Data Security: How Makerble Adheres To The UK Government's 14 Cloud Security Principles

Introduction

The UK Government has set out 14 Cloud Security Principles. As a software-as-a-service company, Makerble is steward of confidential information. This article outlines how we address those principles.

For more information on the Cloud Security Principles, visit: https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles

We take data security seriously. We follow industry best practice and have a comprehensive security framework to ensure your data is protected throughout its lifecycle in our cloud environment. This article provides information on the way we address each principle.

1. Data in Transit Protection

  • The Makerble Platform uses encryption at rest and in transit for all data transfers.

  • We employ the industry-standard TLS/SSL protocols to safeguard data communication between you and our platform, as well as within our internal network.

2. Asset Protection and Resilience

  • Data that clients store on The Makerble Platform is securely stored in Microsoft Azure.

  • As an organisation we use a password management tool (Passbolt) with OpenPGP encryption to securely store credentials and manage them.

  • Data on The Makerble Platform is stored in Ireland in the Microsoft Azure regional data centre.

  • Data stored on The Makerble Platform is encrypted with AES (Advanced Encryption Standard) to protect confidential information. This ensures that sensitive data is protected both in transit and at rest, maintaining the highest level of security.

  • Data sanitisation and equipment disposal, including data storage devices such as hard drives, SSDs, and RAM, are completely handled by Azure. Azure's certified processes ensure that all data is securely erased and storage media are sanitised or destroyed at the end of their lifecycle.

3. Separation Between Customers

  • The Makerble Platform implements logical mechanisms to segregate customer data. Within our software architecture, we use isolation mechanisms to prevent unauthorised access to customer data. This involves writing code that ensures each user can only access their own data and cannot inadvertently or maliciously access another user's information.

  • We perform penetration tests and code reviews every 6 months to ensure the effectiveness of these isolation mechanisms.

4. Governance Framework

  • Makerble has defined security policies, procedures and controls that undergo regular review as part of our security governance framework.

  • We are applying for Cyber Essentials Plus certification to further demonstrate our security posture and expect to have this in place by 31 December 2024.

5. Operational Security

  • Makerble prioritises operational security through a multifaceted approach. We conduct regular penetration testing and use third-party scanning tools such as Snyk and DeepSource to proactively identify vulnerabilities within our systems.

  • We continuously monitor for software updates from our software providers and apply patches promptly to maintain system integrity.

  • Across The Makerble Platform we use the Cloudflare Web Application Firewall (WAF) to protect against a wide range of cyber threats.

6. Personnel Security

  • Employees undergo a comprehensive security awareness programme as part of their onboarding process. We use an internal project management system to introduce them to key security policies and best practices. This is followed by a periodic assessment every 3 months to ensure employees retain their security awareness and ability to follow best practice.

7. Secure Development

  • The teams working on The Makerble Platform follow secure development practices by adhering to the guidelines outlined in the Ruby on Rails Security Guide. This comprehensive framework helps us build robust and secure applications.

  • We conduct rigorous code reviews (adhering to OWASP Top 10 Best Practice Standards) to identify and address potential security vulnerabilities before deployment. By integrating security considerations into our development process, we maintain our standards of data protection and system integrity.

8. Supply Chain Security

  • As an organisation we acknowledge the shared responsibility model inherent in the cloud computing platforms we use such as AWS and Azure. While these providers offer robust infrastructure and security features, we recognise that the overall security of our systems requires collaboration. As such we work with our cloud service providers to implement their recommendations and make the most of their security tools and services.

9. Secure User Management

  • As an organisation we have identified the specific levels of access to software that each employee requires. This ensures that our employees only have access to the data and permissions that are relevant, based on their role.

  • We are committed to continually improving our user management capabilities. We are currently implementing Authentik to manage IAM (Identity and Access Management).

10. Identity & Authentication

  • Across our organisation and in relation to The Makerble Platform, we safeguard client data through the use of robust identity and authentication protocols. For example, access to The Makerble Platform is restricted through a multi-layered approach that includes:

    • Strong Credentials: Users log in using a unique email address and a complex password that meets industry best practices for length and character composition.

    • Multi-Factor Authentication (MFA) Enabled by Default: To further enhance security, Makerble offers Multi-Factor Authentication (MFA) for all user accounts and organisations. This means every login attempt requires not only a username and password but also a second verification factor, which is a code received via SMS.

  • In addition to this we enforce strong credentials and Multi-Factor Authentication across the software used by our employees.

11. External Interface Protection

12. Secure Service Administration

  • The Makerble Platform runs on Azure which follows enterprise-grade security for administration. Details of compliance are outlined here: https://learn.microsoft.com/en-us/azure/compliance/

  • Building on the point in Principle 10, every Makerble employee uses MFA and follows our standardised security practices in relation to the software applications they use in their role.

13. Audit Information

  • As an organisation Makerble prioritises transparency and adheres to your right to audit our data processing practices. Our privacy policy outlines your right to request an audit of our security measures. We will promptly provide all relevant information within our control, subject to legal and confidentiality obligations.

  • To further enhance security and threat detection across the organisation, we are implementing a Security Information and Event Management (SIEM) system. This builds on the existing security infrastructure we have with Cloudflare.

14. Secure Use of Service


If you have questions about our approach to data security, contact our Data Protection Officer by emailing [email protected]

ZOHO Forms Alternative: Makerble Vs. ZOHO Forms

Case Management

  • ZOHO Forms is not a case management tool.

  • This means that in order to use ZOHO Forms, you have to maintain a separate system to manage your day-to-day work with clients, beneficiaries and stakeholders.

  • If you want to use surveys to understand your impact, you will have to copy & paste some data between your spreadsheet and ZOHO Forms.

  • This is inefficient, takes up precious time and is susceptible to human error.

Distance Travelled

  • ZOHO Forms is designed to show you the results from a single survey campaign. It is not designed to compare individual people’s survey results over time.

  • On Makerble, every respondent has a profile.

  • This means that Makerble can automatically detect their pre-programme, mid-programme and post-programme responses to each question and instantly report the improvement over time, both for each individual beneficiary and for the cohort as a whole.


There are no insights beyond the questions in your survey

  • ZOHO Forms only looks at the answers to survey questions

  • It does not take into account the operational information you have about your beneficiaries

  • Because you cannot cross-reference your survey data with your operational data, it means that you miss out on valuable insights.

Example

  • If you are a therapy nonprofit, your case management system shows the demographic makeup of your clients and the number of sessions they attend. By cross-referencing this with your clients’ survey results (which you can do in Makerble), you could see that:

    • People who attend between 5 and 10 sessions tend to be those that see the biggest improvement.

    • Black girls aged from 14 to 17 tend to underperform versus the average.

    • Everyone who is counselled by Therapist X tends to see a bigger change over time.


Those kinds of insights that tell you about the audiences you're under-serving are only possible when you're able to cross-reference survey responses with operational data about how often you see people, who sees them, demographic details about those people, who referred them, etc.

Conclusion

  • Whilst ZOHO Forms is a powerful surveys tool, it stops at surveys.

  • Whereas on Makerble you will get the context that helps you understand your survey results.

Typeform Alternative: Makerble Vs. Typeform

Typeform is an online form builder that helps users build and manage forms.

Case Management

  • Typeform is not a case management tool.

  • This means that in order to use Typeform, you have to maintain a separate system to manage your day-to-day work with clients, beneficiaries and stakeholders.

  • If you want to use surveys to understand your impact, you will have to copy & paste some data between your spreadsheet and Typeform.

  • This is inefficient, takes up precious time and is susceptible to human error.

Distance Travelled

  • Typeform is designed to show you the results from a single survey campaign. It is not designed to compare individual people’s survey results over time.

  • On Makerble, every respondent has a profile.

  • This means that Makerble can automatically detect their pre-programme, mid-programme and post-programme responses to each question and instantly report the improvement over time, both for each individual beneficiary and for the cohort as a whole.


There are no insights beyond the questions in your survey

  • Typeform only looks at the answers to survey questions

  • It does not take into account the operational information you have about your beneficiaries

  • Because you cannot cross-reference your survey data with your operational data, it means that you miss out on valuable insights.

Example

  • If you are a therapy nonprofit, your case management system shows the demographic makeup of your clients and the number of sessions they attend. By cross-referencing this with your clients’ survey results (which you can do in Makerble), you could see that:

    • People who attend between 5 and 10 sessions tend to be those that see the biggest improvement.

    • Black girls aged from 14 to 17 tend to underperform versus the average.

    • Everyone who is counselled by Therapist X tends to see a bigger change over time.


Those kinds of insights that tell you about the audiences you're under-serving are only possible when you're able to cross-reference survey responses with operational data about how often you see people, who sees them, demographic details about those people, who referred them, etc.

Conclusion

  • Whilst Typeform is a powerful surveys tool, it stops at surveys.

  • Whereas on Makerble you will get the context that helps you understand your survey results.

Google Forms Alternative: Makerble Vs. Google Forms

Google Forms is part of the Google suite and lets you create forms online.

Case Management

  • Google Forms is not a case management tool.

  • This means that in order to use Google Forms, you have to maintain a separate system to manage your day-to-day work with clients, beneficiaries and stakeholders.

  • If you want to use surveys to understand your impact, you will have to copy & paste some data between your spreadsheet and Google Forms.

  • This is inefficient, takes up precious time and is susceptible to human error.

Distance Travelled

  • Google Forms is designed to show you the results from a single survey campaign. It is not designed to compare individual people’s survey results over time.

  • On Makerble, every respondent has a profile.

  • This means that Makerble can automatically detect their pre-programme, mid-programme and post-programme responses to each question and instantly report the improvement over time, both for each individual beneficiary and for the cohort as a whole.


There are no insights beyond the questions in your survey

  • Google Forms only looks at the answers to survey questions

  • It does not take into account the operational information you have about your beneficiaries

  • Because you cannot cross-reference your survey data with your operational data, it means that you miss out on valuable insights.

Example

  • If you are a therapy nonprofit, your case management system shows the demographic makeup of your clients and the number of sessions they attend. By cross-referencing this with your clients’ survey results (which you can do in Makerble), you could see that:

    • People who attend between 5 and 10 sessions tend to be those that see the biggest improvement.

    • Black girls aged from 14 to 17 tend to underperform versus the average.

    • Everyone who is counselled by Therapist X tends to see a bigger change over time.


Those kinds of insights that tell you about the audiences you're under-serving are only possible when you're able to cross-reference survey responses with operational data about how often you see people, who sees them, demographic details about those people, who referred them, etc.

Conclusion

  • Whilst Google Forms is a powerful surveys tool, it stops at surveys.

  • Whereas on Makerble you will get the context that helps you understand your survey results.