Our Data Security
When accessing our websites, your data is sent using HTTPS utilising GlobalSign SSL certificates.
We do NOT store your debit/credit card information at all in any form.
All our card payments are processed through Secure Trading https://www.securetrading.com. They are a PCI Service Provider Level 1 organisation – the most stringent certification level available in the payment industry.
Using Secure Trading means we do not need to store your payment card details. They are sent encrypted directly to Secure Trading, and we do not store them anywhere in any form.
You can read more about security at Secure Trading here:
All of our Direct Debit payments are processed through GoCardless https://gocardless.com. They are authorised by the Financial Conduct Authority (FCA) under the Payment Services Regulation 2009. Any information they store is stored using Military Grade RSA encryption, and they only communicate over secure channels. Any transactions conducted by the organisation are underwritten by Direct Debit Guarantees, meaning that if anything goes wrong you are entitled to an instant refund.
Much like with payment cards, using GoCardless means that Elite does not store your bank details, bar the last two digits of the account number (to assist you in identifying which bank account you are using). All passing of details to GoCardless is done using secure, encrypted channels. Further details about GoCardless and their security commitment can be found here: https://gocardless.com/security/
Your passwords are stored on our systems in a hashed format.
We hash your passwords using MD5, but that’s no reason not to create a strong password in the first instance, and we provide a “strength meter” on all our systems when you are creating new passwords to assist in this process.
Keeping your data secure
Keeping customer data safe is a huge responsibility and our top priority. We work hard to protect our customers’ data from the latest threats. This is not a one-time effort; it’s a continual process that we monitor and work on. Security and Privacy have always been by design and by default in all Elite solutions.
Security issues come to light through different means and activities, from articles in the technical press and discoveries during routine work through to our internal reviews and vulnerability scans.
How we deal with security issues
Without going into too much detail, below are the steps we will follow when we have confirmed the discovery of a security issue or breach.
STEP 1: CONTAINMENT AND RECOVERY
The purpose of this stage is to contain any breach, to limit the further damage as far as possible and to seek to recover any lost data.
STEP 2: RISK ASSESSMENT
The aim of this stage is to identify and assess the ongoing risks that may be associated with the breach. In particular, an assessment of:
- Potential adverse consequences for individuals
- Their likelihood, extent and seriousness
STEP 3: NOTIFICATION
Here, we need to consider the necessary notification of organisations, regulators and data subjects. Notifications should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions.
STEP 4: EVALUATION AND RESPONSE
Finally, we need to evaluate the effectiveness of Elite’s response to the breach, and to learn and apply any lessons.
Reporting security problems
Send all security concerns directly to us from the help centre that is found in your portal, or by using this link: https://helpdesk.elite.net.uk. We’ll get back to you as soon as we can, investigate and inform you every step of the way.
Elite uses the git revision control system. Changes to Elite’s code base go through a suite of automated tests and a round of manual review. When code changes pass the automated testing system, the changes are first published to a staging server. Here Elite developers are able to test changes before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Elite engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers; this is only done in the most extreme of cases.
In addition to a list where all access control changes are published, we have a host of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:
- Test our code for common exploits
- Use network scanning tools against our production servers