IntegraCall® security and privacy
Data centre and network security
We ensure the confidentiality and integrity of your data with industry best practice. Our servers are hosted by Amazon Web Services (AWS). AWS complies with ISO 27001 and the data protection acts of many countries (including the EU Data Protection Directive). See https://aws.amazon.com/compliance/.
AWS has built its data centre and network architecture to meet the requirements of the most security-sensitive organisations. Your data is encrypted in transit with Transport Layer Security across all services.
We follow secure development practices and test against security threats to keep our client data safe.
Our development and test environments are separated from the production environment. No actual client data is used in the development or test environment.
We employ third-party tools for dynamic scanning against the OWASP Top Ten security flaws prior to each software and patch release.
In addition to the scanning program, we run penetration testing by qualified security experts on major releases.
We use the test results to work with engineering teams to remediate any discovered issues.
Product security features
All communications with Case Manager servers are encrypted using industry-standard HTTPS over public networks, meaning all traffic between you and the Case Manager servers is secure.
Anonymous communication between the whistleblower and the investigator is securely transmitted and encrypted. This includes communication via the IntegraCall® mobile application, web reporting portal and Case Manager.
Whistleblowers and investigators can safely upload files to Case Manager or via the IntegraCall® mobile app, and files are stored securely on the AWS servers.
Access to Case Manager data is governed by access rights and roles with system-level and case-level control, meaning users cannot see cases unless they have been given specific access.
We protect your confidential data as if it were our own data.
General privacy practice
You may give your personal information for investigation purposes when you report an incident via the IntegraCall® hotline, web reporting portal or ComplianceDesktop®. Any personal information related to the case will only be shared with your company’s internal or external investigator on a need-to-know basis.
Access to client data, including personal data, is allowed only by authorised personnel. This is strictly controlled under identity and access-management policies, and is monitored in accordance with The Red Flag Group’s internal privileged user monitoring and auditing programme.
Download our security and data protection document here.