Security Policy

Last Updated: 1st November 2024

1. Data Encryption

We use industry-standard encryption to protect your data:

• Data in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS). This ensures that your information cannot be intercepted or read by unauthorized parties during transmission. You can verify this by checking for the padlock icon in your browser's address bar.
• Data at Rest: Sensitive data stored on our servers is encrypted using industry-standard encryption algorithms. This includes your personal information, funeral preferences, and account credentials.
• Password Security: Your passwords are never stored in plain text. We use industry-standard hashing algorithms to securely store password information, making it virtually impossible to recover your original password even if our database were compromised.

2. Secure Data Storage

Your data is stored securely in the European Union (EU), ensuring compliance with GDPR and UK data protection regulations:

• Geographic Location: All primary data storage is located within the EU, providing you with the highest level of data protection under European regulations.
• Data Centers: Our data is stored in secure, professionally managed data centers that meet industry standards for physical security, environmental controls, and redundancy.
• Backup Systems: Encrypted backups are performed to ensure data availability and recovery in the event of system failures.

3. Access Controls and Authentication

We implement multiple layers of access control to protect your account:

• User Authentication: Access to your account requires a valid email address and a strong password. We enforce password complexity requirements to ensure your account security.
• Session Management: User sessions are managed securely with automatic timeout after periods of inactivity. Session tokens are encrypted and cannot be easily replicated.
• Access Restrictions: Only you and your designated Goodbye Guardians can access your information. Our system enforces strict access controls to prevent unauthorized access.
• Account Protection: We implement measures to protect against unauthorized access attempts, including monitoring for suspicious login activity.

4. Network Security

We protect our infrastructure with comprehensive network security measures:

• HTTPS/SSL: All connections to our website are secured using HTTPS (Hypertext Transfer Protocol Secure) with valid SSL/TLS certificates. You can verify this by checking for the padlock icon in your browser's address bar.
• Firewall Protection: Our servers are protected by firewalls that monitor and control incoming and outgoing network traffic, blocking unauthorized access attempts.
• Service Availability: We work with our hosting providers to maintain service availability and protect against common threats.
• Security Updates: We maintain our systems with security updates to protect against known vulnerabilities.

5. Application Security

We follow security best practices in our application development and deployment:

• Secure Coding Practices: Our development team follows secure coding guidelines to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and other security risks.
• Input Validation: All user inputs are validated and sanitized to prevent malicious data from entering our systems.
• Security Reviews: We conduct security reviews and assessments of our application and infrastructure as needed.
• Third-Party Security: We carefully vet and monitor third-party services and libraries used in our application to ensure they meet our security standards.

6. Physical Security

While we use cloud-based infrastructure managed by professional hosting providers, we ensure that:

• Data Center Security: Our hosting providers maintain physical security measures including 24/7 monitoring, access controls, and environmental protections at their data centers.
• Access Controls: Physical access to servers is restricted to authorized personnel only, with comprehensive logging and monitoring.

7. Monitoring and Incident Response

We actively monitor our systems for security threats and have procedures in place to respond to incidents:

• Security Monitoring: We continuously monitor our systems for suspicious activity, unauthorized access attempts, and potential security threats.
• Incident Response Plan: We have established procedures for responding to security incidents, including containment, investigation, and remediation.
• Breach Notification: In the event of a data breach that affects your personal information, we will notify you and relevant authorities in accordance with GDPR and UK data protection regulations, typically within 72 hours of becoming aware of the breach.
• Logging and Auditing: We maintain comprehensive logs of system access and user activities for security auditing and incident investigation purposes.

8. Third-Party Services and Vendors

We work with trusted third-party service providers and ensure they meet our security standards:

• Vendor Assessment: We assess the security practices of third-party vendors before engaging their services.
• Data Processing Agreements: We have appropriate agreements in place with third-party processors to ensure they handle your data securely and in compliance with data protection regulations.
• Limited Data Sharing: We only share data with third parties when necessary for service provision, and we limit the data shared to what is strictly required.

9. User Responsibilities

While we implement comprehensive security measures, you also play an important role in protecting your account:

• Strong Passwords: Choose a strong, unique password for your Goodbye Guide account. Avoid using passwords you use for other services.
• Account Security: Do not share your account credentials with anyone. Goodbye Guardians do not need your password to access your wishes when the time comes.
• Secure Devices: Ensure the devices you use to access Goodbye Guide are secure, up-to-date, and protected with appropriate security software.
• Recognize Phishing: Be cautious of emails or messages claiming to be from Goodbye Guide. We will never ask you to provide your password via email or text message.
• Report Suspicious Activity: If you notice any suspicious activity on your account or believe your account may have been compromised, contact us immediately at support@goodbyeguide.com.

10. Compliance and Certifications

We are committed to maintaining compliance with relevant security and data protection standards:

• GDPR Compliance: We comply with the General Data Protection Regulation (GDPR) and UK data protection laws, ensuring your rights are protected.
• Data Protection Impact Assessments: We conduct assessments to identify and mitigate privacy and security risks in our systems and processes.
• Regular Reviews: We regularly review and update our security practices to align with industry best practices and evolving threats.

11. Security Updates and Improvements

Security is an ongoing process, and we continuously work to improve our security measures:

• Regular Updates: We regularly update our security policies and practices based on emerging threats and industry best practices.
• Security Training: Our team receives ongoing training on security best practices and threat awareness.
• Technology Upgrades: We invest in security technologies and tools to enhance our protection capabilities.

12. Reporting Security Issues

If you discover a security vulnerability or have concerns about our security practices, we encourage you to report it:

• Email: support@goodbyeguide.com
• Subject Line: Please use "Security Concern" or "Security Vulnerability" in your subject line
• Response Time: We will acknowledge your report within 48 hours and work to address any legitimate security concerns promptly.

Important: Please do not attempt to exploit any vulnerabilities you discover. We appreciate responsible disclosure and will work with you to address security issues appropriately.

13. Contact Us

If you have questions about our security practices or this Security Policy, please contact us:

• Email: support@goodbyeguide.com
• Mail: Goodbye Guide, Unit 146614, PO Box 7169, Poole, BH15 9EL