Security at Opus 2

At Opus 2 security is built into the heart of everything we build and do. We are an ISO:27001 certified organisation committed to protecting your data and privacy. Read on to see how we provide a secure alternative to information sharing, process management and collaboration methods that can put clients' data at risk. Please contact our dedicated security team if you have any specific questions or concerns. 

Contact the Opus 2 Security Team

Complete the form to submit your question, query or security concern.

×
compliance

Compliance and certification

We understand that providing a secure environment at least partially depends on measuring yourself against industry standards. We have:

  • Maintained ISO27001:2013 certification since 2015
  • Retained Cyber Essentials Plus certification since 2016
  • Built a comprehensive Privacy Management Framework that we will seek to certify against the prevailing GDPR Compliance Standard once it is available
  • Been listed as a GovCloud provider for data

As a result of our certification efforts, we have been consistently able to satisfy customer security validation needs. View our security policy.

Secure development

pencil-ruler-solid
Secure by design

Security is at the heart of our development process. Whenever a new version of an Opus 2 Product is planned or a new feature is considered, our development teams use a methodology called STRIDE to identify potential threats. When mitigating or eliminating threats we apply a methodology called FAIR in order to quantify the risk.

 

user-cog-solid-1
Testing and verification

We employ a combination of automated and manual testing that involves static binary analysis using Veracode and continuous checks for third-party dependencies. We also carry out regular internal penetration testing and third-party penetration testing at least once a year.

code-solid-1
Consistent builds

The code produced by our development teams is fed into a well-structured Continuous Integration (CI) pipeline so that it can be properly tested. Any issues that are found are verified and fed into the bug tracking system. Where possible we try to find solutions that address complete bug classes rather than point solutions for a single finding.

Secure infrastructure

Standardised configurations

To ensure environments stay the same, we have built environment “templates” that can be deployed automatically. We call this “Infrastructure as Code”. It allows us to build a consistent environment for a client without being prone to human error. It also gives us a standard to measure other environments in order to prevent creep or technical debt.

Geo-specific hosting

In general, we use three approaches for hosting its product infrastructure in Amazon Web Services:

globe-europe-solid

Europe

Primary systems are hosted in availability zone EU-WEST–2. Secondary/Backup Systems are hosted in availability zone EU-WEST–1.

globe-americas-solid

United States

Primary systems are hosted in availability zone US-EAST–2. Secondary/Backup Systems are hosted in availability zone US-EAST–1.

user-check-solid-1

Client-specific hosting requirements

If you have specific hosting needs that are unique to your organisation, we can find an appropriate solution for your needs.

Data protection

Authentication and authorisation

There are a number of authentication methods in place to increase the security of accounts. This includes a defined password policy, required memorable word setup and full multi-factor authentication.

Opus 2 Support

We provide support to our customers on a continuous basis. To perform our responsibilities, a limited number of our employees have access to your environment. This access occurs only through encrypted protocols (SSH, HTTPS) and requires multi-factor authentication for every user. All administrator-level access is logged and continuously monitored to ensure that any anomalies are detected.

User Management

As a client, you have full control over the permissions for each user you register to the platform. You can create, modify, and remove users based on your own internal policies.

Encryption at rest

All customer data is hosted on an encrypted AWS S3 container. Encryption keys are managed through AWS’ default Key Management System (KMS).

Encryption in transit

Each internet-facing application instance is assigned a TLS certificate to ensure that data communicated between your computer and the Opus 2 infrastructure is encrypted using the latest encryption protocols. The certificate is generated through a secure process and only supports encryption protocols and suites that are not currently known to be broken or otherwise compromised.  The same is true for our internal infrastructure. All components communicate with each other over TLS.

 

alert

Incident response

We provide virtual 24/7 security monitoring. Every device, machine, and application involved in the delivery of services to our clients provides a rich set of data points to our centralised log aggregation platform. This data is continuously analysed for anomalies and any events that may indicate a security incident are further investigated.

Third parties

Apart from AWS, we do not rely on any third parties to provide our products and services to our clients. Where third parties are involved, we always sign an NDA, at minimum. We also conduct the same level of background checks for our own employees and also sign a Data Protection Agreement (DPA) as required by GDPR.

We work with independent court reporters who are considered third parties for the services they provide. Each court reporter receives Opus 2’s Employee Security Awareness Training and signs an NDA with Opus 2. Additionally, a number of the court reporters hold security clearances of varying levels for which they have undergone independent background checks. The court reporters are contractually obliged to maintain the security of client information in line with Opus 2’s security classification and data protection policies.

Working together

Connect with our dedicated security team to discuss your security requirements or questionnaires. If you have any questions or concerns or have found something that might impact the security of our services or the products we provide to you, please do not hesitate to reach out to your primary contact at Opus 2 or contact us directly here, providing as much detail as possible.

Contact us

Meet our dedicated security team

Our core information security team consists of three security experts who work with the wider Opus 2 team, from Human Resources to Software Engineering and from Finance to Support, to deliver our products and services as securely as possible.

Andy Sidwell, IT Director

Andy Sidwell

IT Director

825f854c-37fd-4273-869a-f19332b9d0a2

Madiha Assim

Security Engineer