Tensense Security Statement
Tensense.ai is committed to protecting its information assets to satisfy the company’s business objectives and meet the information security requirements of its customers while maintaining the safety of individuals and protecting their right to privacy. The Information Security Policy expresses the company’s intentions and commitment towards these goals.
This Statement complements Tensense’s Company Security Policy and provides a summary of the company’s internal security policies and procedures which constitute the security baseline that governs the company’s Software as a Service (SaaS) Platform. The Statement’s aim is to provide assurance to interested parties about the security of the SaaS applications, as well as the data contained within them.
If you have any questions or require specific detail about the points below, please contact us at firstname.lastname@example.org
The Tensense server is a configured ‘virtual’ machine providing cloud processing, built on physical devices which reside at IOmart’s Tier 2 Data Centre in Maidenhead, UK. Server configuration and backup are provided by Tensense’s trusted agent, Storm Internet.
IOmart provides a secured Data Centre environment. This includes access control to the premises and to individual servers, provision of continuous power supply, and atmosphere control.
Server System patches and upgrades are carried out by Storm at the instruction of, and in liaison with, Tensense Technical support and in line with Tensense’s Security Practice.
Production data backups
Daily backups are taken and stored at Pulsant’s data centre in Maidenhead.
Data Centre Security Practices
IOmart, Pulsant and Storm continually review and revise their security practices in line with ISO 20071-2013 and with evolving threats to data security. We will update this statement to reflect any upgrade of certification to the revised ISO 20071-2022 guidelines published in October 2022.
Find more detailed information about Storm Internet here.
Find more information about IOmart here.
Find more information about Pulsant here.
Tensense System Security
Production System and Database access
Tensense restricts privileged access to databases to authorized users with a business need. Access to the Tensense Administration system is protected by two-factor authentication.
Access to the personalised Participant Survey Web App page is restricted to an individual, encrypted link sent to the Participant. This link expires at the end of the survey cycle.
Encryption key access restricted
Tensense restricts access to encryption keys to authorized users with a business need.
Tensense uses encrypted Dropbox storage for all company data. Tensense does not maintain any in-house network infrastructure. Tensense restricts privileged access to Dropbox to authorized users with a business need.
Access by Specific Device
Tensense does not restrict Production System access to specific devices as this would be at odds with the system’s business purpose.
However, development source code access is restricted to the specific set of devices in use by development staff at the current point in time.
Tensense has designed, and continues to maintain, best practice in security in our architecture and code in line with industry (OWASP) standards.
External Attack Penetration Testing
Tensense uses the Pentest Tools set of security scanning tools on a regular (minimum monthly) basis to ensure the deployed system is still protected against newly developed threats.
Insider Attack Penetration Testing
Tensense uses Pentest Tools ‘Authenticated’ scans to simulate authority escalation attempts from within the system. Tensense does not, as a matter of course, commission ‘expert’ manual pen-tests. However, we are happy to work with any client-appointed pen tester.
Client Sensitive Data Protection
Tensense AI security policy prohibits customer data being stored outside the Tensense system. Tensense suggests that, should customers find it necessary or convenient to send sensitive information to Tensense, any file used for this purpose should be encrypted and password locked.
Tensense maintains a log of all user activity within the production system.
Data in Transit
All interaction with the Tensense system is encrypted using the SSL/TLS protocol.
Data at Rest
All stored system data is encrypted using kernel-level MS SQL Server services.
As a ‘Data Processor’ Tensense retains personal data in line with customer requirements. Tensense reserves the right to retain general, anonymised, aggregated result information with the Tensense knowledgebase as this is required for product improvement.
As a service provider, Tensense (and Data Centre Agents) is classed as a Data Processor.
Tensense has not appointed a named Data Protection Officer. This responsibility is held by Tensense AI’s Executive Board members and discharged through Tensense’s Customer Services department. Any enquiries should be first directed to email@example.com.
Access to personal information is restricted to Tensense and Client system administrators.
Tensense does not transmit personal information outside the UK.
Access to Response information is restricted to Tensense and Client analysts and is available only in aggregate form where the number of contributors is five or more individuals.
For a more comprehensive GDPR statement click here.
Employee background checks
Tensense AI performs DBS background checks on new employees.
Employees are aware of GDPR restrictions on the use of, and security requirements for, personal data.
Employees are constrained by the Tensense Staff Security Policy which is reviewed annually. This policy covers responsible use, and secure storage, of client personal details. This policy is a ‘living’ document. For details please contact firstname.lastname@example.org.
Internal security procedures
Continuity, Backup and Disaster Recovery
Tensense is a distributed organisation and maintains no in-house IT infrastructure but relies on trusted and verified agencies to manage and recover interrupted services.
Production Deployment Access
Tensense AI restricts access to migrate changes to production to authorized personnel.
Change Management Procedures
Tensense AI requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
Tensense AI has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Tensense AI has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Data Centre Access
Tensense AI reviews our data centre supplier and their access policy annually.
Tensense AI has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Tensense AI has a recognised systems development life cycle (SDLC) methodology in place (SCRUM/Dev-Ops) that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Tensense AI maintains £10,000,000 cover for Third Party and Product Liability insurance.
System capacity reviewed
Tensense AI evaluates system capacity on an ongoing basis, and system changes are implemented to help ensure that processing capacity can meet demand.