Security

ISO 27001:2013

Scorebuddy is an ISO27001 certified organisation.

List of sub-processors

Third party/vendor | Type | Usage | Location | Services/Features | Website
Amazon Web Services | Infrastructure | Infrastructure as a Service | Ireland & US | All | aws.amazon.com
MongoDB | Infrastructure | Database as a Service | Ireland & US | All | mongodb.com
Cloudflare | Infrastructure | Infrastructure management | Ireland | DNS | cloudflare.com
Microstrategy | Infrastructure | Business Intelligence | EU | Business Intelligence | microstrategy.com
Deepgram | Services | Automated speech recognition | Ireland | Speech transcription | deepgram.com
Google Web services | Services | Automated speech recognition | Ireland | Speech transcription | cloud.google.com/speech-to-text
Mailgun | Services | Sending in-product emails | EU | Notifications | mailgun.com
Auth0 | Services | Authenticating CX | EU | Authentication | auth0.com
Okta | Services | Authentication | EU | SSO | okta.com/
Azure AD | Services | Authentication | EU | SSO | microsoft.com
Azure ChatGPT | Services | AI | EU | QA Assist Auto QA | microsoft.com
Zendesk | Support | Customer Support | Ireland | All | zendesk.com
Hubspot | CRM | CRM and Marketing | Ireland | For customers and prospects | hubspot.com
SalesForce | CRM | CRM and Marketing | Ireland | For customers and prospects | salesforce.com
Google Analytics | Services analytics | Webpage analytics | Ireland | Only for the Scorebuddy webpage, and usage tracking | analytics.google.com
Plan Hat | Services analytics | Webpage analytics | Ireland | Feature usage | planhat.com
Datadog | Services monitoring | Services and infrastructure monitoring | Ireland | All | datadoghq.com
Xero | Employees | Employees and Invoices | Ireland | Scorebuddy's Employees | xero.com
Learn Upon | Learning | Learning Management System | Ireland | Learning and Coaching | learnupon.com
Microsoft | Email | Sending emails | Ireland | Office | microsoft.com/en-ie/microsoft-365

Last update: 04-03-2024

Scorebuddy is heavily invested in your service and data, privacy and security. We use best practices and are continually improving our infrastructure and services in line with industry best practice. We are an ISO 27001:2013 certified organisation.

Types of Data Shared and Stored on Scorebuddy

Scorebuddy stores details of staff and staff scores. Scorebuddy also allows customers to upload attachments related to service interactions. The Scorebuddy system can also be integrated with various CRM and helpdesk systems and may store metadata and conversations related to cases. It is recommended that confidential or sensitive information is not entered into the Scorebuddy system.

The types of data Scorebuddy stores include but are not limited to:

General User

  • System ID
  • Employee ID
  • First name
  • Last Name
  • Company Email Address

Contact Lists for use with the Surveys Module

  • System ID
  • First name
  • Last Name
  • Email Address
  • Mobile Number

Further details can be found in the Scorebuddy Terms and Conditions.

  1. Quality assessments are performed in line with quality assurance procedures. An agent's name, staff ID and email address may be associated with a score relating to the quality of the interaction. Data related to the interaction, including a recording, may be uploaded. If the interaction took place in a CRM, service desk or other system, then the chat conversation, ticket or recording may be imported. Comments relating to the agents or the agents' performance may be stored.
  2. Coaching goals, tasks and objectives, as well as 1:1 feedback, may be stored, as well as the agent's progress.
  3. Training and learning objectives are created and reported on in Scorebuddy and facilitated in the Learning Management System.
  4. Surveys are created by a customer to obtain CSAT, NPS or other customer opinion responses.

Data Export
Customers can obtain a raw export of all data stored in Scorebuddy. Customers also have access to an open-standard API which can only be accessed using a client-generated key; this can be used to retrieve staff and score information.

Customer Service
An agent's name, staff ID and email address may be associated with a quality assessment score relating to the quality of the customer's service interaction.

Interactions
Customer service interactions between customers and agents may be uploaded or imported into Scorebuddy. Customers can choose whether or not to upload or import data, and it is recommended not to store confidential information. Full control over data deletion, storage and retention rests with the customer.

Contact
Scorebuddy uses email and inbox systems to communicate with staff for notifications, depending on the selected notification settings. The Scorebuddy Surveys module can distribute customer surveys to clients' customers using email.

Storage

Production data is classified and personally identifiable information (PII) or other potentially confidential information is encrypted and not available outside the production system.

Backups

Production data and infrastructure are regularly snapshotted in order to ensure recovery from potential disaster. In addition, each customer's database is backed up. Periodic testing is performed to ensure the backup and restore procedures are effective.

Access control

Scorebuddy uses a system of least privilege. Access is granted on a need-to-know basis, and each specific request for access must be authorised and auditable. Customers can control role-based access to the service down to the granular permissions they prefer, including the ability to configure rules related to security settings.

Encryption

Scorebuddy encrypts all data in transit and transmits the data using HTTPS over TLSv1.2. Data at rest is classified, and protected information is encrypted using industry-standard strong encryption protocols.

Policies

Scorebuddy maintains a comprehensive suite of policies covering numerous areas designed to assure operational and organisational excellence. Scorebuddy policies support and surpass requirements for ISO 27001 certification.

Change Management

All changes to the Scorebuddy system are subject to change control. Each item requires an auditable ticket, authorisation, approval and assignment. Changes in source control are linked to the ticket and require peer review. Changes are automatically tested in a CI system before becoming available.

Incident Management

Scorebuddy maintains a documented incident management policy, with a comprehensive set of procedures. The incident management process is tested throughout the year. The incident plan includes a communication plan for affected customers.

Security Awareness and Training

Scorebuddy operates an ongoing security awareness programme to ensure that all staff are aware of the importance of security. All employees receive security awareness and GDPR training on hire and annually, and engineering and technical staff receive additional training on secure product development and lifecycle, the OWASP Top Ten and best practices, and ongoing security development.

Secure lifecycle

Scorebuddy operates a secure software development lifecycle which requires that items worked on have approval, complete requirements, impact analyses (including data protection and privacy assessment), user acceptance criteria, design, automated tests, secure coding, security tests, peer review, user acceptance testing, regression testing and a formalised release plan and versioning. Scorebuddy developers work to a coding standard using OWASP best practices, and are taught to design using security and privacy by design and by default.

Separate Environments

Scorebuddy uses the principles of separation of duties and least privilege. Scorebuddy uses separate development, staging, and production environments, and forbids the use of production data in test.

Application Security

The Scorebuddy application is accessed through HTTPS over TLSv1.2. The application uses a secure login which implements strong password complexity rules, password history and lockout periods to prevent brute-force attacks. Passwords are never transmitted or stored in the clear; a strong hashing algorithm and per-password salts are used in line with industry best practice. Alternatively, customers can use their enterprise single sign-on mechanism.
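As an added illustration of the login controls this paragraph lists (complexity rules, password history, lockout after repeated failures, and salted hashing so that no password is ever stored in the clear), the following Python module shows one defensible way to implement them. This is example code written for this page, not Scorebuddy's own implementation; the policy constants (scrypt parameters, history depth of five, five failures, fifteen-minute lockout) are assumptions chosen for illustration, as is the sample passphrase used in the demo at the bottom.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Illustrative policy constants (assumptions for this example, not real settings).
SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HISTORY_DEPTH = 5          # current password plus the four before it may not be reused
MAX_FAILURES = 5           # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the lockout lasts


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash: only this digest is stored, never the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def meets_complexity(password: str) -> bool:
    """Length rule plus one character from each class: lower, upper, digit, symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9\s]"]
    return len(password) >= 12 and all(re.search(c, password) for c in classes)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # previous (salt, digest) pairs
    failures: int = 0
    locked_until: float = 0.0


def create_account(password: str) -> Account:
    if not meets_complexity(password):
        raise ValueError("password does not meet complexity rules")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    return Account(salt=salt, digest=hash_password(password, salt))


def change_password(acct: Account, new_password: str) -> bool:
    """Enforce complexity and history; return False if the change is refused."""
    if not meets_complexity(new_password):
        return False
    # Each stored digest has its own salt, so the candidate is re-derived per entry.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            return False
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH - 1]
    acct.salt = os.urandom(SALT_BYTES)
    acct.digest = hash_password(new_password, acct.salt)
    return True


def verify_login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'locked', 'ok' or 'bad_password'; count failures and apply the lockout."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"  # refuse even a correct password while locked out
    if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return "bad_password"


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    acct = create_account("Correct-Horse-Battery-9")
    print("reuse refused:", not change_password(acct, "Correct-Horse-Battery-9"))
    print("login:", verify_login(acct, "Correct-Horse-Battery-9"))
```

The history check has to re-hash the candidate under every retained salt because each stored digest was produced with its own salt; that cost is deliberate, since it is the same cost an attacker would pay per guess against a stolen digest. Comparisons use `hmac.compare_digest` so that verification time does not leak how much of a digest matched.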

Our APIs and Customer integrations are protected using industry standards such as OAuth.

Each customer's data is separated from that of other customers, and each customer has individual keys for their encrypted data, which is encrypted using industry-standard strong encryption protocols.

The Scorebuddy service is coded and tested with common vulnerabilities, such as the OWASP Top 10, in mind.

Logging & Monitoring

Scorebuddy follows best-practice monitoring and alerting. Structured logging for information, error conditions, auditing purposes and security conditions is a normal part of application design, and exceptional or high-priority conditions are alerted to support staff immediately using best-in-class industry tools.

Scorebuddy's infrastructure also incorporates logging from numerous sources, which is centralised, stored off-site and retained for audit. Exceptional events are alerted to operations staff in real time.

Vulnerability Management

Scorebuddy has a comprehensive vulnerability management system which uses third-party services to continually perform internal, external and web application vulnerability testing and to generate tickets for items to be addressed. Patching takes place regularly, and high-priority vulnerabilities are controlled immediately. Scorebuddy regularly uses the services of third-party penetration testers to identify vulnerabilities for remediation.

Authentication, Privileges and Roles

Password protection per user: each user has an individual login and password. The customer can set a variety of password options, including password expiry and password history requirements.

Single Sign-On (SSO): Scorebuddy allows customers to enable or disable their enterprise single sign-on offering, such as Microsoft AD, Okta, OneLogin and Ping Identity.

Site level partitioning: each customer has their own instance logically separated from other customers.

User privileges: Scorebuddy uses a role-based access and permissions system. Each user can be assigned a role which allows them to perform actions appropriate to their position. Scorebuddy also allows for team and group permissions for organisation-based restrictions.

Platform Configuration Options

Scorebuddy offers a range of configurable options including:

IP restrictions: Customers can limit access to the system based on IP address.

Support Restrictions: Customers can turn on or off the ability to allow support staff to log into their instance.

Application Restrictions: customers have control over role-based access permissions, group and team permissions, security options, data retention policies and company settings.

Notifications

Customers can configure whether notifications for events are to be delivered to staff or not.

Payment Security

Scorebuddy uses Globalpay to receive customer payments. Details about Globalpay's PCI compliance can be found on their PCI compliance page.

Data/Network Services

Scorebuddy uses data and network services from Amazon Web Services, an internationally recognised leader in infrastructure and data security.

Further information on our service provider security practices can be found here:

AWS Cloud Security

AWS Compliance Programs