Post by mogzi on Sept 3, 2014 11:21:20 GMT
Hi. Whilst browsing your site I found many spelling and grammar mistakes. Finding out who powers your platform caused me concern and explained why there are so many spelling and grammar mistakes.
I am not racist but I do not trust a software house based in Pakistan with any of my personal details. I am not sure if they have access to it but I presume they do have access to the database in order to carry out development work. Recent events there have shown the level of instability and corruption at the highest levels in Pakistan.
With such sensitive data, do you think it is a good idea to have these IT partners on board? Can you tell me what precautions you have taken to ensure personal data cannot fall into the wrong hands?
Until I get clarification on this I will not be registering.
Thanks.
Post by ablrate on Sept 3, 2014 14:43:52 GMT
Thank you for your feedback. We are auditing the site for spelling errors etc. and it is not necessarily the developers... we wrote the content and it does need auditing for spelling errors. We wrote a lot of content in a short space of time, so errors will inevitably occur.

The platform was built by Netsol, who are a NASDAQ-listed business specialising in building leasing software for the likes of Mercedes. They use the highest level of security, which is why companies like Mercedes use them. After the site was built we signed a support contract with the team that built the platform and we monitor access to the site very closely. The choice of Netsol was not on cost (they were by far the most expensive compared to any UK company we looked at) but on security, protocols and professionalism. We wanted to make sure that we built a secure system and that the data and information that we put through the platform is secure and protected.

We use Rackspace, one of the largest and most secure providers of servers, and we have access to all logs and to everybody who has accessed the site, and it is only the project manager and the company owner (which is an English company based in Milton Keynes) who have access to the database. We are in the process of taking on our own CTO, who will be joining the company shortly. He will be taking on the mantle of in-house security and future development.

As for personal data: we do not keep any bank details (a third-party processor who has processed 30 billion+ GBP does that) and we are removing the passport/driving licence information after it has been used for verification, as there is no need for us to keep it on file and that data is only used by Tracesmart (who are also the company Assetz Capital and others use). This will be in the next update.

I would say, however, that our developers have been nothing but professional since we took them on and we have no reason to believe that they are anything other than hard-working, professional people who have done, and continue to do, an excellent job.

Regards, Ablrate
Post by mogzi on Sept 3, 2014 14:57:59 GMT
Thanks for your reply.
In regards to spelling / grammar issues. You must appreciate that if you can't get that right you are not portraying the best impression for me to part with my cash to you. As you are a new entrant it is even more imperative that you don't make these mistakes.
I have no concern with who you host the website with, (Rackspace), and who you use for identity checks, (Tracesmart).
What I was concerned about was the link to a company called Brainiacs Tech on the bottom right of your homepage. You state that your site is powered by this company. In your response you don't mention them at all? It is these who I am concerned about potentially having access to your DB, which would obviously contain name, address and DOB amongst other things, which is all that is needed to carry out identity fraud. Can you elaborate on what Brainiacs Tech do for you or have done for you please?
Post by ablrate on Sept 3, 2014 15:17:25 GMT
Hi, I can understand the spelling/grammar issue and that is being addressed as we go through the site audit. I mention Rackspace to demonstrate that we have spared no expense in securing our site with the best host, on a dedicated server, and that is reflected also in our attitude to security and who has access to what.

Forgive me for not making it clear: when I said "After the site was built we signed a support contract with the team that built the platform and we monitor access to the site very closely", this team is Brainiacs, who came out of Netsol Corp. Netsol successfully cleared ISO 9001, ISO 27001 and SEI CMMI Maturity Level 5 (V1.2) assessments, a distinction shared by fewer than 140 companies worldwide, which is why we chose them. The Brainiacs team were the developers at Netsol and have formed their own company. As they developed the platform it made sense for us to have our support contract with them in the period where we begin to bring the entire platform, and its development, in-house. The company is, in fact, a UK business with the developers based in Pakistan.

Regards, Ablrate
Post by mogzi on Sept 3, 2014 15:41:42 GMT
Looking at the Brainiacs website I noticed they don't even have their own domain name in their email address. They use a .live address which again does not portray professionalism or integrity.
They may have an operating business entity in the UK but you reinforce my point about the actual developers being based in Pakistan who no doubt need access to your DB to be able to work on your site. You may be able to monitor access to the site but do / can you monitor access to the DB? This is my main concern.
QUOTE: 'The company are, in fact, a UK business with the developers based in Pakistan' - Sorry but I disagree with this statement. Their site says their head office is in Pakistan which leads me to believe the office in the UK is only a satellite office. They are advertising for 2 job roles, both based in Lahore. Also their UK company was setup only 5 months ago in the UK according to Companies House.
Let me clarify: if this was a site that did not use personal data, I would not be concerned that they were involved in the development. I am just very cautious and suspicious of developers outside the UK, as no jurisdiction in the world can reach Pakistan in its current state. How do you know they won't retain a 'back door' into your system and/or maintain access to your DB once you bring the IT in-house? What do you think you could do about this if they did this? Would you even know?
I would feel much better if you could assure me that they have not had access, and will never have access at all, to your DB which contains personal information.
I am just raising a point which I am sure other lenders may be a little put off by and giving you a chance to address it early on.
Post by ablrate on Sept 3, 2014 16:34:06 GMT
I can understand any concerns about security, which has been a major part of building the site, and continues to be so.
As I mentioned, the company came out of Netsol, the development company who built the site, hence their recent formation. We have been working with the team for almost a year now and know the management very well.
The DB has restricted access within their company and, I would add, within ours, and we are able to see when it is accessed and by whom.
Regarding any back doors: our system will be subject to a security audit shortly that will highlight any areas where security can be improved, and any recommendations will be implemented. We will be performing this audit every six months as part of our security procedures, and there will be no back doors, I can assure you of that.
In any business there has to be an element of trust in the people you work with; we performed due diligence on the team and on the people who look after our system. There are two people who can access the DB: one is in-house, the other is the project manager who we have been working with for the past year. When our CTO joins in the coming weeks he will also have access, and DB access will then be restricted to just him.
Again, I understand any security concerns, but be assured it is our top priority.
Regards, Ablrate
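The post above says the owners can see when the database is accessed and by whom, and that only two named people should be doing so. One way to act on that, as an added example that is not Ablrate's or Brainiacs' code: a short review script that reads a database access log and flags any principal outside the allow-list, any connection from outside the expected office network, and any read of the table holding personal data outside working hours. The log format, the login names, the network range, the table names and the hours are all assumptions for illustration, and the sample log lines are constructed.

```python
"""Review a production database access log against the short list of people
who are supposed to be able to reach it.

Added example, not Ablrate's or Brainiacs' code. The log format, user names,
network range, table names and working hours below are assumptions for
illustration; the log lines are constructed, not real.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed audit-log format: "<ISO timestamp> <user> <source IP> <ACTION> [key=value ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<user>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<action>[A-Z]+)(?: (?P<detail>.*))?$"
)

# Constructed sample log (assumed names and addresses, not real).
SAMPLE_LOG = """\
2014-09-08T09:12:04Z pm_uk 10.20.0.15 LOGIN database=ablrate_live
2014-09-08T09:12:09Z pm_uk 10.20.0.15 SELECT table=loans
2014-09-08T11:40:31Z inhouse_admin 10.20.0.7 LOGIN database=ablrate_live
2014-09-08T23:58:12Z dev_contractor 203.0.113.44 LOGIN database=ablrate_live
2014-09-08T23:58:40Z dev_contractor 203.0.113.44 SELECT table=users
2014-09-09T02:15:00Z pm_uk 198.51.100.9 SELECT table=users
2014-09-09T02:15:00Z malformed entry with no source address
"""

ALLOWED_USERS = {"pm_uk", "inhouse_admin"}             # the two people named in the post (assumed login names)
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed office/VPN range
SENSITIVE_TABLES = {"users"}                           # assumed table holding name, address, DOB
WORKING_HOURS = range(8, 19)                           # assumed 08:00-18:59 UTC


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    # "database=ablrate_live table=users" -> {"database": ..., "table": ...}
    ev["detail"] = dict(kv.split("=", 1) for kv in (ev["detail"] or "").split() if "=" in kv)
    return ev


def review_access_log(text, allowed_users=ALLOWED_USERS, allowed_nets=ALLOWED_NETS):
    """Flag accesses that contradict the stated access policy.

    Returns {"findings": [(timestamp, reason, detail), ...],
             "per_user": Counter of events per principal,
             "unparsed": number of lines that did not match the format}.
    Unparsed lines are counted rather than silently dropped, because a log
    that stops matching its format is itself something a reviewer should notice.
    """
    findings, per_user, unparsed = [], Counter(), 0
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        per_user[ev["user"]] += 1
        if ev["user"] not in allowed_users:
            findings.append((ev["ts"], "unexpected principal", ev["user"]))
        if not any(ev["src"] in net for net in allowed_nets):
            findings.append((ev["ts"], "unexpected source", str(ev["src"])))
        table = ev["detail"].get("table")
        if table in SENSITIVE_TABLES and ev["ts"].hour not in WORKING_HOURS:
            findings.append((ev["ts"], "sensitive table outside working hours", f"{ev['user']} read {table}"))
    return {"findings": findings, "per_user": per_user, "unparsed": unparsed}


if __name__ == "__main__":
    report = review_access_log(SAMPLE_LOG)
    for ts, reason, detail in report["findings"]:
        print(f"{ts.isoformat()}  {reason}: {detail}")
    print("events per principal:", dict(report["per_user"]))
    print("unparsed lines:", report["unparsed"])
```

A review like this only helps if the allow-list is maintained by someone other than the people on it and the log is written somewhere the database administrators cannot edit; otherwise the two people who can access the database are also the two who can remove the record of having done so.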
Post by easteregg on Sept 8, 2014 21:58:07 GMT
Speaking as someone who works with websites and databases on a daily basis: if the website can access the database, so can any developer who works on the website. If they couldn't access it then they would not be able to support it effectively.
Post by ablrate on Sept 8, 2014 22:20:27 GMT
Hi
Very true, and something we have taken into account with the restrictions on access to the development. I met with the management of the company today and went through these points again, and we are satisfied that we have the right protocols in place. That being said, we are having a security audit done as a matter of course and will be implementing recommendations in the near future... As an aside, to those who have asked, we are implementing the two-step login, and the inactivity time limit has been implemented.
Regards, Ablrate
Post by mogzi on Sept 11, 2014 12:44:36 GMT
Hi. I have looked at your registration with the ICO. It clearly states:
Quote:
'Transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.'
The above states you will ONLY share the data within the European Economic Area (EEA). Is Pakistan in this area? I am highly frustrated at your efforts to avoid my direct concern with personal data being available in Pakistan.
All the changes you mentioned in your previous posts will not solve my issue / concerns I am afraid, as it will already be too late by then. I am not a lawyer, but IMO I feel you have broken your DPA obligations already.
Post by ablrate on Sept 11, 2014 14:19:03 GMT
Hi, forgive my seemingly tardy response, but I wanted to speak with the Information Commissioner's Office to run this through with them so I could give you a full and informed response. We wouldn't want to avoid any obligations to customers, or potential customers, to answer questions on privacy or, indeed, to look into those concerns and do something about them, if we are advised so.

To answer your question and concern about where information is available: when we were setting up the development of the platform and registering for permissions we consulted the DPA and ICO guidelines on protocols for protecting data and we implemented those protocols. We used Netsol, a NASDAQ-listed business, knowing that their team were in Pakistan, but who are one of only 140 companies worldwide to receive certain ISO standards; we chose them for this reason and because very large firms such as Mercedes etc. have deemed the company compliant. Netsol decided, at the sign-off of our system, that they would be concentrating on developing the leasing systems that they create and would not be able to support the platform. However, the same team that developed the platform would now provide a support role for the platform, albeit under a different company name but with the same protocols in place and still managed from the UK. I say this to demonstrate that we were looking at how things would be set up from the beginning. We believed then, as now, that the correct protocols were in place to protect data.

In order to fully confirm that we have set things up correctly, and answer your direct concerns succinctly, we have spoken with the Information Commissioner's Office on the points you mention in your post. Their response was: '... we are aware that many, many companies seek to provision online development services and other services (such as bank and credit card call centres) overseas and just because that company is based overseas does not automatically suggest that obligations under the DPA are being broken. The key is that the data protection protocols are in place that protect that data as per guidance'. We spoke at length about the protocols we have in place, where the data is actually located (on a dedicated secure server in the UK and nowhere else) and how that data is handled. The response was: '... the information you have supplied is what we would look for companies to have in place when implementing data protection ...'. On that point we feel confident that the protocols we have in place are sufficient under the DPA, as confirmed by the ICO.

However, there can never be enough security. In my opinion, wherever our developers are based we would have these same protocols in place and, as we have mentioned previously, that does not stop us from looking further at different protocols for our customers' and our own comfort. Therefore we are, as part of an ongoing review of security, seeking to put some additional security measures in place. We cannot detail those here on a public forum, of course, but we feel that we have more than complied with our DPA obligations and are striving to make sure we do everything to protect the interests of customers.

An example of one of the protocols that is in place is the development of the site on a dedicated dev server. What this essentially means is that if the development team is performing a particular system-wide upgrade, such as the 'Instant Returns' feature, which requires a number of developers, this is done by a team on that dev server with dummy data. That wider dev team have zero access to any real data, because they do not have access to the live site. When it comes to uploading onto the live server, that is implemented by the project manager on the say-so of our team. We deal directly with the project manager on any small issues such as CSS changes etc. Of course we are aiming to do all of this in-house for speed as well as security, and will be moving all that in-house soon.

We are genuinely happy with your feedback, missmogzi; it keeps us thinking all the time about what protocols are in place and whether they are good enough. Others have commented elsewhere on UI processes etc. and we have had a number of calls with Lenders about what they would like to see on the platform. Security is obviously one of those areas that will never be finished on the site and should always be questioned by ourselves when looking at every aspect of the site, from development to who has access to the administration section.

Regards, Ablrate
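The post describes the wider development team working on a dedicated dev server with dummy data rather than live records. The following, as an added example and not code from Ablrate or its developers, shows one way to produce such a data set from the live table: each personal field (name, address, date of birth, passport number, email) is replaced by a value derived from a keyed HMAC, so the same real value always maps to the same dummy value and relationships between rows survive, while non-personal fields such as balances are left intact so the feature under test behaves realistically. A final check confirms none of the original personal values remain in the export. The column names, sample records and key are assumptions for illustration; the records are constructed and describe no real person.

```python
"""Build a dummy copy of the users table for the dedicated dev server.

Added example, not code from Ablrate or its developers. Column names, the
sample records and the key are assumptions for illustration; the records
are constructed and describe no real person.
"""
import hashlib
import hmac
from datetime import date, timedelta

PII_FIELDS = ("name", "address", "dob", "passport_no", "email")  # assumed column names

# Placeholder key. In practice it stays with whoever runs the export on the
# live side and is never copied to the dev server.
DEV_MASK_KEY = b"placeholder-key-kept-on-the-live-side"

# Constructed sample of live records (not real people). Record 3 repeats the
# name from record 1 to show that masking is consistent across rows.
LIVE_USERS = [
    {"id": 1, "name": "Jane Example", "address": "1 Test Street, Milton Keynes",
     "dob": "1980-04-12", "passport_no": "123456789", "email": "jane@example.org",
     "balance_gbp": 2500},
    {"id": 2, "name": "John Sample", "address": "2 Test Street, Milton Keynes",
     "dob": "1975-11-30", "passport_no": "987654321", "email": "john@example.org",
     "balance_gbp": 10000},
    {"id": 3, "name": "Jane Example", "address": "3 Another Road, Lahore",
     "dob": "1990-01-01", "passport_no": "555555555", "email": "jane2@example.org",
     "balance_gbp": 0},
]


def _digest(key, field, value):
    """Keyed, deterministic digest of one field value (same input -> same output)."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_value(key, field, value):
    """Replace one personal value with a dummy that keeps the field's shape."""
    d = _digest(key, field, value)
    token = d[:6].hex()
    if field == "dob":
        # A plausible adult date of birth in the years 1900-1939, so age checks
        # still run in dev, but never the real date.
        days = int.from_bytes(d[:2], "big") % (365 * 40)
        return (date(1900, 1, 1) + timedelta(days=days)).isoformat()
    if field == "passport_no":
        # Obviously synthetic prefix; cannot collide with a real 9-digit number.
        return "DEV" + str(int.from_bytes(d[:4], "big") % 10**6).zfill(6)
    if field == "email":
        return f"user-{token}@dev.invalid"  # .invalid never resolves, so dev cannot mail real people
    return f"{field}-{token}"


def mask_records(records, key):
    """Return copies of the records with every PII field replaced.

    Non-personal fields (id, balance) are kept so that a feature being built
    on the dev server still sees realistic structure and numbers.
    """
    masked = []
    for rec in records:
        out = dict(rec)
        for field in PII_FIELDS:
            if field in out:
                out[field] = mask_value(key, field, str(out[field]))
        masked.append(out)
    return masked


def leaks_real_pii(masked, originals):
    """Set of original personal values that still appear anywhere in the export."""
    real = {str(r[f]) for r in originals for f in PII_FIELDS if f in r}
    return {str(v) for rec in masked for v in rec.values() if str(v) in real}


if __name__ == "__main__":
    export = mask_records(LIVE_USERS, DEV_MASK_KEY)
    for rec in export:
        print(rec)
    print("leaked values:", leaks_real_pii(export, LIVE_USERS) or "none")
```

The key must stay on the live side with whoever runs the export, since anyone holding it can test whether a guessed real value maps to a given dummy value. Run `leaks_real_pii` on the export before it leaves the live environment, and regenerate the dev data set from scratch rather than patching it by hand, so that a real record never slips in through a "quick fix".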
Post by mogzi on Sept 11, 2014 17:01:30 GMT
Thank you for your detailed response. That does help clear some of my concerns but not all.
Banks are very different and have far more regulation governing them over and above the ICO. They also have much more to lose. AFAIK banks don't use companies in Pakistan; they use established, vetted third-party call centres to deal with enquiries in India. I must point out that India and Pakistan are two very different places although they are neighbours.
I am pretty sure UK banks do not outsource their IT development to Pakistan, nor are they linked to any company there. Your developers' own website has spelling and grammar errors, so it figures why your site does also. How can I take a software house seriously when their own site has spelling and grammar mistakes?
Although call operators in India may have access to some details they certainly do not have or have HAD access to the banks main databases and the ability to retain a link into it.
I am worried that they may be able to commit identity fraud, unhindered and untouchable from Pakistan.
Your site may be very secure now and your future plans robust, but I'm afraid I am still not comfortable to join and give my sensitive personal details for you to store in a DB.
I do however wish you the best of luck and thank you for trying to address my concerns on here, it is very much appreciated.
Post by ablrate on Sept 11, 2014 17:40:57 GMT
Hi, I can't comment on who banks use or don't use as I don't have those facts, but Netsol and the current team have dealt with very large companies and would not have gained the ISO standards they have if they were not compliant. Having said that, I fully take on board your comments about the site that our developers have, and the grammatical and spelling errors. I passed on your comments to them when I had a meeting with the management and told them they needed to up their game on that if they want to be taken seriously as a development house separate to Netsol, especially since there are jurisdictional concerns. I believe that is something they have taken on board, as we said that their site could be a reflection on their customers; this point is well taken.

Identity fraud is a concern whoever does the development, which is why we have the protocols in place to restrict access to the DB and client-sensitive data. Although the team are in Pakistan, our support contract is with the UK business and its management, and any instance of a deviation from protocols and procedures would immediately result in them being fired, and they know that, as is the case with all third-party providers we use to run the site.

I appreciate that you may not be comfortable and that is your absolute prerogative; we wish you all the best and hope you would consider us in the future. I would like to thank you for your feedback and honest comments, as feedback and dialogue are very valuable to the progress of Ablrate.

Thanks again. Regards, Ablrate