Close search

DATA PROTECTION

As part of our continued campaigning to make our support services more readily accessible to you, we are now working with Calendly to bring you an online booking system that enables you to book appointments with an experienced BSU Adviser. 

During the process of you booking an appointment, we ask you to provide us with contact information so that our Support Team can follow up your appointment. This includes: E-mail address, Name, and SMS Number if you wish to be contacted via text. 

We do not store this information once your appointment is complete,

To read more about Brighton Students' Unions Data Protection Policy, click here.

 

How are Calendly protecting your data?

  • We’re hosted on Amazon Web Services and Heroku

Calendly uses Heroku, the cloud application platform, to operate and deploy our software. Heroku is hosted and managed in Amazon’s secure data centers using Amazon Web Service (AWS) technology. To ensure compliance with industry best practices, Amazon’s data centers are accredited to conform to these industry standards:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • PCI Level 1

  • FISMA Moderate

  • Sarbanes-Oxley (SOX) 

For additional information see:
https://aws.amazon.com/security/
https://www.heroku.com/policy/security 

 

  • We keep our systems up-to-date

Calendly uses the latest security patches to keep our systems secure. We use compliance best practices to manage vulnerabilities and monitor security mailing lists to track the latest threats. We automatically scan our code to identify potential vulnerable dependencies.

To isolate processes, memory, and the file system we run our processes in Linux containers (LXC) and use host-based firewalls to prevent applications from establishing local network connections. To further limit potential risks, we configure our services with tight network security constraints. AWS and Heroku regularly conduct internal vulnerability assessments and update underlying systems. Learn more about Heroku

 

  • We encrypt all data

Calendly encrypts at rest all connections from your browser using TLS SHA-256 with RSA encryption. We store user passwords as salted hashes.

 

  • We respond promptly to incidents

We monitor external services and open source libraries for security issues. To ensure we’re promptly notified of data breaches, we sign Data Processing Addendums (DPA) agreement with our vendors.

We use automated tools to continuously scan for service interruptions, performance degradation, and security vulnerabilities and alert our engineers as incidents are detected. Our team determines which systems are involved and quickly contain issues by disconnecting impacted systems and devices. Because all of our services run in containers to isolate processes, memory, and the file system, we often replace impacted systems entirety to inhibit further escalation.

If we find that data is impacted by an incident, we restore that data from a clean backup to ensure that no vulnerabilities remain. For added protection, we store secondary backups in Google Cloud and monitor systems to look for recurrences. We patch ephemeral services and redeploy them to eliminate any chance of malware persistence.

 

  • We test all releases

To ensure system availability and provide the best experience, we review and test all updates to Calendly. For each change, we perform unit, integration, and end-to-end tests, then tests changes on our continuous integration server. Our quality assurance team evaluates and manually tests functions expected to be impacted by a change to ensure they're not negatively impacted (regression test).

After we release a change, we continue to monitor and log exceptions and schedule them for resolution. We use several monitoring services to monitor any impact to performance from changes.

 

  • We ensure our employees to help secure your data

We conduct pre-employment checks on new Calendly employees and require that they sign a confidentiality agreement. During onboarding and on a recurring basis thereafter, we train employees on company policies, security, privacy, and compliance to ensure they all know how to properly use and protect your data.

To ensure that each device follows our information security standards, including encryption, we secure our employees computers using mobile device management. Our employees’ equipment is defended by anti-malware software, and we run routine phishing tests to further educate and train employees.