Privacy Statement | Bcerta
Protecting your personal details - Data Protection Registration No: Z2017535
Last updated: February 2010
We are extremely concerned to protect your privacy and confidentiality. We understand that all users of our site are quite rightly concerned to know that their data will not be used for any purpose unintended by them, and will not fall into the hands of a third party. Our policy is both specific and strict. If you think our policy falls short of your expectations or that we are failing to abide by our policy, do please tell us.
Information may be unlawfully available to hackers and snoopers. We take no responsibility for this. The risk is no different from a similar risk in a bricks and mortar establishment. Except as set out below, we do not share, or sell, or disclose to a third party, any personally identifiable information collected at this site.
Here is a list of the information we collect, and why it is necessary to collect it:
Basic identification and contact information, such as your name and contact details.
This information is used:
- to provide you with the services which you request
- to maintain our accounts
- for billing
- to enable us to answer your enquiries
- for verifying your identity for security purposes
- for marketing our services and products
- to help make our web site as useful to you as possible
- information which does not identify any individual may be used in a general way by us or third parties, to provide class information, for example relating to demographics or usage of a particular page or service.
Your domain name and e-mail address
Your IP address, as recognised by our servers, and the pages that you visit are recorded. This information is used:
- in a collective way not referable to any particular individual, for the purpose of quality control and improvement of our site;
- to send you news about the services to which you have signed up;
- to tell you about other of our services.
Note: your Internet browser may produce a warning message. This is automatic and does not reflect on the high level of security built into our system.
Information volunteered by you
This is information you give us for a particular purpose, for example a personal profile, survey, job application form, or contest. This information will be used exclusively for the purpose for which you have provided it. Information is disclosed to third parties only where the third party concerned qualifies in whatever way the web site page requires.
Affiliate information
This is information given to us in the course of your business and ours as you have applied to join our affiliate scheme. Such information is retained for business use only. We undertake to preserve the confidentiality of the information and of the terms of our relationship. This information is used:
- to maintain our accounts and affiliate records;
- for billing;
- to enable us to answer your enquiries;
- for verifying your identity for security purposes;
- to send you news about the services to which you have signed up;
- to tell you about other services we provide.
Business information
This is information given to us in the course of your business and ours, such as in relation to your application to partner with us or advertise with us. Such information is retained for business use only. We undertake to preserve the confidentiality of the information and of the terms of our relationship. It is not used for any other purpose. We expect you and any partner to reciprocate this policy.
Disclosure to government and its agencies
We are subject to the law like everyone else. We may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.
Information request
At any time you may review or update the personally identifiable information that we hold about you, by contacting us at the address below. To better safeguard your information, we will also take reasonable steps to verify your identity before granting access or making corrections to your information.
This confidentiality policy has been compiled so as to comply with current UK, US and EU legislation, so far as we are aware. If you have any question regarding the confidentiality policy, please contact us at:
Bcerta
134-138 West Regent Street
Glasgow
Renfrewshire
G2 2RQ
Tel: +44 (0) 141 243 2592
Email: info@bcerta.com
PerfectForms™ Application Security
The systems architecture of PerfectForms™ has been designed with optimal security built in from the ground up. All communications channels have been encrypted using SSL (Secure Sockets Layer), effectively preventing replay attacks. All user input is white list validated, which prevents SQL injection even in cases of escaped alternate encodings like Unicode. During communication between client and server, our application uses an HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) session with 128-bit encryption.
Adding more security to PerfectForms™ SSL is the use of custom keys. All user sessions have a custom key for each request and PerfectForms™ sends a unique response key for each request. Each generated key is used only once in order to guard against automated load attacks.
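As an added illustration (not PerfectForms' own code, whose implementation the page does not show), the Python below demonstrates what allowlist validation that survives alternate encodings looks like: input is Unicode-normalised (NFKC) before it is matched against the permitted pattern, so a fullwidth quote that slips past a naive denylist is still rejected, and the query is parameterised as a second layer of defence. The field name, pattern and customer table are constructed assumptions for the example.

```python
import re
import sqlite3
import unicodedata

# Constructed example field: a "customer reference" that may only contain
# ASCII letters, digits and hyphens, 3 to 20 characters. Anything else is rejected.
REF_PATTERN = re.compile(r"^[A-Za-z0-9-]{3,20}$")


def normalize(value: str) -> str:
    """Fold compatibility and fullwidth forms (e.g. U+FF07 fullwidth apostrophe)
    into their canonical equivalents before any validation decision is made."""
    return unicodedata.normalize("NFKC", value)


def is_valid_ref(value: str) -> bool:
    """Allowlist check: only what the pattern explicitly permits passes."""
    return REF_PATTERN.fullmatch(normalize(value)) is not None


def denylist_looks_safe(value: str) -> bool:
    """Naive denylist that only searches for an ASCII quote, shown for contrast:
    it passes a fullwidth quote that NFKC would turn into a real apostrophe."""
    return "'" not in value


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table used by lookup_customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (ref TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("ABC-123", "Alice"), ("XYZ-9", "Bob")],
    )
    return conn


def lookup_customer(conn: sqlite3.Connection, ref: str):
    """Validate with the allowlist, then query with a bound parameter so the
    value can never be interpreted as SQL even if validation were loosened."""
    clean = normalize(ref)
    if REF_PATTERN.fullmatch(clean) is None:
        raise ValueError("rejected by allowlist")
    return conn.execute("SELECT name FROM customers WHERE ref = ?", (clean,)).fetchone()
```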
Because systems are only as secure as their weakest link, real product security is achieved by implementing processes around product development and deployment, and a culture of security is important to maintaining security over time. At PerfectForms™, we understand that security is an ongoing process and we have taken steps to ensure that it is a core competency of our company. We have periodic developer training on security best practices.
We adhere to rigorous certification processes to maintain this standard. All code undergoes a peer review process, which can reveal simple and complex security assumptions. Our entire code base undergoes continuous testing and daily automated testing using multiple simulated user environments and network organisations. This approach catches potential timing, processor speed, memory and network related vulnerabilities. In addition, our code undergoes third party static analysis nightly which can reveal a host of potential security vulnerabilities including buffer overflows, user input validation or memory management issues. Our sub-system and deployment architectures undergo periodic review by an internal panel of experts. Finally, we employ a lightweight, rapid development process that allows us to quickly detect, correct and deploy fixes for any software vulnerabilities.
The PerfectForms™ Web servers are protected via firewall. This prevents compromise through management channels, as only ports 80, 443 and 1935 are open to TCP communication. The Web servers are updated whenever a patch is available and a roll back mechanism is in place to make sure any bad patches can be quickly reverted. The Web servers are also behind a load balancer, meaning servers are rotated in and out of service as needed, ensuring continuous service even during maintenance. In addition, load balancing allows any server with unusual behaviour to be isolated rapidly and removed from service.
Backend servers are further isolated from the internet and will only respond to requests from known, authenticated, internal web servers. This includes mail servers, SQL servers and the Flash media servers. These servers are not directly accessible and are also protected by firewall and load balancing.
Any Web application which results in the generation of e-mail will be attacked by spammers looking for an open mail relay. PerfectForms™ has been designed to prevent compromise of the mail server. The mail server is protected by a firewall that blocks all incoming requests to the mail server. The firewall only allows outbound mail and the mail server only accepts authenticated mail requests from firewall protected, internal Web servers. These mail requests must have the right credentials and type of data to be accepted. Mass mail requests – both emails with too many destinations and emails repeated with only “To:” address changed – can be blocked and will not propagate.
Finally, the database is further isolated from direct external visibility. It is only accessible via a secure, private channel within the network and from known, specified systems (Web servers). Packets from all other hosts are dropped by the firewall before they even reach the database. This helps prevent side channel attacks because the databases are only accessible to the SQL server via direct, known channels. The client data on the forms database is held in a protected, masked format that cannot be read by the human eye.
PerfectForms™ utilises industry best practices to help ensure the security of its clients is not compromised. PerfectForms™ has been designed to eliminate many threats and limit exposure to other threats. While no useful Web product can ever be assumed “100% secure”, PerfectForms™ strikes a strong balance, offering an easy-to-use product that protects its users from detectable vulnerabilities.