Webio - Information Security and Data Protection

Webio incorporates information security and data protection principles into everything we do.

Below are some of the ways in which we put this into practice.

Disaster Recovery and Business Continuity - Webio's disaster recovery plan is reviewed annually to ensure it remains fit for purpose.  Business continuity is assessed by the senior management team monthly.  We run an annual test of the disaster recovery plan to check that what we say on paper works in practice.  

Access - we operate on the principle of least privilege.  All employees sign individual user agreements that clearly set out their data protection responsibilities, password rules, the clear desk policy and their approved access to assets.  Individual user agreements are reviewed and re-signed annually and whenever an employee changes position or responsibilities.  Higher-level access can only be approved by the Information Security Manager.

Payment card data - we work with Spreedly so that you can process payments through WebioPay and remain compliant with PCI DSS.  Card data is never entered into the Webio application, so it is not captured by Webio and is not presented to your agents during conversations.

Hosting and database - our servers are hosted on AWS, with instances in the EU and the UK.  Our Amazon Aurora database provides multiple layers of security: all data is encrypted at rest and is encrypted in transit using TLS (SSL).  Access to the database is restricted to authorised users, requires multi-factor authentication and is granted on least privilege principles.

Vulnerability and Penetration Testing - we run regular vulnerability scans and complete an annual external penetration test.  Copies of the reports can be shared with you (at Webio's discretion) once a Non-Disclosure Agreement has been signed.

Backups - we do not take traditional offline backups of the system.  Instead, data is replicated live across multiple instances in multiple geographic locations, and we retain snapshots for 7 days.  Live replication protects against the loss of an instance or a location; the retained snapshots are what allow recovery from data corruption or accidental deletion, because replication propagates such changes to every instance immediately.

GDPR - we are fully compliant with the GDPR.  We have a suite of policies and procedures to ensure our team understands and complies with it.  We maintain a record of all our processing activities, as Article 30 of the GDPR requires.  We can support you in meeting your obligations in respect of Data Subject Access Requests.

How we do it

Training is critical to ensuring that the whole Webio team is aware of, and engaged with, their data protection and information security rights and responsibilities.  All new starters receive full training as part of their induction.  Quarterly training is completed by the whole team, and we actively share learnings and awareness.

Information Security Reviews and Data Protection Impact Assessments - these are conducted on all new and changing processes.  They assess risk and ensure that the highest levels of security and data privacy are maintained.


The proof

Webio is proud to have achieved ISO 27001 certification through a UKAS-accredited certification body.  We have always worked to high standards, but certification independently verifies that our information security management system meets the requirements of the standard.  We maintain an Information Security Management System (ISMS) that contains an Information Security Policy approved at board level.  All staff have access to our ISO navigator so they can easily locate the correct policies and procedures for the task at hand.

Webio is proud to host an annual industry round table at ConverCon.  This brings together leading industry figures to discuss the latest security developments and strategies.

Policy Checklist - we have more, but our key policies for information security and data protection are:
  1. Disaster Recovery Plan - Detailing Webio's Disaster Recovery and Business Continuity Plan.  Our Disaster Recovery and Business Continuity Plan is tested annually.
  2. Information Security Policy - The Board of Directors and management of Webio, located at 25 Temple Lane South, Dublin, which operates a Conversational Middleware Platform, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with Webio's goals, and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations, for conversational commerce and for reducing information-related risks to acceptable levels.
  3. Information Security Management System Policy - It is the policy of Webio to maintain an information security management system designed to meet the requirements of ISO 27001 in pursuit of its primary objectives and the purpose and context of the organisation.
  4. Security Incident Management Policy - The purpose of this policy is to ensure a consistent and effective approach to the management of Information Security Incidents, including communication on security events and weaknesses. It enables the efficient and effective management of Information Security Incidents by providing a definition of an Information Security Incident and establishing a structure for the reporting and management of such incidents.
  5. Data Protection Policy - This document contains Webio's Data Protection Policy Statement, responsibilities and roles under the GDPR, data protection principles, data subjects' rights, consent, security of data, disclosure of data, retention and disposal of data, data transfers, and information asset registers/data inventory.
  6. Training Policy - This policy applies to the training and awareness programme where relevant to the GDPR, compliance with the GDPR, and other matters relating to data protection and privacy.
  7. Clear Desk Policy - Webio is committed to providing a secure and welcoming environment for visitors and employees. As part of this commitment, a Clear Desk policy is being introduced to ensure that all printed/written information is securely stored and that desks can be freely used by others when not occupied.

We use third parties to manage our business processes and provide our Conversational Middleware.  You can view our current list of third parties at https://knowledge.webio.com/portal/en/kb/articles/data