Security

GDPR

We are fully GDPR compliant. AORA acts as a GDPR data processor; there are no sub-processors. We use data centres in London to store and process our customers’ data. No data leaves the UK.

All staff receive annual third-party cyber security awareness training and testing (SATT) together with GDPR training.

We are registered with the Information Commissioner’s Office (ICO), registration number: ZB493154.

Encryption

All data in transit is encrypted, using TLS 1.3 or SSH protocol version 2 (SSH-2).

Persistent data is stored on internal servers rather than in the DMZ. Sensitive data (e.g., completed questionnaires) is additionally encrypted at rest.

Database backups are taken daily, encrypted separately from the at-rest encryption, and stored with a separate cloud storage provider, also in UK data centres.

Certifications

We hold Cyber Essentials Plus certification, which includes an independent third-party technical audit of our IT systems.

We commission annual application and external infrastructure penetration tests from a CREST-approved supplier (OnSecurity). Our hosting provider (DigitalOcean) manages the physical network on which our cloud services run and carries out its own separate penetration testing of that infrastructure. Ongoing vulnerability scanning is provided by CyberSmart and Pen Underwriting.

Professional indemnity (PI) and cyber insurance (£1m cover) are provided by Pen Underwriting.

Data retention

We never use our customers’ data for training or testing purposes. Data retention is governed by each customer’s own GDPR processes. Where a customer has integrated AORA with their CMS, closing a case in the CMS causes the corresponding data held in AORA to be deleted.

SSO access

By default, we provide two-factor authentication (2FA) by email and/or text message.

We also support single sign-on (SSO) integration with Microsoft 365.

Get in touch today for a demonstration of how AORA can enhance the performance and profitability of YOUR practice.
