
How SenseOn Protects Customer Data

As a security provider, SenseOn is the guardian of considerable amounts of sensitive data. It is vital to our business that both the collected information and the database systems that hold it are safeguarded, and that all actions are in line with our Information Security Policies.

Compliance and Certification

As a security company, it’s critical that we get security right. We consider security over every part of our business. As such, SenseOn has designed its security policies and internal processes based on the following mandates:

SenseOn operates a complete Information Security Management System which is externally audited annually by a UKAS-accredited certification body. SenseOn is audited to ISO/IEC 27001:2013. Our certification can be verified with UKAS.

SenseOn is a Cyber Essentials Plus certified organisation, audited on an annual basis by an independent security audit organisation. Our certification can be verified with IASME.

Independent penetration testing is performed on all major software updates released by SenseOn. We employ a full-time CHECK and CREST accredited penetration tester to review and test all changes, and to conduct purple-teaming exercises with SenseOn’s internal security team.

All aspects of SenseOn relating to the handling of customer data are designed and operated to be strictly compliant with the requirements of GDPR.

Personnel

All prospective SenseOn employees undergo a rigorous background check process, which includes detailed reference checks from at least two professional sources, CV review by the hiring manager and, where appropriate, criminal record checks such as DBS.

Right to work in the UK is confirmed and verified by a copy of either a UK passport or an appropriate visa. Copies of passports are obtained and stored on file for all employees. Background checks for any overseas employees are performed by a third-party Employer of Record (EOR) company prior to onboarding.

All employees are, upon hire, provided with training relating to company policies and security awareness. This training is supplemented at regular (at least annual) intervals and on an ad-hoc basis where deemed pertinent or required. This training is then tested internally to ensure compliance and understanding.

Password Policy

SenseOn maintains a detailed password policy, setting out the required standards for the creation of passwords, the protection of those passwords, and the frequency of password changes.

All internal systems use Single Sign-On (SSO) for authentication where available. This is backed by mandatory Multi-Factor Authentication (MFA), with Role-Based Access Control (RBAC) for authorisation.

Roles and their access are regularly reviewed by internal security teams to determine who has access and to ensure that privileged roles are being used solely for administrative purposes.

For all accounts and services that support it, multi-factor authentication must be used.

Where appropriate, users are encouraged to use a SenseOn approved, secure password manager.

💡 Password complexity: SenseOn’s policy still contains traditional measures of password complexity (e.g. length, types of characters). Where possible, however, we move to full entropy calculations that analyse the true strength of a password, factoring in elements such as dictionary words and data from password breaches.
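The difference between the two approaches is easiest to see in code. The following is an added illustrative example, not SenseOn’s own tooling: a character-class complexity check beside a simplified entropy estimator in the spirit of zxcvbn that refuses breached passwords outright and credits a dictionary word as one choice from a word list rather than as a run of independent characters. The word list, the breached-password set and the leet-speak mapping are constructed here for the demonstration; a real deployment would load a large dictionary and a breach corpus.

```python
"""Added example: character-class complexity versus entropy-based strength.

Not SenseOn code. The word list, breach set and leet mapping below are
constructed for the demonstration (assumption: real deployments load a full
dictionary and a breached-password corpus).
"""
import math
import re

# Constructed sample data.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey",
                "letmein", "qwerty", "senseon"}
BREACHED = {"Password123!", "Welcome2024", "P@ssw0rd"}

# Undo the usual single-character substitutions before dictionary matching.
LEET = str.maketrans("@$0134!", "asoleai")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
CLASS_SIZES = (26, 26, 10, 33)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present."""
    return sum(size for pat, size in zip(CLASS_PATTERNS, CLASS_SIZES)
               if re.search(pat, password))


def passes_complexity(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Traditional rule: long enough and uses enough character classes."""
    classes = sum(bool(re.search(pat, password)) for pat in CLASS_PATTERNS)
    return len(password) >= min_len and classes >= min_classes


def naive_entropy_bits(password: str) -> float:
    """Entropy if every character were an independent uniform choice."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def estimated_entropy_bits(password: str) -> float:
    """Entropy estimate that accounts for breaches and dictionary words.

    A breached password scores zero: the attacker already has it. Each
    dictionary word found (after lowercasing and de-leeting) is charged as one
    pick from the word list plus two bits for the capitalisation/leet variant
    (a constructed heuristic); only the leftover characters are credited at the
    brute-force rate.
    """
    if not password:
        return 0.0
    if password in BREACHED:
        return 0.0
    normalised = password.lower().translate(LEET)
    words_found = 0
    matched_chars = 0
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if word in normalised:
            words_found += 1
            matched_chars += len(word)
            normalised = normalised.replace(word, "", 1)
    bits = words_found * (math.log2(len(COMMON_WORDS)) + 2)
    leftover = len(password) - matched_chars
    bits += leftover * math.log2(charset_size(password))
    return bits


def assess(password: str, min_bits: float = 40.0) -> dict:
    """Summarise both verdicts so the gap between them is visible."""
    return {
        "complexity_ok": passes_complexity(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
        "estimated_bits": round(estimated_entropy_bits(password), 1),
        "entropy_ok": estimated_entropy_bits(password) >= min_bits,
    }


if __name__ == "__main__":
    for candidate in ("Password123!", "Dragon$ummer7", "xq7#Lm2!vT9pR"):
        print(candidate, assess(candidate))
```

"Password123!" and "Dragon$ummer7" both satisfy the three-class, eight-character rule and look like roughly 80 bits of naive entropy, yet the estimator scores the first at zero (it is in the breach set) and the second at under 20 bits (two dictionary words plus one digit). Only the random string keeps its naive score, because no dictionary fragment was found in it.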

Physical Security

As SenseOn stores all data collected from cloud-hosted customers within a tenant hosted in AWS, SenseOn benefits from the physical security measures of AWS datacentres. Details can be found here: https://aws.amazon.com/compliance/data-center/controls/

Logical Protection

Telemetry is collected by the SenseOn Universal Sensor locally on the device on which it is installed. The collected information is compressed and encrypted before being transported to a hosted appliance over HTTPS using TLS 1.2 or later.

All telemetry collected from a customer environment is processed and stored within a secure database on a dedicated tenant. This information is encrypted at rest using AES-256. Data can be held in a region of the customer’s preference. Customers also have the option of their own dedicated instance, ensuring that there is no possibility of multiple customers’ data pooling in the same space.

Each of these tenants is monitored by an industry-leading network monitoring and endpoint protection tool. They are also protected by specific AWS Security Groups, as well as a client-based WAF to protect against layer 7 attacks.

Access to SenseOn appliances containing customer data is tightly controlled and restricted to a specific subset of approved users within the SenseOn SOC and Security Engineering teams. This list of users is reviewed and updated regularly by internal security functions and team management.

To access SenseOn customer data, users must connect to SenseOn’s VPN from an internally monitored device, authenticating via centrally managed SSO with multi-factor authentication.

All SenseOn user activity is audited by internal security engineering teams. Additional audit streams from customer appliances are monitored to ensure complete visibility of who has accessed customer data.

Service Owners must segregate services, users, and information systems to support business requirements, connectivity, and access control. The segregation must be based on the management of risk, and the security principles of the “segregation of duties” and “least privilege”.

Vulnerability Management

SenseOn makes use of third-party vulnerability assessment and penetration testing, as well as internal audit and assessment by SenseOn’s own security engineering and purple-team experts. The results are assessed, triaged and addressed by SenseOn’s internal security teams according to strict SLAs tied to the severity of the vulnerability found.

Additional risk assessment workshops are conducted once a year and include threat modelling of actors and their likely attack paths against SenseOn.

Any risks or vulnerabilities detected by an employee outside this process are to be reported at the point of discovery directly to the Information Security Manager, either through a simple, robust internal reporting process or in person.

Disaster Recovery & Backup

All case information, security observations and configurations from customer appliances are backed up every 12 hours to a separate AWS Availability Zone, and the backups are encrypted at rest.

SenseOn maintains detailed disaster recovery and business continuity plans for business-affecting incidents of all kinds, ranging from small-scale, single-service interruptions up to complete loss of service and natural disaster.

3rd Party Access

SenseOn has a small number of carefully assessed third-party data processors, details of which can be found in our Data Privacy Impact Assessment documentation.

Data Sanitisation

At any time, SenseOn customers are entitled to the removal, export or sanitisation of their data. This is carried out on request, made through direct communication with the SenseOn customer success team by verified users within the customer organisation.