
How secure is my web site?

Firstly, it's important to say that we take security seriously. Brendan Neville, the founder & owner of Endis, ran a financial services software company in the US before Endis began. Approximately 50% of all banking transactions in the US during this period passed through software created by the company. Consequently, the company has been built from an understanding of the significance of security.

The personal info that your organisation has is far more secure on the Insight system than stored on a personal PC or in paper format – PCs can be stolen and accessed by others, and paper copies could potentially fall into anybody's hands.


The information on your web site is safely stored on servers in a data centre in Stratford, East London. Security levels are very high at these facilities – not dissimilar from banks – and they’re also fire, flood and bomb proof.


Personal details that are stored on the web site can only be accessed by logging in using a unique user name and secure password. Even then, contact details in the Address Book can only be accessed by a user who has the required level of involvement in your organisation (see the Address Book guide for more details about setting your Address Book policy). Full user details can only be accessed through the Web Office by those staff members who have been granted the required permissions.


You can't say that something can never be hacked, just as you can't say that you will never be knocked down if you cross the street – it doesn't stop you from crossing the road, but you're careful to weigh the risk against the benefit (getting to the other side of the street!) and take appropriate precautions. In this case, all the necessary security protocols are in place and these are updated regularly. Also, what is the value of the data to a potential hacker to make it worth their while? What would they get? Not much data in practice. In fact, there are much more tempting targets for hackers – ones where credit card information is stored.

Technical details

For those who are interested, here's some more detailed information about the security measures we use.


Where passwords are sent in plain text we use SSL to ensure that they are not compromised, i.e. on the login failed page (if you type invalid junk into the login pop-up you will be redirected there). Where we request login details on non-SSL pages, we first encrypt them in the JavaScript with a session-specific challenge string. This approach allows us to ensure the security of the password without overusing the SSL protocol and its additional overheads. We do, though, allow a plain-text SSL route upon failure, in case the browser in question can't support our client-side encryption.

Passwords are encrypted before being stored in the database. The encryption used is one-way, to enhance security and ensure that, even with access to the database, passwords cannot be stolen. In addition, different levels of password security can be selected by the organisation according to its needs; for example, these may require the user to create a password of a certain length and to use numbers, etc. Even if a user logs in using the 'log me in automatically' feature, the user must always subsequently log in manually to gain access to the Web Office, where users' details could be accessed.

The system is built on Microsoft .NET architecture with MS SQL Server as the database backend. Our dedicated servers are kept fully up to date with security patches and are located in a highly secure co-location centre in London. These servers are accessed via VPN by the technical team from Cambridge. Administrator passwords are changed regularly, and always changed at the point of staff turnover.