All operational data within the SCR system is encrypted both at rest and in transit using industry-standard techniques. Encryption in transit is handled by the secure transport protocol, and the database platform manages encryption at rest using keys that we provide; these keys are subject to the same security controls detailed below.
Personal information stored within the profiles in the application is subject to a second layer of encryption that includes the organisation as a context. No user of the SCR software can decrypt profile data unless they are explicitly a member of the organisation and have been granted permission to do so.
Staff members at SCR are unable to access this data without explicit permission being granted in a support session; whenever a support session is active, you will be notified within the application. Even technical staff with access to the database for operational reasons cannot access this data.
Keys are managed in the AWS cloud using hardware security modules. This enables us to guarantee that no member of staff from SCR or AWS would ever be able to retrieve plaintext keys from the service. It follows that any access to the service to decrypt profile data is fully tracked and an audit record is kept. Security and quality controls in AWS Key Management Service have been validated and certified by the following compliance schemes:
AWS Service Organisation Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact (https://aws.amazon.com/artifact/).