Our website enforces secure communication between you and our servers through 256-bit TLS/SSL encryption technology. You can verify this by clicking on the padlock icon to the left of our website URL (tesl-pro.com) at the top of your browser window. Your browser will then tell you whether or not the connection between you and the website you are visiting is secure. This is a good thing to check on any website you visit.
We also use Stripe, a well-known third-party payment processor, to handle all debit / credit card payments. We do not (and cannot) store your credit card details. Stripe takes your payment details securely and tells us when a payment is processed. This is all done across encrypted channels by Stripe and they never tell us your card details. We only get your name, email address and, if you supplied it, your address for processing your order.
How we protect your data
Our website security certificate is issued and managed by Cloudflare, who also implement various security mechanisms to prevent attacks on our servers. For both your safety and ours, we never access or store your payment card details. But, for your added peace of mind (and ours) we also protect your other account data in the following ways:
- Our website runs from a secure data-center in the United Kingdom whose administration account is secured using multi-factor authentication
- The administration account is only accessible by management level staff
- In order to access the administration account, 2 management level staff must both provide their security credentials. This way, no single employee can take over the admin account
- One of the layers of authentication is a Time-Sensitive One-Time-Password, while another is Biometrics based. The third layer is secret
- All staff’s multi-factor authentication keys are automatically revoked (requiring recreation) if ever a member of staff leaves the company. This ensures that data breaches, even by rogue ex-employees, are not possible
- Your payment card details are handled independently by the secure payment processing system at Stripe and can never be accessed (nor stored) by our servers under any circumstances
What about passwords?
We don’t even store your account password. Instead, we use a One Way Hash Function to create a cryptographic ‘shadow’ of your password. This looks like a long, random mess of digits which cannot be turned back into your password. But when you log in with your password, we hash your password and compare it to the password hash we have. This way, we are able to check that your password is genuine, without actually storing your password in our database.
What data breach procedures we have in place
Various forms of security software are employed to monitor and block attempts to attack our servers and prevent data breaches. In the unlikely event of a data breach we would immediately revoke and change all admin-level API keys, passwords and multi-factor authentication codes, restoring our servers from the last safe backup copy. This will not only make further intrusion into our system impossible, but also throw away any potentially insecure recent changes to our system. We would then inform our users of what data was breached and advise that they change their passwords. Finally, we would analyse our server logs to trace the cause of the data breach. Using this information, we can then implement any further measures necessary to prevent further such attacks.