Server Security & Privacy
At Little Fire Digital we take privacy and data security seriously. All of our clients' data is stored on secure, up-to-date servers. The software on which the servers run is regularly updated and access to any software other than those specifically required to provide website services (principally serving websites and email) is prohibited except from specified physical locations and to specific trained personnel. Client data is not stored on off-site devices.
The Little Fire offices are independently alarmed and secured behind multiple insurance grade doors. The estate on which they are located are highly secure being alarmed and continuously monitored by CCTV.
To prevent inappropriate access to our servers and the data stored thereon, Little Fire Digital implement the following:
- Little Fire Digital will only host and maintain websites on servers which they lease directly from UK-based tier 1 data centres - details of the physical data-centre security are available on request.
- For ease of management and optimum security, all our servers are maintained within a single VLAN (Virtual Local Area Network). Beyond the essential services and ports required to host a website (serving websites and email services), all access to the servers is denied by firewall to all but a specified set of IP addresses (physical locations), authorised staff members' home addresses and certain specific client processes.
- Networks within the Little Fire Digital office are secured by industry-standard firewalls and security systems.
- We run software to maintain the security status of all of our servers.
Little Fire Digital maintain two classes of server:
- PCI Compliant Servers – High specification cloud servers tested weekly against current PCI (Payment Card Industry) standards - where evolving standards result in failure an alert is raised and technicians or Little Fire developers are immediately tasked with whatever measures are required to regain PCI compliance. Little Fire PCI servers are maintained on a continuous server management contract, ensuring that the underlying server software is of an appropriately secure and stable configuration. Regardless of whether or not a website collects identifiable user data, all sites hosted by Little Fire Digital run exclusively behind an SSL (Secure Socket Layer) and the encrypted https:// protocol it supports.
Where user data is stored by our clients, we require their data to be kept on these, most secure servers. These are monitored and tested weekly to ensure they meet Payment Card Industry standards of security. All recommendations made by Comodo in the processes of completing these scans are implemented immediately.
- Standard Servers – All our servers are kept up to date with the current, stable-versions of control panel software. Alerts within the software itself notify Little Fire staff of the availability of appropriate updates.
In the case of a serious vulnerability within the server system software (e.g. the Heartbleed vulnerability) patches are applied typically within a week of our providers becoming aware of it.
We attempt to hold the smallest amount of data possible. We store no credit card data. We share user data both about our clients and that owned by our clients with no one.
New websites are developed offline with dummy user accounts.
We do not keep offline copies of real user data except in cases where active development or specific troubleshooting requires it. Where, for whatever reason, development or troubleshooting is not possible using the developer database, a copy of the live database, including the personal data contained thereon will be downloaded, installed on the developer machine and used as the working database for the duration of the development only. It is contrary to company policy to maintain copies of live databases offline.
All data on our servers is automatically backed up on a daily basis. Data in the back up is maintained for 30 days, after which it is automatically deleted.