Data security at Sona

Frequently asked questions

How do you protect data in transit and at rest?

All connections to Sona are over https using a minimum of TLS v1.2. All data is stored in our Google Cloud Postgres Databases using GCP's encryption at rest at a minimum of AES256 bit.

What is Sona’s data centre security?

Sona is hosted in Google Cloud Platform. Please see this link for details of their security.

What security governance do you have in place?

Governance is managed by the Information Security Working Group that meets regularly to discuss opportunities to improve our information security posture. The ISWG is chaired and coordinated by our contracted Information Security Officer who is a qualified ISO 27001 lead auditor and GDPR practitioner.

Additionally, Sona is working with a global leader in security compliance automation in order to progress our ISO27001 implementation and accreditation.

What user management is in place to prevent unauthorised access?

At the company level we have an access control process that operates on the principle of least privilege and subject to regular reviews (frequency depends on the criticality of individual systems). Employees are prohibited from sharing credentials and all passwords are stored in our company password management solution. Wherever possible, we have reporting enabled in our cloud services to alert users where there are login attempts that are suspicious along with features such as automatic locking where possible. MFA is in place for all critical systems such as infrastructure interfaces. All of the above technical controls and training have been verified as compliant with Cyber Essentials, of which Sona are accredited as of 21 August 2023.

Within the app - Access to app features and data within is tied to a permissions matrix that is referenced by user roles. Each user is assigned to a role that has specific permissions in line with the role and prevents users from accessing features or data that they are not entitled to review. Users are authenticated to access the app by entering a token that is sent as a challenge to a validated telephone number. The token expires after 10 minutes. All users have unique username and password credentials, alternatively we can provide an SSO solution. This method of authorised telephone number verification and use of One Time Password; (throttling) is verified as a key mechanism which protects against the risk of brute-force attacks per the NCSC's Cyber Essentials scheme guidance.

What security is built into the mobile app to protect our data, privacy and devices?

All in flight data to the App is encrypted over http using a minimum of TLS v1.2. All data stored locally is encrypted using the local device's native encryption mechanism. All Android and iOS versions supported by the app use the AES 256 algorithm to encrypt the device’s file system. The app requests a time-sensitive authentication token upon login which is used to authenticate all subsequent requests. The authentication token is stripped from the response and stored in the encrypted file system of the local device and never cached in memory.

What is Sona’s uptime?

We have uptime of 99.9% or higher.