In a world with ever-increasing cyber threats, established protocols for data protection and continuous operations are paramount to retaining customer confidence. At Winshuttle we live by our core values to provide superior products and services to our customers. Our customers’ success is our success, and we align our company to ensure we deliver it. To this end, we have drawn on established best practices and industry compliance certifications to develop a world-class data security program, one that benefits our own internal operations while providing our valued clients with peace of mind.
Below, you’ll learn more about the systems, controls, and processes Winshuttle is using to ensure exceptional data security and privacy.
Secure cloud computing
Many of our development, testing, and production environments, as well as our supporting infrastructure, live within Microsoft’s Azure cloud computing environment. Microsoft and Winshuttle data centers are geographically disparate and equipped with climate-controlled independent cooling systems, uninterruptible power supply (UPS) and fire suppression to provide the highest level of availability and resiliency. Physical access to sensitive areas is protected with video surveillance and dual-authentication barriers, including biometric scanners. More information about Microsoft Azure’s security compliance can be found at https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001.
Critical systems sit behind multiple levels of protection using leading commercial security solutions, including redundant antivirus/antimalware and file integrity monitoring hardware. Layered technologies, such as web application firewalls (WAF), intrusion detection/prevention systems, and network load balancers, work together to combat modern Denial of Service (DoS) and brute-force attacks.
Customer data stored in our Connect Cloud Service platform is assigned unique key identifiers, logically separated, and securely stored in our data warehouse to ensure information is always kept confidential and isolated. Winshuttle does not store, manage, or have access to customer data within our Studio or Foundation service offerings.
Secure transfer and storage
Confidential information resides in data stores within our secure facility, as well as our trusted cloud service partners, and is protected using a variety of industry-standard access controls and best practices. External web services use strong 2048-bit Transport Layer Security (TLS) keys to encrypt data transmissions.
Winshuttle conducts regular vulnerability and remediation scanning across our in-scope networks and systems. We collaborate with trusted third parties to perform annual vulnerability testing, confirming that our network perimeter and critical defense systems are always functional and optimized against the latest threats.
Our critical production infrastructure is tuned to provide early warning alerts in response to indications of performance issues and potential security incidents. We monitor our critical system environment using aggregated security event logging and detection/prevention intelligence to minimize any impact on availability and thwart unauthorized access.
Software development lifecycle
Winshuttle’s Agile software development methodology uses a progressive DevOps model to enhance speed without sacrificing quality. Our development lifecycle includes rigorous security/privacy-by-design requirements, peer review checks, static code analysis, and information security governance. Furthermore, our developers are trained in secure coding best practices leveraging the OWASP Top 10 application threat model.
Compliance & certification
The entirety of our information security program and infrastructure design is aligned with industry standards regarding security and risk management best practices. These practices include annual data security training, security incident management, change and configuration management, and exercising the principle of least privilege for access control.
Winshuttle has achieved the coveted ISO 27001:2013 certification for our Connect Cloud Service offering, following an audit performed by accredited, independent third-party auditors. This audit ensures that the source organization has designed and implemented a formal information security management system for a given solution, applying a baseline of compliance and management controls and security, availability, data protection, and privacy objectives. Our audit report is available to current and potential customers, and our current certification status can be validated by clicking the certification image below.