Your data, rigorously guarded.
We know the data you put into your CRM is among the most valuable assets you have. That’s why security and data protection are at the heart of everything we do here at OpenCRM.
Watertight security, by design
Our reputation depends on providing watertight security, and we’d like to assure you that your data is rigorously guarded. From the very beginning, we decided security would be the “magic bullet” to win the confidence of our prospective clients — which is why we take it so seriously.
Security is more than a technical consideration; it’s embedded into our day-to-day operations, from the development team right across the company. It’s not just what we do today, but the continual review of what we need to do for the future. Below are some of the precautions we take and features that let you control access — there are many more we don’t publish, because that wouldn’t be good security policy.
Held in the UK, encrypted end to end
We use the Amazon Web Services (AWS) London region to host all our OpenCRM systems. This means your data — both back-ups and your primary system — is always located within the UK.
Your data is stored within an Amazon RDS database: fast, secure and highly reliable, scaling across multiple AWS datacentres, encrypted at rest and inaccessible outside these networks. Any files you upload are encrypted at rest and stored within Amazon S3, AWS’ dedicated storage system — a secure, durable way to store files so they’re accessible when you need them.
Your data is also encrypted throughout its journey to and from AWS. Whenever you log in or upload a file, the data is transmitted over an encrypted connection and then stored encrypted at rest.
Available when you need it
Multiple encrypted copies of your uploads are continuously maintained, so both your database and your files will be available when you need them.
Four layers of data-centre security
AWS is used by some of the biggest names in demanding industries, including Netflix, the Financial Industry Regulatory Authority, and NASA. AWS divides the security of its data centres into four layers:
Perimeter
Security guards, fencing, security camera feeds, and intrusion detection. Access is granted only to authorised people, is highly controlled and monitored, and is overseen at a global level.
Infrastructure
The building and the systems that keep it running — back-up power, HVAC and fire suppression — all highly monitored, maintained only by authorised staff.
Data
The most critical layer, holding customer data. Physical and technological access is restricted with separation of privilege, threat detection, surveillance and external audits throughout the year.
Environmental
How sites are selected, built and maintained to mitigate risk from extreme weather and natural disasters, with sensors, response equipment and regular drills.
Each AWS region is a separate geographic area with multiple Availability Zones — isolated locations with their own data centres — giving you the most reliable access to your OpenCRM system. All controls are subject to regular review and monitoring, with contingency measures in place so you can keep doing business no matter what.
Keeping security in our sights
In addition to data-centre and system-access measures, we have a number of policies in place to protect your system and the data within it — modelled on those used by banks.
- A strict retention policy for any ‘client data’ you send us for upload.
- A full ticket history of work carried out, including comprehensive versioning of core application code and bespoke development.
- Telephone communication protocols with each customer, so only authorised contacts can request amendments, user access changes or development.
- A clean desk policy for all employees.
- A robust policy on printed data and its authorised destruction.
A CRM with muscle
We also have a number of additional technical security measures in place to protect all OpenCRM systems.
- 256-bit AES encryption over SSL/TLS — the same standard used for internet banking and large financial services transactions.
- Automated DDoS protection, with all customer networks segregated using a private VLAN.
- Rules to stop brute-force username and password attacks, including limits on failed attempts.
- Automatic log-out after inactivity — a period your admins can set to fit how you work — plus an audit trail of important functions.
- A strict ‘authorised administrator’ policy — any account unlocking or security change must be authorised by a known OpenCRM system administrator.
- Saturation monitoring on network links with automatic alerts, third-party enterprise monitoring tools, and Host-Based Intrusion Detection for log monitoring, policy enforcement and alerting.
Security in the cloud
We work very hard to keep OpenCRM secure. Here are some extra steps you can take as an administrator to protect your system and the data within it:
- IP Whitelist — specify a global whitelist of allowed IP addresses, or a per-user whitelist for specific credentials.
- IP Blacklist — restrict access and bounce attempts from a restricted IP to a predefined page.
- Set data access rules that determine what data can be accessed, and by which users.
- No one accesses your system unless you invite them — remove users any time, in real time, with immediate effect.
Password policy
Users must choose a password to access OpenCRM, and administrators can specify the policy you wish to enforce:
- Non-dictionary words, minimum password length, and forced mixed alphanumeric and mixed case.
- Multi-Factor Authentication for all user accounts, plus automatic log-out of inactive users.
We will never email you or ask you on the telephone for your password — so never divulge it to anyone.
It’s also best practice to create a company-wide security policy covering what employees can access, what they may do with data and company assets, what to do in the event of loss or breach, and how the policy is enforced. Keep your operating system and browser up to date, choose a secure browser, apply caution with any AI browsers or agents that access your systems, and always log in only at https://yourcompanyname.opencrm.co.uk.
Safer than in-house — here’s why
Some people worry that cloud-based software can’t possibly be safer than software they host in-house or install on their computer. But it can — and is:
- Your data isn’t stored on your computer, so if the computer is lost or stolen, no one can reach your data without valid login credentials that satisfy the rigorous access policies in place.
- Online applications can be far more secure than emailing data or handing out discs and USB memory sticks.
- We give you peace of mind with nightly, weekly and monthly snapshots of your data.
With all these procedures and measures in place — within OpenCRM and at the data centres — along with all the options at your fingertips to control your own system security, you can be sure that your data is safe and secure.
Have a question about security?
Talk to our UK-based team — we’re happy to walk you through any of it.