Tensense Security Statement

Tensense.ai is committed to protecting its information assets to satisfy the company’s business objectives and meet the information security requirements of its customers while maintaining the safety of individuals and protecting their right to privacy. The Information Security Policy expresses the company’s intentions and commitment towards these goals.

This Statement complements Tensense’s Company Security Policy and provides a summary of the company’s internal security policies and procedures which constitute the security baseline that governs the company’s Software as a Service (SaaS) Platform. The Statement’s aim is to provide assurance to interested parties about the security of the SaaS applications, as well as the data contained within them.

If you have any questions or require specific detail about the points below, please contact us at info@tensense.ai.

Infrastructure security

Service infrastructure

The Tensense server is a configured ‘virtual’ machine providing cloud processing, built on physical devices which reside at IOmart’s Tier 2 Data Centre in Maidenhead, UK. Server configuration and backup are provided by Tensense’s trusted agent, Storm Internet.

Physical security

IOmart provides a secured Data Centre environment. This includes access control to the premises and to individual servers, provision of continuous power supply and atmosphere control.

Software Security

Server System patches and upgrades are carried out by Storm at the instruction of, and in liaison with, Tensense Technical support and in line with Tensense’s Security Practice.

Production data backups

Daily backups are taken and stored at Pulsant’s data centre in Maidenhead.

Data Centre Security Practices

IOmart, Pulsant and Storm continually review and revise their security practices in line with ISO 20071-2013 and with evolving threats to data security. We will update this statement to reflect any upgrade of certification to the revised ISO 20071-2022 guidelines published in October 2022.

Find more detailed information about Storm Internet here.

Find more information about IOmart here.

Find more information about Pulsant here.

Tensense System Security

Production System and Database access

Tensense restricts privileged access to databases to authorized users with a business need. Access to the Tensense Administration system is protected by two-factor authentication.

Access to the personalised Participant Survey Web App page is restricted to an individual, encrypted link sent to the Participant. This link expires at the end of the survey cycle.

Encryption key access restricted

Tensense restricts access to encryption keys to authorized users with a business need.

Network Protection

Tensense uses encrypted Dropbox storage for all company data. Tensense does not maintain any in-house network infrastructure. Tensense restricts privileged access to Dropbox to authorized users with a business need.

Access by Specific Device

Tensense does not restrict Production System access to specific devices as this would be at odds with the system’s business purpose.

However, development source code access is restricted to the specific set of devices in use by development staff at the current point in time.

Penetration testing

Defensive Security

Tensense has designed, and continues to maintain, best practice in security in our architecture and code in line with industry (OWASP) standards.

External Attack Penetration Testing

Tensense uses the Pentest Tools set of security scanning tools on a regular (minimum monthly) basis to ensure the deployed system is still protected against newly developed threats.

Insider Attack Penetration Testing

Tensense uses Pentest Tools ‘Authenticated’ scans to simulate authority escalation attempts from within the system. Tensense does not, as a matter of course, commission ‘expert’ manual pen-tests. However, we are happy to work with any client-appointed pen tester.

Client Data

Client Sensitive Data Protection

Tensense AI security policy prohibits customer data being stored outside the Tensense system. Tensense suggests that, should customers find it necessary or convenient to send sensitive information to Tensense, any file used for this purpose should be encrypted and password locked.

Log management

Tensense maintains a log of all user activity within the production system.

Data in Transit

All interaction with the Tensense system is encrypted using the SSL/TLS protocol.

Data at Rest

All stored system data is encrypted using kernel-level MS SQL Server services.

Data retention

As a ‘Data Processor’, Tensense retains personal data in line with customer requirements. Tensense reserves the right to retain general, anonymised, aggregated result information within the Tensense knowledgebase as this is required for product improvement.

GDPR Considerations

As a service provider, Tensense (and Data Centre Agents) is classed as a Data Processor.

Tensense has not appointed a named Data Protection Officer. This responsibility is held by Tensense AI’s Executive Board members and discharged through Tensense’s Customer Services department. Any enquiries should be first directed to info@tensense.ai.

Access to personal information is restricted to Tensense and Client system administrators.

Tensense does not transmit personal information outside the UK.

Access to Response information is restricted to Tensense and Client analysts and is available only in aggregate form where the number of contributors is five or more individuals.

For a more comprehensive GDPR statement click here.

Organisational security

Employee background checks

Tensense AI performs DBS background checks on new employees.

Employee Training

Employees are aware of GDPR restrictions on the use of, and security requirements for, personal data.

Employees are constrained by the Tensense Staff Security Policy which is reviewed annually. This policy covers responsible use, and secure storage, of client personal details. This policy is a ‘living’ document. For details please contact info@tensense.ai.

Internal security procedures

Continuity, Backup and Disaster Recovery

Tensense is a distributed organisation and maintains no in-house IT infrastructure but relies on trusted and verified agencies to manage and recover interrupted services.

Production Deployment Access

Tensense AI restricts access to migrate changes to production to authorized personnel.

Change Management Procedures

Tensense AI requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

Configuration Management

Tensense AI has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Support System

Tensense AI has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

Data Centre Access

Tensense AI reviews our data centre supplier and their access policy annually.

Third-party agreements

Tensense AI has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Development Lifecycle

Tensense AI has a recognised systems development life cycle (SDLC) methodology in place (SCRUM/Dev-Ops) that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Cybersecurity Insurance

Tensense AI maintains £10,000,000 cover for Third Party and Product Liability insurance.

System capacity reviewed

Tensense AI evaluates system capacity on an ongoing basis, and system changes are implemented to help ensure that processing capacity can meet demand.