FAQ:Data and Security

From Hornbill
Jump to navigation Jump to search

What If I need a copy of my data what is involved, and how frequently can I get hold of it?

Firstly it's your data so by definition you are entitled to ask for a copy. Should you need a copy all you need to do is provide Hornbill with notice that you require this, typically no less than 14 days notice is required, and we will make available a copy of your data. Hornbill will provide a copy of your data by request once every 90 days at no additional cost. Your data will archived, compressed, encrypted and placed on our servers and you will be notified via email when its available and will have 7 days to download it to your servers. If you want these more frequently then you should consider the Hornbill Data Assurity service.

Should you require a more regular, scheduled push of your data we offer an optional chargeable subscription add-on service called Hornbill Data Assurity where we proactively archive and deliver a complete copy of your customer data to a cloud service of your choosing that you control (Amazon S3 for example) on a scheduled regular basis, typically once a month.

Who is entitled to ask for a copy of my data to be provided?

Only the named Account Authority for your instance can make a request for a copy of your customer data to the Hornbill Cloud team. Any other requests will be referred back to the named Account Authority.

My security team have asked to know where the data is held?

All data is held in the geographical legal entity associated with the instance. Therefore if your instance is in Europe your data remains in Europe, if your instance is in North America your data remains in North America.

Is the data encrypted and secure both in motion and at rest?

Data is encrypted where possible\practical but remains secure at all times (Choice of data centre\infrastructure\product architecture\processes and ethos ensure that data is secure). All backups are fully encrypted and specific fields are encrypted at rest. Full at rest encryption, of the database, is available for Enterprise customers. All data in motion is encrypted either via HTTPS\SSL or other means.

Does Hornbill regularly undertake penetration testing against the service?

Yes. As well as frequent tests undertaken by Hornbill we utilise external security companies to validate our results and services at least annually. Results of tests are available on request.

Under Data Protection legislation, my legal team want to know who will have access to the data?

Access to data is restricted to your employees (with granular access rights available to limit subsets of data to different teams) and anyone you grant access to. The Hornbill cloud team have access to the servers\databases, however ISO requirements and processes mean that we would first need to obtain authorisation from your nominated contacts before accessing your instance data (All access to servers are logged and reviewed to ensure that this requirement is met).

How much storage do I get on my Hornbill instance, and what happens if I need more?

By default your instance is automatically provisioned with 30GB of Storage. Additional storage is available should you require it and is charged at £0.20 per GB.

How long does Hornbill retain the data for if we cancel our subscription?

In the event you choose to terminate your agreement Hornbill will retain your customer Data for a period of 30 Days from the Date of Termination. We will of course provide you with a copy of this data upon request in an industry standard machine readable format.

Does Hornbill perform background checks on personnel with administrative access to servers, applications and customer data?

Yes.

What measures are in place for Data Transfer Security?

All data in motion between instance and client (Web Browser) is encrypted via HTTPS\SSL. All other data in transit is encrypted via other secure protocols. No data is ever transmitted in clear text.


What Happens with Data Should we choose to leave

Upon any termination, Hornbill shall use reasonable endeavours to assist in the migration of the Customer’s data and documents to another system within 20 working days. Such assistance to be subject to Hornbill’s terms for time and materials consultancy services and its associated standard day rates. Hornbill also agrees that such estimates for work will be reasonable and appropriate to the scale of request received for such data. Hornbill will delete (see below) the Customer Data between 30 and 60 days after the termination date. This includes all backups and data relating to those backups (Replications, Keys, Catalogs etc.

A SQL data dump will be provided of your instance (All SQL Create\Insert statements for your data) and copy of File Atthacments via Secure FTP within a password encrypted ZIP. An email is then sent to the primary technical contact for the instance containing information about the data drop along with the key required to unencrypted the content.

Delete v Wipe

Hornbill does not simply "delete" data as this can be restored, we destroy data via wiping and this is achieved by overwriting all data blocks associated to a given file\logical volume or storage device firstly with 1s and then 0s. No data is left intact.

Physical disks (Used by underlying hardware not virtual disks that the instances run on) under go the same process as above and are then destroyed on premise with certificate of destruction obtained.