Good security and privacy are critical. We're on it ...

Encrypted data transmission, storage and backups

• Website data is always sent over a secure, encrypted connection using 128-bit TLS 1.2 or 1.3 (a strong protocol), ECDHE_RSA with X25519 (a strong key exchange), and AES_128_GCM (a strong cipher) (the same level of encryption used by leading websites).
• Passwords are stored encrypted - hashed with salt using a strong hashing algorithm.
• By default, Google Compute Engine encrypts all data at rest. The system uses several layers of encryption to protect customer data.
• The servers on which we store personal data, and the teams that process it, are all located within the USA, European Economic Area (“EEA”) and UK.
• Our data is backed up onto encrypted, redundant block storage across multiple availability zones in our data centre using a method that allows us to perform a point-in-time recovery to any time of the day.

Independent penetration tests and security audits

• We conduct annual penetration tests with leading security providers.
• We perform weekly security scans using an independent, third party vulnerability scanner.
• Resource Guru maintains a bug bounty program, allowing security researchers from around the world to ethically and responsibly research and disclose security vulnerabilities to our team.

Operational security

• Resource Guru has been designed to protect against common web attacks and our systems are kept up to date with the latest software versions and security patches. Furthermore, we use code analysis to detect application level security vulnerabilities and monitor dependencies for vulnerabilities on a continuous basis. Any new vulnerability disclosed in any dependency is given the highest priority in our team.
• We have a rigorous code review process that will prevent any malicious code from entering the codebase. Code changes and deployments are all logged. Live application monitoring will alert us to anomalies in normal service.
• We do not access customer data for any reason other than those necessary to fulfill our contractual obligations to you. Furthermore, personnel are not able to log into customer accounts via any user interface and, if access is ever needed to troubleshoot an issue, we will first gain consent from the relevant customer. At that point, customers are welcome to refuse. There is no other user interface available to us apart from raw data in the database which is restricted to authorized persons who only have access to the extent necessary to perform their duties.
  • Any customer data accessed by authorized persons in the performance of their duties is transferred over a secure connection and stored on encrypted hard drives.
• We operate numerous security best practices including the principle of least privilege.
• What information will you provide customers in case of a breach? If we suspect a data breach, we will notify any customers affected as soon as it is practical to do so. We will also, where appropriate, provide details of how it happened and what will be done to prevent any breaches in the future.

General security

• The app has a multi-tenant architecture which ensures that any data retrieved for a user during their session is scoped only to the account they belong to.
• Passwords are stored encrypted - hashed with salt using a strong hashing algorithm.
• Users are required to use strong passwords.
• All credit card details are handled by our PCI-compliant partners. At no point do we receive or store any credit card details.

Permissions and access control

• We know that you need to control who has access to your data. That's why we built in some advanced user permissions which allow you to control who has access to the different sections of your account.
• With SSO-only mode (single sign-on), you can centralise access control. When you deprovision someone in your identity provider (IdP), they will automatically lose access to your Resource Guru account. So, only the right people have access to your data.

Privacy and GDPR compliance

• We take data privacy and protection extremely seriously. Please see our Privacy Policy for details of how we comply with data protection law. We are subject to GDPR law and the Data Protection Act 2018. Under the Data Protection (Charges and Information) Regulations 2018 (the Regulations), Resource Guru also pays an annual data protection fee to the ICO (Information Commissioner's Office). We are registered as a data controller with the ICO under registration number Z3001946.
• GDPR sets out seven key principles which lie at the heart of the general data protection regime. As a data processor on your behalf, Data Protection Law requires us to have in place appropriate technical and organisational measures. Some of these measures include:
  • (a) data processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
    • Where we are a data processor, there are six available lawful bases for processing. In relation to processing data on behalf of our customers, we rely on “Contract” - “the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.” You are the data controller in relation to data you enter into Resource Guru and you must have a lawful basis for processing that data.
    • Data is processed with transparency as illustrated by our Privacy Policy.
• (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • Please note the following from our Privacy Policy: “If we store or use your information on behalf of your account owner (for instance, your employer), we will only use that information as instructed by your account owner. In those circumstances, we don’t control or decide what information is provided, or how it is used. Your account owner will be responsible for telling you how they use your information, and for responding to any requests you have about that information. You may be able to amend or delete your information directly through our system, but otherwise any requests to access, remove, delete or restrict the use of that information should be directed towards your account owner, as we will not legally be able to make any decisions about how to respond to your request.”
• (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • The data we process and the reasons we process it are outlined in our Privacy Policy.
• (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Resource Guru users are able to keep the data in their accounts accurate and up to date.
• (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  • Customer data is automatically deleted 6 months after an account is cancelled. If deletion is required sooner, that can be arranged upon request.
• (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  • Please see the details on this page.

Insurance

• We have £1m public liability and £10m employer's liability insurance with Hiscox.
• We have £1m cyber liability insurance with Hiscox.