Hey! At Spark, we know that trust is everything. Everything we do in our Peer Support Group is kept within the group, or the organisation. We’re super strict on that because we know that a lot of the time, people only speak about things in the group as they know it won’t go any further. The only time that we’ll break this is if there’s a credible danger to life, but then our members understand that, and the decision is only ever taken with backing from both the CEO (me) and the manager of the group (Emma).
Outside of the group, we do try our very best to make sure that everything we do is secure. When I’m not working with Spark and I’m doing my day job, I’m actually heavily involved with the IT security where I work, so it’s something that really runs deep with me and I try to instil that into the ethos of Spark.
Naturally, you don’t always get to see a lot of this – so I thought that being data privacy day, it’s a fantastic opportunity to tell you about how we keep your data private outside of the group, as well as inside!
Let’s start with the bones of what we have – the servers – and how we keep them secure. All of our servers are with Microsoft Azure, in their cloud datacentre, based in West EU (in fact, we’d love to thank Microsoft for their generous donation of Azure credit!), and we manage these ourselves. In a move that some of you might find a bit scary, we don’t actually use passwords to access our servers! However, we use something that’s considerably more secure called an SSH key. This essentially is a file that we must be in physical possession of before we can log onto the servers. Simply put, the file contains a 1,592 character password! Partly to make things faster and partly for security, we’ve separated the website server and the database server – meaning that the server storing the info itself is actually inaccessible from the internet! Yep, we rock that much ;). We run updates on our servers automatically every day – we have the philosophy that we’d rather the website was offline briefly than get hit by any nasties! Naturally, we have backups of everything, so we can be back online pretty quickly, should anything go wrong.
Down to the website itself – we use WordPress as the platform. It’s one of those pieces of software that is constantly updated and being that it powers about 1/3 of the internet, it gets rather well tested! We automatically apply any security updates and plugin updates daily. We also use a fantastic service called Detectify – which scans our website once a week for any known vulnerabilities and lets us know, so we can fix them before the bad guys get to them! Our current Detectify score is 0.0 – being like Pointless, where lower is better! I’m personally rather proud of, as it’s taken me quite a while to get it down to nothing! Naturally, we use SSL certificates everywhere we can, meaning that any data you send us and we send you is encrypted – with an A+ rating from Qualys’ SSL Labs! (Check here if you don’t believe me!) We made a conscious decision to NEVER store credit card data ourselves. We use Stripe, who are one of the world’s leading providers of credit card charging services, who deal with all of that side for us – we literally never even see any of your card data.
Now – I’m not stupid when it comes to these things. I’m NOT saying that our website is impenetrable or the most securest thing EVER, but equally, I think we do alright and I honestly am pretty proud of our setup.
Everything we do runs two-factor authentication (Factors are something you have, something you know, or something you are (think fingerprint, retina scans etc!) – two factor authentication asks you for two out of three), and I’m working towards getting everything
running through one login system, meaning that should we ever have to cut anyone off, it’s very fast and we’re very sure that there’s no way that they’re getting any data out!
The main system that we use other than the website is Office 365 – again, we use two-factor authentication for this and are very careful with the data that gets stored on there. Microsoft again keep this secure and up-to-date for us, which we believe is always going to be more beneficial than attempting to run it ourselves, as it means we can deploy resources elsewhere that we would be stuck managing that instead.
We don’t rest on our laurels though – this is always going to be one of those jobs that never ends. There’s always something better that we can do, there’s always a new method that we can do things to make sure that we truly are the best we can be. Just recently, we made the decision to stop using Facebook Messenger to discuss things between managers and moderators, and switch to Wickr Messenger, which is infinitely more secure and provides much, much greater protection for the data we send, keeping it well away from prying eyes. (If you want to find out more about Wickr, www.wickr.com)
So, in conclusion, we do not take any chances with your privacy. It’s not in our nature or our culture. And we never, ever will.
If you want to know any of the technical details behind what we’re doing, please feel free to drop me an email – gareth[at]sparksupport.co.uk, or you can message me on Wickr – sparkgareth.
Shine bright 🙂
