Webio - Information Security and Data Protection

Webio incorporates information security and data protection principles into everything we do.

Below are some of the ways in which we put this into practice.

Disaster Recovery and Business Continuity - Webio's disaster recovery plan is reviewed annually to ensure it remains fit for purpose.  Business continuity is assessed by the senior management team monthly.  We also run an annual test of the disaster recovery plan to check that what we say on paper works in practice.

Access - we operate on the principle of least privilege.  All employees sign individual user agreements that clearly set out their data protection responsibilities, password rules, the clear desk policy and their approved access to assets.  Individual user agreements are reviewed and re-signed annually and whenever an employee changes position or responsibilities.  Higher-level access can only be approved by the Information Security Manager.

Payment card data - WebioPay lets you take payments through Webio while remaining PCI DSS compliant.  The Webio system does not accept card data into the app, so card details are never captured in a conversation or presented to your agents.

Hosting and encryption - our servers are hosted on AWS, in the EU.  Our Amazon Aurora database provides multiple layers of security: all data is encrypted both at rest and in transit, and access to the database is restricted to authorised users and granted on least privilege principles.

Vulnerability and Penetration Testing - we run regular vulnerability scans and commission an annual external penetration test.  Copies of the reports can be shared with you (at Webio's discretion) once a Non-Disclosure Agreement has been signed.

Backups - we do not take traditional backups of the system.  Instead, data is replicated live across multiple instances in multiple geographic locations, and we retain snapshots for 7 days.  Live replication protects against the loss of an instance or a region; because an accidental deletion or corruption is replicated too, the 7-day snapshots are the point-in-time recovery mechanism for those cases.

GDPR - we are fully compliant with the GDPR.  We have a suite of policies and procedures to ensure our team understands and complies with it.  We maintain a record of all our processing activities.  We can support you in responding to Data Subject Access Requests.

How we do it

Training is critical to ensuring that everyone on the Webio team is aware of, and engaged with, their data protection and information security rights and responsibilities.  All new starters receive full training as part of their induction.  Quarterly training is completed by the whole team, and we actively share learnings and awareness.

Information Security Reviews and Data Protection Impact Assessments - these are conducted on all new and changed processes.  They assess risk and ensure that the highest levels of security and data privacy are maintained.


The proof

Webio is proud to have achieved UKAS-accredited ISO 27001 certification.  We have always worked to high standards, but the certification independently verifies that our policies and procedures meet the standard.  We maintain an Information Security Management System (ISMS) that contains an Information Security Policy approved at board level.  All staff have access to our ISO navigator so they can easily locate the correct policies and procedures for the task at hand.

Webio is proud to host an annual industry round table at ConverCon.  This brings together leading industry figures to discuss the latest security developments and strategies.

Policy Checklist - we have more, but our key policies for information security and data protection are:
  1. Disaster Recovery Plan - Detailing Webio's Disaster Recovery and Business Continuity Plan.  Our Disaster Recovery and Business Continuity Plan is tested annually.
  2. Information Security Policy - The Board of Directors and management of Webio, located at 25 Temple Lane South, Dublin, which operates a Conversational Middleware Platform, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image.  Information and information security requirements will continue to be aligned with Webio’s goals, and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations, for conversational commerce and for reducing information-related risks to acceptable levels.
  3. Information Security Management System Policy - It is the policy of Webio to maintain an information security management system designed to meet the requirements of ISO 27001 in pursuit of its primary objectives and the purpose and context of the organisation.
  4. Security Incident Management Policy - The purpose of this policy is to ensure a consistent and effective approach to the management of Information Security Incidents, including communication on security events and weaknesses.  It enables the efficient and effective management of Information Security Incidents by providing a definition of an Information Security Incident and establishing a structure for the reporting and management of such incidents.
  5. Data Protection Policy - This document contains Webio's Data Protection Policy Statement, responsibilities and roles under GDPR, data protection principles, data subjects' rights, consent, security of data, disclosure of data, retention and disposal of data, data transfers, and information asset registers/data inventory.
  6. Training Policy - This policy applies to the training and awareness programme where relevant to the GDPR, compliance with the GDPR, and other matters relating to data protection and privacy.
  7. Clear Desk Policy - Webio is committed to providing a secure and welcoming environment for visitors and employees.  As part of this commitment a Clear Desk policy is in place to ensure that all printed/written information is securely stored and that desks can be freely used by others when not occupied.

We use third parties to manage our business processes and provide our Conversational Middleware.  You can view our current list of third parties at https://knowledge.webio.com/portal/en/kb/articles/data
