GDPR; A Shared Responsibility

GDPR; A Shared Responsibility

iWeb FTP is committed to compliance with the General Data Protection Regulation (GDPR) which will go into effect on May 25th 2018. The regulation contains significant changes to European data privacy legislation. It is designed to give EU citizens more control over their personally identifiable data and unifies a number of existing privacy and security regulations under one law.

iWeb FTP takes comprehensive measures to protect our infrastructure, network and applications. We train our employees in security and privacy best practices.

While iWeb FTP is responsible for securing each aspect of the service that is under our control, our customers play a key role in ensuring their data is protected and secure. As the admin of an iWeb FTP account you have the ability to configure and use your account to meet your organisation’s security, privacy and compliance needs.

Our customers can trust that we have made GDPR a priority and devoted significant resources towards our efforts to comply with GDPR.

However, data security is a shared responsibility. The overall security is limited by the least secure node.

This document is to help you understand what iWeb FTP does to keep your account safe, and what you can do to control the data stored in your account.

Should you have any questions regarding any aspect of our GDPR compliance, then do please contact us.


iWeb FTP's responsibilities

Many organisations around the world trust us to protect their data. To earn that trust, we work hard to build secure services that you can rely on.

Like many other software companies, we are implementing our company-wide GDPR compliance strategy leading up to 25th May 2018 and beyond. We appreciate that our customers have requirements under GDPR that are directly impacted by their use of iWeb FTP and we are committed to helping our customers fulfil their requirements under GDPR.

Build and maintain a secure network

Strict limitations are maintained between iWeb FTP’s internal network and the public internet. Traffic is carefully controlled through restrictive firewall rules. Access to the production environment is restricted to only authorised IP addresses and requires multi-factor authentication.

Encrypt data

iWeb FTP's customers interact with our systems through the web application, SFTP, FTPS and FTP (if specifically enabled by the account admin). We protect your data in transit (with the exception of the insecure FTP protocol) and at rest.

Data in transit

The data in transit security used differs depending on the protocol used to make the transfer.

FTPS & HTTPS

These protocols use Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. Additionally, on the web application, we flag all authentication cookies as secure, support perfect forward secrecy.

To prevent man-in-the-middle attacks, authentication of iWeb FTP’s front-end servers is performed through public certificates held by the client. An encrypted connection is negotiated before the transfer of any files and ensures secure delivery to iWeb FTP’s front-end servers.

Our certificate key is a RSA 2048 bit signed with SHA256 with RSA. We currently support TLS 1.0, TLS 1.1 and TLS 1.2. Support for TLS 1.0 will be dropped on the 18th June 2018 to comply with the PCI Data Security Standard (PCI DSS).

iWeb FTP supports Elliptic Curve Diffie-Hellman (ECDH), Diffie-Hellman (DH) and Advanced Encryption Standard (AES) of 128-bit or higher.

SFTP

This protocol uses the Secure SHell (SSH) protocol to provide data encryption for data transfer.

For key exchange, iWeb FTP supports Elliptic Curve Diffie-Hellman (ECDH) of 256-bit or higher.

For encryption, iWeb FTP supports Advanced Encryption Standard (AES) using keys of 128-bit or higher using Counter (CTR) or Cipher block Chaining (CBC) modes.

For Message Authentication Code (MAC), iWeb FTP supports Keyed-Hashing for Message Authentication (HMAC) using Secure Hash Algorithms (SHA) SHA-256 or SHA-512, as well as support for SHA-1.

iWeb FTP supports RSA with SHA-1 algorithm for server host key and we use a 1024-bit public key.

FTP (disabled by default)

FTP does not offer encryption whilst in flight. This method is not recommended, but is included to support legacy systems that cannot interact with newer, secure systems.

Data at rest

Our servers are physically located within a UK based data centre. Access to the servers is protected by CCTV, photographic identification, security tag door entry and padlocks. The equipment used to provide the service is owned by iWeb. Your data, when stored on our servers, is always located within the United Kingdom.

While your files are stored on our servers, the disks which they are stored on contain encrypted file-systems. This protects against theft by physical access: even if someone stole one of our servers they couldn't get at your data without the decryption keys. These keys are known only by our senior system administrators, and they are manually entered every time a server is rebooted.

We also store an encrypted backup in the European Economic Area (EEA) for disaster recovery purposes.

Maintain a reliable service

A storage system is only as good as it is reliable. iWeb FTP has been developed with multiple layers of redundancy to guard against data loss and ensure availability.

Redundant copies of data and metadata are distributed across independent devices. Incremental backups are continually performed.

Limit employee access to systems

We ensure that iWeb FTP employees access to back-end servers is strictly controlled. Access to production servers is granted using SSH key-based authentication, and restricted to teams requiring access as part of their duties. Access to other resources including data centres, server configuration utilities, production servers and source code development are granted through explicit approval by appropriate management.

Maintain employee security and privacy awareness

Part of keeping the iWeb FTP service secure is making sure that employees understand how to be security and privacy conscious, and to recognise suspicious activity. iWeb FTP employees are required to acknowledge security and privacy policies before being granted system access.

Breach notification

iWeb FTP will notify you in the event of a data breach, as required by applicable law. We maintain incident response policies and procedures including a breach notification process which enables us to notify affected customers as needed.

General regulation

We are registered with the Information Commissioners Office under the registration number Z7760712.

As required by GDPR regulations we confirm to you that:

  • all personal data processing involving data uploaded by you to our service is conducted within the European Economic Area (EEA) and not transferred outside the EEA
  • we only process your personal data for the purpose for which it was given to us
  • we do not share your personal data with any third party unless:
    • you have specifically asked us to
    • we are required to by law

We will keep your information for as long as you have a relationship with us. If you disengage as a customer we are required under UK tax law to keep your basic personal data (name, address, tax details) for a period of time,and we will do this for a minimum of six years.

Policies and procedures

iWeb FTP will comply with EU GDPR in relation to the right:

  • to be informed
  • of access
  • to rectification
  • to erasure
  • to restrict processing
  • to object

In the case of a data breach we will report to you, where applicable, and the Information Commissioner’s Office (ICO) within 72 hours.

Our procedures are in place to ensure that we are fully compliant with the GDPR regulations and also that you meet your own obligations when asking us to process personal data on your behalf.

Recruitment

On joining iWeb FTP, a new recruit receives:

  • our handbook
  • a mentor assigned to them to ask for advice

Physical security

Our Offices

Our offices are fitted with CCTV cameras.

Access to the building is restricted by access code

Our datacentre

Our servers are physically located within a UK based data centre.

Access to the servers is protected by CCTV, photographic identification, security tag door entry and padlocks.

Passwords and logins

All laptops are fully encrypted with strong 256-bit encryption.

Company mobile phones and tablets are encrypted and pin protected.


Customer responsibilities

Configure access and sharing permissions

iWeb FTP gives you flexibility to configure permissions to spaces in your account to support your security, collaboration and privacy needs. Admins can review and manage these settings through the web application to reflect their sharing or regulatory environment. When team members collaborate with a space, the admin can choose the appropriate level of access for participants; read, write, share.

Strengthen authentication

Ensure that all users have strong passwords for their accounts.

iWeb FTP has brute force mitigation in place to ban IPs after a few failed attempts. Bans increase in time for each successive attempts. If you have static IPs, we can whitelist them for your account to stop them getting banned.

However, if your password is particularly weak, or has been re-used on another service that has been compromised the brute force protection won’t offer as much protection.

Conduct regular access reviews

Access to your team’s account should be maintained as your team members and their roles change. You should check that only appropriate people have access to the data in your account they need access to.

Team members can be easily added, removed and reviewed by admins through the web application.

Determine encryption needs

The encryption needs of your organisation will likely follow policy based on the sensitivity of the data. If you are going to be transferring particularly sensitive data, then it would be best if you add your own encryption layer before transferring it to our servers to achieve end-to-end encryption. What this means is that you encrypt your files before uploading them, and then the recipient decrypts them.

With this in place, you gain all of the security advantages above, and can be sure that no one else, no matter how trusted, can access your files.

Improved security comes at a price: you will need some software for encrypting your files and your recipients will need the same software to decrypt them. You will also need to give them the password separately, for example over the phone, as sending the password with the files would undermine the security.