored by the Network Operations Team (NOC).

What is our Disaster Recovery procedure? Our MSP has everything in the cloud in terms of emails, files, remote monitoring, and CRM and Ticketing. Phones are VoIP and so in the event of a disaster, the MSP team would work from home / remote offices.

From a Salt point of view, we are a Microsoft Office 365 customer and we use a cloud-based CRM system. For this reason, Salt users can work from anywhere in the event of a disaster, provided an internet connection is available.

Microsoft has 40+ data centres; as part of Microsoft Office 365, there is multiple-site replication.

In addition, Salt has a Disaster Recovery Plan in place which can be requested from the IT/Project Manager.

   
What training has been provided for GDPR/IT security? Salt has provided in-house training to its staff on data protection and IT security. Salt has introduced a Code of Conduct that outlines how staff members need to manage data, and staff knowledge is tested through a GDPR/IT Security competency test.
How does Salt protect access to their servers? Microsoft servers are secured via access control. Only authorised personnel are allowed into Microsoft Data Centres. MITOL and Solarwinds servers are secured via access control. Only authorised personnel are allowed into Microsoft Data Centres.
What Certifications and accreditations do you hold? Our MSP have ITIL and Microsoft trained staff.

Our MSP partners with a number of suppliers for the hosting, backup and storage of data. Microsoft holds a number of certifications including ISO27001. All of these can be found here:

Microsoft Compliance Offerings

Mitol and Solarwinds are also ISO 27001 certified.

How does Salt control access to their data? Salt uses Office 365 and Dropbox which are both protected by MFA (Multi-Factor authentication). This ensures that staff are the only ones that can log in.
Who can request information or changes by our MSP? Our MSP defines an approver list at the outset of working with Salt. Only approved users are able to request new users, leavers and password changes from our MSP.

Hardware, Software, and Networking

Does Salt have a firewall? Our MSP have a Dell Sonicwall in place at their London office and Salt have a Dell Sonicwall at our London office which is managed by our MSP. Our other offices around the world are situated within serviced offices which have their own firewalls.
Who keeps the firewalls up to date? Our MSP have a Network Operations Team (NOC) who update Firewall firmware on a regular basis.
How are our computers and networks kept secure? Our MSP have a Network Operations Team (NOC) who schedule PC and Server updates each month. Critical updates are rolled out automatically. Our MSP has deployed Bitdefender on all PCs and Servers which provides Anti-Virus protection.

Salt uses Jobscience (Salesforce) as its main CRM database. Salesforce policies regarding data & IT security can be found on www.salesforce.com.

Salt also uses Intime as its contractor timesheet system which is owned by RSM. The relevant policies can be found on https://www.rsmuk.com/products/intime.

In addition to this IT Security Statement, Salt has rules in place that govern the use of data & IT equipment. These can be found in the documents below, which are updated from time to time:

  • Employee Handbook
  • Code of Conduct
  • Disaster Recovery Plan

If you have any other questions about this IT security statement and/or the use of your (personal) data, please email GDPR@welovesalt.com.

Last updated on 16th January 2020
