In short, yes. tested.me uses certified, world-class data storage and hosting cloud services (AWS and Heroku), continuously protected data backups and systems architecture with no single point of failure. Your data is encrypted in storage and during the transfer from your device to our systems. Individuals are in full control of what they share, when they share it and who they share it with. All data always belongs to them, and at any point in time, they can delete their account and all data within it.
We follow industry best practices including:
Our website and mobile application traffic is run entirely over encrypted SSL (HTTPS).
Protection from SQL injection attacks on the tested.me website
Verifying the authenticity of POST, PUT and DELETE requests to prevent CSRF attacks.
We limit a variety of actions on the site (amount of login attempts, scans of Me symbol etc.)
tested.me employees are required to encrypt their hard drives, utilise strong passwords and enable screen locking.
Information systems enforce password length, complexity, ageing and history standards on all passwords (initial passwords, reset passwords, user changed passwords).
User passwords are stored using a Salted Cryptographic Hash following approved cryptographic algorithms.
tested.me has a documented process of secure account creation, disablement and deletion.
tested.me implements account lifetime and inactivity controls (e.g., automatically disable accounts after a set lifespan or after a defined period of inactivity)
All data is encrypted.
All data is kept following the data retention policies that govern its usage, including health data and NHS track and trace policies.
All successful and failed login attempts are logged.
All changes to security policy are logged.
All account creations, deletions, and modifications are logged.
All logs follow logging best practices. Log entries must include the following attributes:
the time and date of the event,
the application associated with the event,
the user or process initiating the event and, if applicable, the subject acted upon,
the remote IP address of the initiating user or process,
success or failure indication,
A detailed description of the event.
Granting, revoking, and modification of privileges and roles are logged.
All failed access attempts to data, functions, and services are logged.
All servers are kept in sync with a time synchronization mechanism.
Default system or administrative accounts (e.g., bootstrap accounts) are all disabled.
Access to the tested.me source code is tightly controlled and supplied only on an as-needed basis.
Changes to source code are managed through a software change control process
For the ID verification stage in the tested.me app, we use Jumio, which operates on the following security standards: https://www.jumio.com/about/technology-security/
Vaccination and Covid-19 tests follow the same data security rules: all secure, all hashed and encrypted, all stored securely, all with individual control to share, add, delete.