General Data Protection Regulation
- By using ChildDiary can I comply with the General Data Protection Regulation?
A: Yes, it is one of the reasons why a large number of institutions have started using ChildDiary.
- What are the criteria for the construction of passwords and what is your process for managing authentication credentials on the portal like?
A: All our passwords must meet certain requirements, namely at least 6 characters, a number, an uppercase letter and a lowercase letter.
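The following is an added example, not ChildDiary's own code: it implements the password policy stated in the answer above (minimum 6 characters, a digit, an uppercase and a lowercase letter) as a check that reports which rules fail, and pairs it with a salted PBKDF2 credential store and constant-time verification. The page does not say how ChildDiary stores credentials; the hashing scheme, the iteration count and the `pbkdf2_sha256$...` record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy exactly as stated in the FAQ answer above.
MIN_LENGTH = 6

# Assumption for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The page does not state which scheme ChildDiary uses.
PBKDF2_ITERATIONS = 600_000

# Each rule is (name, predicate); a password is accepted only if every predicate holds.
_RULES = [
    ("min_length", lambda p: len(p) >= MIN_LENGTH),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("lowercase", lambda p: re.search(r"[a-z]", p) is not None),
]


def failed_rules(password: str) -> List[str]:
    """Return the names of the policy rules the password violates (empty list = accepted)."""
    return [name for name, ok in _RULES if not ok(password)]


def is_acceptable(password: str) -> bool:
    return not failed_rules(password)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Enforce the policy, then derive a salted hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (constructed format)."""
    failures = failed_rules(password)
    if failures:
        raise ValueError("password does not meet policy: " + ", ".join(failures))
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(failed_rules("abc"))          # ['min_length', 'digit', 'uppercase']
    record = hash_password("Abc123")
    print(verify_password("Abc123", record), verify_password("Abc124", record))
```

Keeping the iteration count inside the stored record lets the work factor be raised later without invalidating existing records, and `hmac.compare_digest` avoids leaking which prefix of the digest matched. Composition rules like the ones above are a floor, not a ceiling: current guidance (NIST SP 800-63B) favours longer minimum lengths and screening against known-breached passwords over character-class requirements.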
- Do accesses have a time-out mechanism?
A: Yes, sessions time out, using sliding window expiration (the timeout is extended on each access).
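As an added example (not ChildDiary's code; the page only states that sliding window expiration is used), the session store below implements a sliding idle timeout: every validated access moves the expiry forward. It also enforces an absolute lifetime so that a continuously active session cannot live forever, which is an addition beyond what the page states. The timeout values and the injectable `clock` are assumptions chosen so the behaviour can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed values for the example; the page does not state ChildDiary's actual timeouts.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session expires
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (not stated on the page)


@dataclass
class Session:
    user_id: str
    created_at: float   # fixed at creation; drives the absolute lifetime
    last_seen: float    # slides forward on each access; drives the idle timeout


class SessionStore:
    def __init__(
        self,
        idle_timeout: float = IDLE_TIMEOUT,
        absolute_lifetime: float = ABSOLUTE_LIFETIME,
        clock: Callable[[], float] = time.time,
    ) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock  # injectable so tests can advance time deterministically

    def create(self, user_id: str) -> str:
        """Issue an unguessable token for a freshly authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def touch(self, token: str) -> Optional[Session]:
        """Validate a token and slide its idle window.

        Returns the session on success, or None if the token is unknown, idle too long,
        or past its absolute lifetime. Expired sessions are removed on the spot."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        idle_expired = now - session.last_seen > self.idle_timeout
        lifetime_expired = now - session.created_at > self.absolute_lifetime
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        session.last_seen = now  # the sliding window: expiry moves forward with each access
        return session

    def revoke(self, token: str) -> None:
        """Explicit logout: drop the session regardless of its timers."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("demo-user")
    print(store.touch(tok) is not None)  # True: freshly created
    store.revoke(tok)
    print(store.touch(tok) is None)      # True: revoked
```

Two timers matter here: the idle timeout bounds how long a stolen token stays usable once the real user walks away, and the absolute lifetime bounds exposure even when activity (legitimate or not) keeps the window sliding.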
- Are there external entities with access to the data that will be inserted in the platform?
A: No, we only share data with entities that are necessary for the proper functioning of the platform. At the moment we only use Microsoft Azure (data hosting and infrastructure) and Amazon Simple Email Service (sending email notifications)
- Are privileged platform administration accesses monitored and reviewed periodically?
- Is the platform subject to periodic vulnerability testing and patching?
A: We use the Microsoft Azure "managed" services which guarantee that patching is done regularly and without impact to our users.
- Do you have DoS controls in place?
A: Yes, it is part of Microsoft's core App Service offering.
- What encryption mechanism is used between communications with the platform?
A: We use HTTPS, with an SSL certificate.
- Is the data entered into the database encrypted? If so, what algorithm is used?
A: Yes, all data is encrypted. We use
- Are encryption mechanisms implemented for data in transit and at rest?
A: Yes, see answer above.
- Has a backup policy been defined for the data inserted in the platform?
A: Yes, you can find more details at https://docs.microsoft.com/en-us/azure/sql-database/sql-database-automated-backups
- Are the backups periodically tested?
A: We trust Microsoft and their backup infrastructure. We have had to restore from a backup using point-in-time restore.