SHOCKLOGIC POLICIES & PROCESSES

SHOCKLOGIC TECHNICAL FAQs

DATA POLICIES & PROCESSES

What is the programming language/platform which your system is built on?

Our systems were originally built in ASP, but are now based on PHP and Laravel, with JavaScript, jQuery and Node.js.

  • Current front-end development is created using React.js and Bootstrap.
  • Our database is powered by the MSSQL DBMS.

Is the system fully hosted in the cloud?

  • Yes, all of our data and systems are stored in the cloud.
  • We manage the physical machines ourselves, and the systems are isolated into their own virtual machines.
  • We are in a position to scale up easily and quickly if necessary to meet the needs of our clients.

What are the minimum requirements of the equipment to run your software?
As all of our software is delivered from the cloud as SaaS (Software as a Service), there is no minimum requirement for the computers to be used. All of the software runs in a browser.
So, as long as you can run Microsoft Office efficiently, the computer should suffice.
Chrome is the best browser option on the admin side, and any browser would be OK on the public side.


What are the terms of ownership over data?
Our clients own all data processed. Shocklogic does not disclose any data that is managed in its systems to any third parties unless specified by the client.


Are you hosting yourself? What about backup, failover?
Our systems are hosted by UKFast. Shocklogic have two single nodes hosted with UKFast (one for development and one for production). We have a one-hour hardware replacement agreement for the nodes, plus any associated restore time from our managed backups, which could be from 2 to 6 hours. Full backups of our database take place on Monday at 2AM, with hourly backups of transaction logs. All systems are updated weekly to keep up with the latest patches and improvements from software vendors.


What are UKFast’s data access and security procedures?

  • Access to the data centre is restricted to authorised personnel who hold Photo ID security passes.
  • On arrival at the data centre, all visitors MUST sign in.
  • Photo ID security passes are handed to a member of data centre staff who exchanges them for a key fob to access the relevant server room(s).
  • Key fobs have different levels of access. The levels only allow access to pre-arranged areas within the data centre.
  • Within each server room, racks of servers are secured within large cages. Each cage has a unique 4-digit code in order to gain access.
  • Visits to the data centre for non-authorised personnel (UKFast customers and non-authorised members of staff) must be arranged with data centre staff at least 24 hours in advance.
  • Clients taken on data centre tours must bring and show a valid form of photographic ID.
  • Because of security protocol, access will be denied to anyone attempting to gain entry without a valid form of photographic ID.
  • In addition, an authorised photo ID holder must accompany visitors at all times during their visit.
  • Visitors must wear visitor passes at all times during their visit to the data centre.

Follow this link to see UKFast’s data centre tour:
https://www.ukfast.co.uk/datacentre-tour-pdf.html


What steps does the company take in regards to vulnerability scans, penetration testing and risk analysis?

Vulnerability assessment

We perform regular vulnerability assessments internally and with our data centre providers, covering our virtual machines, physical machines and the wider network. We use industry-proven software such as Metasploit to assess whether we are vulnerable to known security threats. If any vulnerabilities are discovered, we take the necessary steps to protect and inform our clients. We work very closely with our providers and use both software and close collaboration to make sure that we are up to date on the latest vulnerabilities and the steps needed to protect against them.

Penetration test

Our penetration testers take the output of a network scan or a vulnerability assessment and take it to 11 – they probe an open port and see what can be exploited.
For example, let’s say a server is vulnerable to Heartbleed. Many websites still are. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated.
Similar to a vulnerability scan, the results are usually ranked by severity and exploitability, with remediation steps provided. Furthermore, we automatically run tests on the code written by our team that feed random “dangerous” data into our test environment, which makes sure we are protected against XSS, CSRF and JS injection attacks.
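As an added illustration of the automated “dangerous data” testing described above (example code written for this page, not Shocklogic’s own test suite): a small JavaScript harness generates random strings from an alphabet of HTML/JS-significant characters, feeds them through two hypothetical page renderers, and reports which inputs broke the escaping invariant. The renderer names, the `<p>Welcome, …</p>` template and the seeded generator are assumptions for the example; the point is that the check is an invariant over the rendered output, not a fixed list of known payloads.

```javascript
// Added example (not Shocklogic's code): a tiny harness that feeds randomly
// generated "dangerous" strings through a page-rendering function and checks
// that none of the HTML-significant characters survive unescaped.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hardened renderer: every untrusted value is escaped before it reaches the template.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSafe(name) {
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Deliberately unescaped renderer: the "before" picture the harness should catch.
function renderUnsafe(name) {
  return `<p>Welcome, ${name}</p>`;
}

// Small seeded PRNG (mulberry32) so a failing input can be reproduced from its seed.
function mulberry32(seed) {
  return function () {
    seed |= 0;
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed alphabet, biased toward characters that matter for HTML/JS injection.
const DANGEROUS_ALPHABET = ["<", ">", '"', "'", "&", "/", "=", " ", "script", "on", "a", "1", ";", "(", ")"];

function randomDangerousString(rng, maxParts = 8) {
  const n = 1 + Math.floor(rng() * maxParts);
  let s = "";
  for (let i = 0; i < n; i++) {
    s += DANGEROUS_ALPHABET[Math.floor(rng() * DANGEROUS_ALPHABET.length)];
  }
  return s;
}

// Invariant: once the fixed template prefix/suffix is stripped, the rendered value
// must contain no raw <, >, " or ', and every & must start a known entity.
function violatesEscapingInvariant(html, template = /^<p>Welcome, ([\s\S]*)<\/p>$/) {
  const m = template.exec(html);
  if (!m) return true; // output no longer matches the template shape at all
  const rendered = m[1];
  return /[<>"']/.test(rendered) || /&(?!amp;|lt;|gt;|quot;|#39;)/.test(rendered);
}

// Runs `iterations` random inputs through `render`; returns the inputs that broke the invariant.
function fuzzRenderer(render, { seed = 1, iterations = 500 } = {}) {
  const rng = mulberry32(seed);
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    const input = randomDangerousString(rng);
    if (violatesEscapingInvariant(render(input))) failures.push(input);
  }
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe renderer failures:", fuzzRenderer(renderUnsafe).length);
  console.log("safe renderer failures:", fuzzRenderer(renderSafe).length);
}
```

In a real pipeline the same harness would wrap the application’s actual template or component rather than the toy renderers here, and the failing inputs it returns (together with the seed) go straight into the bug report so the case can be replayed.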

Risk analysis

A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that we implement to analyse specific vulnerabilities (such as a line item from a penetration test) and to ascertain the risk – financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.
Our analysts first look at the vulnerable server, where it sits in the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed, has a very different risk posture from a customer-facing web server that stores credit card data and is also vulnerable to Heartbleed. A vulnerability scan does not make these distinctions. Next, our analysts examine the threats that are likely to exploit the vulnerability, such as organised crime or insiders, and build a profile of their capabilities, motivations and objectives.
A risk analysis, when completed, will have a final risk rating with mitigating controls that can further reduce the risk.


Are your systems compliant with data protection regulations?

Appxcell Limited T/A Shocklogic is registered with the Information Commissioner under the Data Protection Act 2018. The company, on behalf of its customers, takes all reasonable steps necessary to ensure that all personal data held on any of its systems – including our events management systems – is kept secure against unauthorised access, loss or destruction.
Shocklogic stores data as defined by the Customer; the system itself does not determine the level and type of data stored. Each event must be configured by the Customer to capture and store the data the Customer considers necessary to operate the event efficiently. Access to data pertaining to personal, financial and registration information can be controlled by the Customer using the access rights module. Shocklogic provides a hosted and managed service for Customers. UKFast holds the following certifications:

  • ISO9001
  • ISO14001
  • ISO27001
  • PAS2060
  • PCI Compliance

Shocklogic is committed to ensuring the longevity and protection of our client data. We regularly send our technical team to security seminars so that they are familiar with new laws and regulations, and with which steps need to be taken to bring us into compliance before they take effect. The EU has placed new requirements on SMEs (Small and Medium Enterprises) in regards to data protection, essentially rewriting and hardening previous recommendations and introducing many new steps to protect the data of EU citizens. This is called the General Data Protection Regulation (GDPR) and it came into effect on 25th May 2018. Shocklogic took all the necessary steps beforehand to confirm our compliance with these new regulations well in advance.


What processes do you have in place to achieve GDPR compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO).
Shocklogic is in regular contact with the Information Commissioner’s Office (ICO) and has assigned an internal DPO who meticulously follows the guidelines and updates from the ICO: https://ico.org.uk/for-organisations/data-protection-reform/
All our clients are required to assign their own internal DPO to oversee data security strategy and GDPR compliance. Our clients will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request.
Shocklogic will make sure to provide and implement encrypted environments during data exchange, data processing and data delivery. This will safeguard the data from unauthorised use by third parties. Cyberattacks and data breaches are still possible but Shocklogic carries out every necessary process to diminish the impact of these attacks. See more above about vulnerability scans, penetration testing and risk analysis.
Shocklogic will document and monitor data changes and report inaccuracies in the data to the client upon request. Shocklogic’s systems already provide opt-in facilities and functionalities that allow users to authorise the use of their data. The terms and conditions as well as the privacy notice for the collection, storage and use of the data will have to be defined by the client.

We recommend reading ICO’s Privacy notices code of practice:

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

See also UKFast’s GDPR checklist:
https://www.ukfast.co.uk/your-guide-to-the-gdpr.html?utm_source=ukfastmailer&utm_medium=email&utm_campaign=17Q1-gdpr


What about Brexit? Will GDPR still apply?

For the time being, forget about Brexit. Your business’s focus should be on becoming compliant with this legislation until we’re told very clearly otherwise.
Even though Article 50 has been triggered? Yes. The GDPR does not just apply to businesses in the EU. It applies to any organisation that controls or processes EU data, wherever they are in the world.


Is the mail server hosted by you?

Yes, our mail server is hosted by us. It runs within a protected environment, and all our applications run behind it. Furthermore, we are not on any mailing blacklists and we manage all of the relevant DNS records.


Would it be possible to integrate your system with an existing database?

Yes. Through our API, data can be sent to and retrieved from our database. You can have a closer look at our REST API documentation here for further information:
https://api.shocklogic.com


How possible is it to customise your system without the intervention of developers?

All of our forms, templates and saved data are fully customisable without the intervention of a developer in terms of the look and feel of the forms. The requirement of additional functionalities in the system would require a developer to be involved.


How possible is it to link the system to any accountancy software (BOB)?

There are various methods that we have used to connect to our customers’ accounting software:

  • Our API: We have a very strong API, so we have connected customers’ accounting systems through our API.
  • The accounting system’s API: We have connected our systems to our customers’ accounting software through that software’s API.
  • Import/Export: We can produce a variety of file types from our systems – XLS, CSV, JSON, XML. We can also extract any element of data from the database.
    Our customers provide us with a template or method that the accounting system can consume and we will produce the output from our systems. The dependency and limitation is normally on the side of the accounting software.
  • We would be happy to explore any of the above or a new possibility in relation to your accounting software.

Would it be possible to also build our website with your system?

Yes. We have an area in our system for creating standalone web pages.


How big is your development team? Do they all speak English?

Our development team consists of 9 people. They all speak English and all have a second language too. These include: Spanish, Gujarati, Hindi, Albanian, Nepalese and Lithuanian.


What about licensing?

It is standard practice for us to license our software. We have two types of standard license: a per-project license and a yearly license. Single-project and multi-project licenses, and single-year and multi-year licenses, are also available.


What about technical support, SLA (Service Level Agreement)?

Our contracts usually state an 8-hour SLA; however, if you have entered an incident in the helpdesk, our current average response time is within 4 hours. If you don’t get an immediate resolution to your incident (which is the most likely case), the response can in some cases be an assurance that the problem has been escalated to the technical team or similar.


How flexible are you? Would you be able to work at short notice (a few days) and handle last-minute requests/changes?

We are extremely flexible. We can work at short notice, though to guarantee quality we prefer as much notification as possible. We will always be honest and give you the best possible assessment so we can together make realistic decisions on the next step or course of action.
We will always have in mind the best outcome of your situation, incident or project.







+44 (0) 207 326 0286

info@shocklogic.com
©All rights reserved to Shocklogic Worldwide Limited. Registered company number: 09493751. Address: The Link, Unit 46, 49 Effra Road, London SW2 1BZ. VAT number: 247277385.