Security and data protection

At WhisperClaims we use a number of third-party tools and applications to host the application, store data and manage payments. All of these tools and applications have their own security and data protection policies. Here we summarise what these tools are and how we secure your data and information.

Who has access to WhisperClaims

Stripe (Subprocessor) - We use Stripe via an API to capture, hold and process the payment details of our Customers. Stripe is a PCI Service Provider Level 1. We don't store or process any payment information on our servers, so none of our staff have any access to this information.
GoCardless (Subprocessor) - We use GoCardless via an API to capture, hold and process the payment details of our Customers. GoCardless is a PCI Service Provider Level 1. We don't store or process any payment information on our servers, so none of our staff have any access to this information.
Heroku (Subprocessor) - Our application is deployed and hosted on Heroku. This platform as a service handles and ensures the security and stability of our application. The application has an SSL certificate and requests are dealt with via Heroku.
WhisperClaims staff - All sales and customer support staff have individual accounts that are password protected. They can access all customer accounts and claims, but not payment details.
Customers - All customers have individual accounts that are password protected. Customers can only access information about their company and clients. Admin users can also set permissions for their teams to ensure that only designated people can see certain data or incur charges.

Heroku security

Heroku continually undertakes penetration testing and vulnerability assessments. More information on this and on environmental safeguards, network security, data security, system security and vulnerability management can be found in this document: https://www.heroku.com/policy/security.
The Heroku system, which uses AWS, has the following accreditations:
  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

All data held by Heroku is continuously backed up. In the event of catastrophic failure, the app can be restored to any point within the last four days.

Service Assurance

We practice change control using Atlassian’s Bitbucket. We use the following best-practice protocols to minimise service disruptions:

  • Development is conducted not on the main branch of the software, but on separate branches that are merged into develop after testing.
  • New changes are first pushed to a staging environment for further internal testing, and are only pushed live once approved by the Product Owner. This reduces downtime associated with bugs.
  • Heroku handles all hardware maintenance to ensure that our application is not affected by upgrades or hardware failures.

Business Continuity Plan

All our data and code is held in the cloud, so in the event of a disaster our business continuity requires only the purchase of new IT equipment. Once machines are set up with the necessary development software and connected to the internet, development can continue. Our application, hosted on Heroku, would continue running in the cloud without any interruption to the service at all.

Subprocessors
Service provider     Description             Safeguard
Amazon Web Services  Cloud/platform hosting  Privacy Shield
Heroku               Cloud/platform hosting  Privacy Shield
Stripe               Payment Processing      Privacy Shield
GoCardless           Payment Processing      Privacy Shield
Send                 Email Processing        Privacy Shield

Cookies

WhisperClaims uses cookies to improve users' experience of the app. We use the minimum number of cookies, and none of these are used to track activity for marketing purposes.

Cookie                                           Uses                                                          Type
_whisper_session                                 Session                                                       Session
stripe.crf                                       Prevents cross site request forgery                           Session
session                                          Provides a unique session identifier for dashboard users      Persistent
machine_identifier                               Provides a unique session identifier for authentication       Persistent
country                                          Sets a country code as determined by IP address               Persistent
lang                                             Sets a language code                                          Persistent
cid                                              Sets a value to track user metrics                            Persistent
checkout-test-session, checkout-dashboard-session  Associates a device with a 'Remember Me' Checkout account   Persistent
