Data Security and Compliance


Data Security and Compliance

Engineered for the Enterprise

Elements has been built from the ground up with the security and integrity of your data as paramount. We use industry best practice to deliver a software and security infrastructure that provides an extremely scalable, and highly reliable platform for our customers.

Data Centre Compliance

We use the industry leading Amazon Web Services (AWS) data centres, which are considered to be the world’s best by industry analyst firm Forrester. They provide a broad set of capabilities in terms of data center security, network security, and a significant number of certifications. This level of data center and operational security allows us to be compliant with many of the most stringent industry standards.

We also comply with the US & EU Safe Harbor Frameworks for protecting the privacy of data flowing from the EU to the United States, as set forth by the US Department of Commerce.

We comply with the US & EU Safe Harbor Frameworks for protecting the privacy of data flowing from the EU to the United States, as set forth by the US Department of Commerce. In providing our Service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers, and in fact we are largely unaware of what information is being stored on our platform and only access such information as authorized by our customers or as required by law.

Only you or your customers are entitled to access, retrieve and direct the use of such information. As such, we are only the “data processors” and not the “data controllers” of the information on our platform for purposes of the EU Directive on Data Protection (Directive 95/46/EC).

To learn more about the Safe Harbor program

.      data security-2 Our datacenter partner Amazon publishes a Service Organization Controls 1 (SOC 1), Type II report. The SOC 1 Type II report covers controls in place at a Service Organization intended to meet the needs of the user entity. The type II report additionally includes an auditors overview of the operating effectiveness of the controls in place to achieve the control objectives.
data security-1 In addition to the SOC 1 report, Amazon publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations.
data security-3 You can also review the Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a public summary of Amazon’s SOC 2 report.
data security-4 ISO 9001:2008 is the international standard for Quality Management Systems (QMS), published by ISO (the International Organization for Standardization). AWS has undergone a systematic, independent examination of their quality system to determine whether the activities and activity outputs comply with ISO 9001 requirements.
data security-5


ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. In order to maintain this certification, a company must demonstrate that it has systematic policies in place to maintain an on-going approach of managing information security risks that affect the confidentiality and availability of customer information. The AWS ISO 27001 certification verifies that they have these systematic policies in place

Penetration and Vulnerability Testing

We take data security very seriously and proactively monitor and test the network, data center infrastructure, and application. The IT operations team constantly monitor the AWS environment using cloudwatch alarms and the DevOps team monitor the application performance and behaviour using a range of monitoring tools.

We undergo monthly (or more often if a system configuration change has occurred), network perimeter and web application vulnerability scanning using leading third party providers. The scans are designed to pre-emptively notify us of any potential vulnerabilities.

Customer penetration and vulnerability testing

If a customer wishes to do their own penetration test and security vulnerability scan this can be requested. A specific fee will be charged for this service. Since penetration tests are often indistinguishable from network attacks, all customer-initiated tests must have permission requested and granted in writing by our technical staff prior to being run.

  • Was this article helpful ?