Business and public service agencies worldwide rely on Maytech to share confidential data in mission critical workflows. This page outlines Maytech’s security and compliance environment.
In Transit: TLS 1.2 with strict transport security. HTTPS and SFTP. There is also a unique user-friendly PGP encryption feature which offers advanced security for highly confidential data.
At Rest: data is protected with AES-256 bit encryption.
Residency: service can be provisioned at a data centre location of your choice ensuring compliance with local and international data regulations. On sign up, simply select a service hub from the option list and your data will be stored at that location. Learn details of available locations here.
Retention: we do not keep persistent backups of customer data, nor is data ever replicated outside the chosen data centre.
Backup: Maytech services are backed up every hour on the hour locally at your chosen data centre.
Customer Access: access to Maytech servers is restricted to the supported protocols; we do not offer access over SSH or telnet. All sessions are automatically terminated after 15 minutes of inactivity.
Test and Support Access: where support staff need to access customer accounts in response to customer support tickets, temporary access is granted by support management with a one-time authentication token. Access is limited to file system navigation and does not include rights to read or download files.
Central administrative controls cover user provisioning and access rights, with a full audit trail. Each user is jailed to their home folder, with no visibility outside it unless specifically granted.
Firewall and Intrusion Detection: Maytech networks are protected by stateful packet inspection firewalls. All ports, other than those required for the provision of service, are closed. We operate intrusion detection (SNORT). An attempt to gain unauthorised access results in a lockout of the offending IP address on the firewall.
Monitoring: the service is monitored by over 100 monitoring daemons continuously probing for fault conditions at levels ranging from basic hardware health to emulated file transactions. Ports are monitored for suspicious activity such as password scams or DoS attacks.
Security Patching: governed by ISMS OP 29 Security and Patching Policy, critical security patches are installed when they become available. Non-critical patches are typically installed within two working weeks of their release.
Virus Scanning: all uploaded files are scanned using ClamAV.
Penetration Testing: annual penetration tests are conducted by a CREST member company and a National Cyber Security Centre (NCSC) CHECK scheme “Green Light” subscriber authorised to conduct testing on government systems under the terms of the CHECK scheme.
Vulnerability Scanning: daily vulnerability scanning and weekly PCI-DSS conformance scanning using McAfee Secure.
Maytech Information Security
Maytech’s Information Security Management System (ISMS) is ISO 27001:2013 certified and audited twice yearly by Lloyd’s Register Quality Assurance, one of the leading global business assurance providers.
Scope of Applicability: information security relating to the design, development, support and provisioning of Maytech’s SaaS hosted service.
Statement of Applicability
There are 114 controls in 14 clauses and 35 control categories in ISO 27001:2013. Our statement of applicability, available on request, details the controls specified in ISO 27001:2013 and cross-references each to the document within the Information Security Management System which implements the requirements of that control.
SOC 1 and SOC 2 Compliance
Maytech do not offer SOC 1 or SOC 2 reports. Our information security management systems are instead ISO 27001 certified. The criteria/controls required by the two standards were developed to mitigate similar risks and there is considerable overlap in the criteria defined in the Trust Service Principles of SOC 2 and the controls defined in Annex A of ISO 27001.
Both standards provide independent assurance that the necessary controls are in place and whereas ISO 27001 is an international standard, SOC 2 is created and governed by the American Institute of Certified Public Accountants, AICPA.
Product Compliance
PCI-DSS: your site will pass a PCI penetration test. As a PCI-DSS compliant hosting provider we run daily scanning for over 40,000 vulnerabilities and weekly PCI scans using McAfee, an Approved Scanning Vendor (ASV), ensuring potential risks are identified in a timely manner. Our PCI-DSS SAQ (level D) and Attestation of Compliance are available on request.
HIPAA: our products are compliant with the Health Insurance Portability and Accountability Act (HIPAA), US legislation providing data privacy and security provisions for safeguarding medical information.
General Data Protection Regulation (GDPR): while Maytech does not view, use or access your data, if Personally Identifiable Information (PII) is to be stored on our systems we are classed as a Data Processor. Maytech provide a Data Processing Agreement which we will both sign to confirm that appropriate controls and systems are in place for the relevant data processing activities we undertake on your behalf. This demonstrates that you have carried out your obligations under GDPR in relation to the secure storage and transfer of your sensitive PII data.
Public Sector File Sharing: Maytech services are suitable for UK public sector customers with data sensitivity levels up to OFFICIAL and including OFFICIAL SENSITIVE. These categories represent up to 85% of data created or processed by the UK public sector.