At WhisperClaims we use a number of third-party tools and applications to host the application, store data and manage payments. All of these tools and applications have their own security and data protection policies. Here we summarise what these tools are and how we secure your data and information.
Who has access to WhisperClaims
Stripe (Subprocessor) - We use Stripe via an API to capture, hold and process the payment details of our Customers. Stripe is a PCI Service Provider Level 1. We don't store or process any payment information on our servers, so none of our staff have any access to this information.
GoCardless (Subprocessor) - We use GoCardless via an API to capture, hold and process the payment details of our Customers. GoCardless is a PCI Service Provider Level 1. We don't store or process any payment information on our servers, so none of our staff have any access to this information.
Heroku (Subprocessor) - Our application is deployed and hosted on Heroku. This platform-as-a-service handles and ensures the security and stability of our application. The application has an SSL certificate and requests are handled via Heroku.
WhisperClaims staff - All sales and customer support staff have individual, password-protected accounts. They can access all customer accounts and claims, but not payment details.
Customers - All customers have individual, password-protected accounts. Customers can only access information about their own company and clients. Admin users can also set permissions for their teams to ensure that only designated people can see certain data or incur charges.
Heroku security
Heroku continually undertakes penetration testing and vulnerability assessments. More information on this, and on environmental safeguards, network security, data security, system security and vulnerability management, can be found in this document:
https://www.heroku.com/policy/security.
The Heroku system, which runs on AWS, holds the following accreditations:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
All data held by Heroku is continuously backed up. In the event of catastrophic failure, the app can be restored to any point within the last four days.
Service Assurance
We practise change control using Atlassian's Bitbucket. We use the following best-practice protocols to minimise service disruptions:
- Development is not conducted on the main branch of the software, but on separate branches that are merged into the develop branch after testing.
- New changes are first pushed to a staging environment for further internal testing, and are only pushed live once approved by the Product Owner. This reduces downtime caused by bugs.
- Heroku handles all hardware maintenance to ensure that our application is not affected by upgrades or hardware failures.
Business Continuity Plan
All our data and code are held in the cloud, so in the event of a disaster our business continuity requires only the purchase of new IT equipment. Once machines are set up with the necessary development software and connected to the internet, development can continue. Our application, hosted on Heroku, would continue running in the cloud without any interruption to the service.
Subprocessors
| Service provider | Description | Safeguard |
| --- | --- | --- |
| Amazon Web Services | Cloud/platform hosting | Privacy Shield |
| Heroku | Cloud/platform hosting | Privacy Shield |
| Stripe | Payment processing | Privacy Shield |
| GoCardless | Payment processing | Privacy Shield |
| Send | Email processing | Privacy Shield |
Cookies
WhisperClaims uses cookies to improve users' experience of the app. We use the minimum number of cookies, and none of them are used to track activity for marketing purposes.
| Cookie | Use | Type |
| --- | --- | --- |
| _whisper_session | Session | Session |
| stripe.crf | Prevents cross-site request forgery | Session |
| session | Provides a unique session identifier for dashboard users | Persistent |
| machine_identifier | Provides a unique session identifier for authentication | Persistent |
| country | Sets a country code as determined by IP address | Persistent |
| lang | Sets a language code | Persistent |
| cid | Sets a value to track user metrics | Persistent |
| checkout-test-session, checkout-dashboard-session | Associates a device with a 'Remember Me' Checkout account | Persistent |