Logging in to Birdie is secured by a one-time authentication link.
We enable permission levels within the app to be set for your staff so that only carers who've been invited by you can access a client’s information. These are defaulted to the most secure permission levels and can only be enabled by an affirmative action by you.
We have uptime of 99.9% or higher.
Network and application security
Data Hosting and Storage
Birdie services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-2) in the UK.
Failover and DR
Birdie was built with disaster recovery in mind. All of our infrastructure and data are spread across 2 AWS availability zones and will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.
Database backups of Birdie’s production system are taken regularly and prior to any major upgrade or configuration change to Birdie’s production environment. These backups allow, in the event of a disaster, the creation of a replica environment within a minimal period of time. Backups are stored in a different AWS environment and region (eu-west-1).
Birdie uses multiple internal and 3rd-party tools for monitoring its production environment and protecting it against potential threats or errors:
An internal notification mechanism is in place to alert Birdie operations and support teams on different anomalies detected in production.
AWS analytics tool is configured to continuously monitor Birdie’s production environment status, including server availability, CPU, memory, disk space and other key metrics; the Cloud Monitoring tool also sends alerts to Birdie’s operations team based on preconfigured policies.
ELK is used for continuous log monitoring and archiving
New Relic is used for live production monitoring
Sentry is used for live production bug and regression tracking
An internal production monitoring dashboard aggregates information from Birdie’s multiple systems and provides Birdie operations personnel with a clear view of Birdie’s production environment status. Birdie also operates a support ticketing system allowing administrators and end-users to report any issues or errors they encounter while using Birdie’s web-based solution.
Permissions and Authentication
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.
All-access to personal confidential data on IT systems can be attributed to individuals and logged. The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see.
We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS to ensure access to cloud services are protected.
All data sent to or from Birdie is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs‘ tests. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Our dedicated infrastructure team is in charge of ensuring our platform is secure and available at all times. Once a year we engage third-party security experts to perform detailed penetration tests on the Birdie application and infrastructure (Last penetration test has been performed in November 2020 by KPMG).
24/7 Incident Response
We recognise that Birdie may be critical to the well-being of your customers and business. That's the reason why we have on-call engineers available at all times.
Birdie implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.
Additional Security features
All employees complete Security and Awareness training annually as part of the commitment to NHS DSP toolkit.
Our staff by whom the shared personal data is to be handled and processed are appropriately trained to do so in accordance with the Data Protection legislation.
Birdie has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
All employee contracts include a confidentiality agreement.
Data protection by design
Data protection by design and default is built into all the work we do at Birdie.
We don’t ask for or collect personal data unless it’s absolutely necessary. All of our systems are built to meet the latest regulations. To do so we follow ICO recommendations. We have a dedicated DPO to oversee and advise on our data management (email@example.com).
Where possible, we process anonymised data. For example, all data processed by the hardware data pipeline is anonymized. Data is consolidated at the application level.
Data Protection Impact Assessment (DPIA)
DPIAs are performed prior to any new project where data processing is “likely to result in a high risk to the rights and freedoms of data subjects”. We do this to make sure that we’re always in control of our risks and we have procedures in place to mitigate them. We are also on hand to support you with your DPIAs if needed.
We don’t use data without the consent of the individual
Birdie does not control the data inputted by your staff, but rather processes on your behalf. We do use tools (e.g. product analytics) to deliver our services to you and improve the product. If we provide additional services (e.g. hardware monitoring) we do ask for consent from the individual or his/her POA before collecting data as it may be used with our algorithms to deliver the service. If we use the data for research purposes it will be on an anonymised basis and we will communicate and get the necessary consent from the customer.
Data Sharing and Transfers
Like most companies, we use a number of third parties as part of our data processing, for example cloud services and technology services. We have a due diligence process with all our vendors and all sub processors of personal data have a Data Processing Agreement in place. Those DPAs are scrutinized by our DPO and must be approved by the senior leadership team prior to signing. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clause and associated due diligence.
We do not sell your data to anybody.
We have coordinated with our vendors
We’ve reviewed all our vendors, finding out about their GDPR position and signed Data Processing Agreements with them accordingly.
If you think you may have found a security vulnerability, please get in touch with our team at firstname.lastname@example.org.