Mydex Security Model
At Mydex we take security very seriously. We have taken extraordinary steps to maintain the security and integrity of our members’ information. But we understand that you need to know what we are doing to protect your information, so here are the details:
Mydex is designed from the ground up to be secure. From its platform architecture to our software development and systems administration, security is built into the very fabric of the service and how it is delivered.
In a world of ever-changing threats, security can be likened to an arms race, so our approach is always to be as good as the best available or a step ahead. We apply many of the same security practices as your bank, including encryption, verification and back-ups.
Secure servers, secure service provision
Mydex uses Eduserv as its hosting provider. So unless you choose otherwise, all your data is stored on UK-based servers managed by a not-for-profit company whose reputation has been built on ensuring the privacy, safety, and security of commercial and public sector customers, especially government, health and education.
Our servers sit inside buildings that are monitored 24x7 and cannot be accessed without security clearance (photo ID, pre-notified in advance), with former Gurkha officers running physical security. Access to any of our systems that hold any of your data is strictly limited. In line with our ISO 27001 certification, our hosting provider has no access to your data, just as we do not; your data remains encrypted at all times on Mydex servers.
Our platform is constantly monitored and rigorously controlled using ‘zero touch’ deployment tools, static code analysis, code hardening and a hybrid testing model. We also use trusted third-party services to test for potential security weaknesses. We continually monitor threats and extend our testing capability proactively.
Security in the round
Mydex systems are built using open source tools and code, proven in real world application. External scrutiny by a global community of developers provides a level of transparency and assurance that some commercial offerings cannot, in an era when relationships between corporations and nation states can sometimes be too close for comfort.
We are constantly evaluating new and improved security methods and techniques such as rotating ciphers, homomorphic encryption, biometrics and new forms of multi-factor authentication whilst constantly testing usability and convenience for our members.
Security threats go beyond the technology itself and are often targeted at human behaviour and the processes surrounding the technology. Mydex takes a formal approach to information security management and is ISO 27001 and Fair Data certified based on what we actually do day to day. By developing good practice based on practical reality and adopting an integrated, externally-auditable process of continual improvement we maintain the all-round vigilance your personal information deserves.
Encrypted data, encrypted communication
From the moment it is entered your personal information is encrypted using AES 512-bit encryption, the highest standard available today. Mydex is committed to using proven cryptographic methods which are open, readily available and trusted by the security community.
No matter what device you use to access your personal data store (PDS), from your desktop browser to your mobile phone, your data is always sent using 256-bit SSL – the highest standard communication security. So no-one can see or steal your data as it is transmitted to or from your PDS.
When you exchange data with organisations you have agreed to send data to or receive data from, it is encrypted using what are called asymmetric key pairs, which are unique to your connection with that organisation. Asymmetric keys enable data to be verified in terms of who the sender is: data encrypted with one key can only be decrypted by the other key.
We distribute these private keys over our secure APIs at the point of first-time connection using a separate asymmetric key system, which is set up during the verification and certification of connecting organisations. We issue them with a private key and, during transmission, use their public key to encrypt each private key they will use in connecting with your personal data store after you have given consent for the connection. That part is done automatically. We generate all keys using a secure process and randomly select a key pair in real time. These key pairs are generated in bulk out of band and then stored until used. We keep no record of the key pairs after they have been deployed into your personal data store.
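The key delivery described above, as an added sketch that is not Mydex's code: a connection private key is too large for RSA-OAEP to encrypt directly, so it is wrapped under a one-time AES-256-GCM key that is itself encrypted to the organisation's public key. The function names, envelope layout, RSA-2048 and AES-256-GCM choices and the sample record are assumptions made for the illustration.

```javascript
// Added illustration: names and envelope layout are hypothetical, not Mydex's API.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const newRsaPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Platform side: wrap a connection private key for one organisation.
// RSA-OAEP with a 2048-bit key can only encrypt about 190 bytes, far less than a
// PEM private key, so a one-time AES key encrypts the PEM and RSA wraps that key.
function wrapConnectionKey(connectionPrivateKey, orgPublicKey) {
  const pem = connectionPrivateKey.export({ type: 'pkcs8', format: 'pem' });
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(pem, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: orgPublicKey, ...OAEP }, aesKey),
    iv, body, tag: cipher.getAuthTag(),
  };
}

// Organisation side: recover the connection key with its onboarding private key.
function unwrapConnectionKey(envelope, orgPrivateKey) {
  const aesKey = crypto.privateDecrypt({ key: orgPrivateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, envelope.iv);
  decipher.setAuthTag(envelope.tag); // a tampered envelope fails in final()
  const pem = Buffer.concat([decipher.update(envelope.body), decipher.final()]);
  return crypto.createPrivateKey(pem);
}

// Constructed end-to-end run: onboarding pair, connection pair, delivery, then use.
function demo() {
  const org = newRsaPair();        // set up when the organisation is verified
  const connection = newRsaPair(); // unique to one member-organisation connection
  const envelope = wrapConnectionKey(connection.privateKey, org.publicKey);
  const delivered = unwrapConnectionKey(envelope, org.privateKey);

  // Data encrypted with the connection public key opens only with the delivered key.
  const record = Buffer.from('postcode=EX4 MPL'); // constructed sample data
  const sealed = crypto.publicEncrypt({ key: connection.publicKey, ...OAEP }, record);
  const opened = crypto.privateDecrypt({ key: delivered, ...OAEP }, sealed).toString();

  // A party holding a different onboarding key cannot unwrap the envelope.
  let outsiderBlocked = false;
  try { unwrapConnectionKey(envelope, newRsaPair().privateKey); } catch { outsiderBlocked = true; }
  return { opened, outsiderBlocked };
}
```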
You are in control
Each personal data store is encrypted using a private encryption key held solely by the individual. No-one else can access the data, not even Mydex. Each PDS owner is responsible for their own private key, so no-one can force Mydex to decrypt your information. You are truly in control, to the extent that if you lose your key, Mydex cannot recover it. You can change your private encryption key yourself at any time.
Your personal data store is held as a unique self-contained set of files, rather than being stored within a single large database of personal data records. Inside your own encrypted store, each data item is encrypted as well. Mydex provides you with the tools to control what information you store and share; you make all the decisions, Mydex just implements them.
You can disable or delete any one or all of your PDS connections at any time. The minute you do so, those organisations can no longer access your personal data. The log files of every action are stored in your PDS so you can see exactly who has accessed what, and when.
Your PDS needs to be really secure but it also needs to be convenient for you to access and use. Mydex will allow you, in due course, to configure additional layers of security (e.g. biometrics, multi-factor authentication) to support specific transactions. You can choose the checks you want above our standard service level, for the things you consider most sensitive.
After extensive testing, we also put features like the time it takes to log-out due to inactivity under your control. No-one likes irritating defaults and people like to work in different ways so, where it won’t compromise security, Mydex allows you to customise the behaviour of your PDS to suit the way you want to use it.
Sharing with confidence
To give you the confidence that you can share your data securely, we verify every organisation which connects to Mydex’s platform, each of which is bound by legal agreement.
Connecting organisations have to prove who they are before they can offer apps or access or exchange any information beyond e-mail with our members. We do not accept access from unknown locations; everyone is verified and every connection has to be white-listed.
Furthermore, the data you do choose to share is uniquely encrypted in its own separate ‘shard’ so that third parties can only ever see the information you have specifically shared with them, encrypted with a key only they hold just for your data and no one else’s.
This double encryption, coupled with in-transit encryption using unique asymmetric keys, means that your personal information stays protected even if the transmission between your PDS and a connected organisation were to be compromised, and even if HTTPS, the standard for secure communication via the web, were compromised, because the encrypted data packets comprising your personal information are themselves uniquely encrypted. This is another example of how we ensure our service and your data are secure.