Merlin Spotlight: Security & Data Safety


The global pandemic has encouraged more and more businesses to take their software into the cloud. With staff working from home, traditional office-based servers have been unable to support this new working reality. Indeed, many businesses, including resorts, are unlikely to return to full on-site working any time soon.

While the opportunities and benefits offered by SaaS providers are now being understood, business managers may have concerns about security and data safety.

So, for this Merlin Spotlight, we asked Merlin Software’s Director of Technology, Kyle Pnematicatos, some key security questions you should ask any cloud-based software provider.

Where are Merlin’s servers located?

All Merlin services are hosted within secure datacentres provided by RackSpace in London, UK, and Sydney, Australia, with a Disaster Recovery Solution hosted in the Dallas Fort Worth datacentre.

RackSpace is an industry leader in the managed server and cloud hosting environment. The company is responsible for providing physical security, power, cooling, HVAC, monitoring and network guarantees for all services and devices on which Merlin is hosted. 

Each data centre is restricted by biometric authentication and 24x7x365 surveillance, allowing only authorized personnel access to the datacentre facility and the physical devices which Merlin uses. 

Uninterruptible power supplies protect against power outages and against sags, surges, swells, spikes and electrical noise. An N+2 redundant chiller configuration and redundant water sources ensure that consistent temperatures are maintained throughout all RackSpace facilities.

Each facility has redundant HVAC systems designed for immediate failover and is equipped with air handling units to remove dust and contaminants. They also offer a robust network which includes four transit providers, allowing them to shift traffic as necessary and guarding against any single point of failure, all of which are ranked by Dyn in the top five globally.

The RackSpace Service Level Agreement that we have in place guarantees that our services receive the most uptime possible in this type of hosted environment. In the event of hardware or infrastructure failures, the Service Level Agreement covers the time to remedy such failures.

Can you tell me about Merlin’s redundancy?

All Merlin Servers have as much built-in redundancy as is available at the hardware level. All client data stored in our SQL Database is housed in a RackSpace Storage Area Network, ensuring uptime and data consistency.

Our SQL Instances are run on an Active/Passive SQL Cluster, ensuring optimal uptime in the event of a single server hardware failure. In addition, 15-minute incremental backups are taken of the SQL Database.

These backups are then shipped off-site to the Disaster Recovery Solution in the USA.

All web servers are monitored and can fail over to passive web servers in the event of a single server hardware failure.

Merlin also employs a Private Cloud Server solution which allows us to scale out our web server footprint when required.

All Merlin Servers are hosted and managed by RackSpace, with sufficient on-site monitoring of each server to ensure that any issues are detected and resolved.

Merlin has also deployed its performance, SQL monitoring and bug reporting solutions to ensure that its applications are running optimally.

Do you provide Transport Layer Security (TLS)?

Yes, we employ TLS, which encrypts all data in transit between our servers and the end user’s browser whenever data is transferred over the internet.

How often do you perform penetration tests?

As part of Merlin’s commitment to providing a secure platform for our customers, we regularly undergo vulnerability scans on our software systems performed by a third-party agency, Security Metrics.

Merlin also regularly performs penetration tests on the dedicated and local networks to ensure that we are aware of any potential vulnerabilities in our systems.

Testing of staff for social engineering and phishing attacks is also performed at random intervals to ensure that there are no human vulnerabilities in our environment.

Is the data encrypted?

Yes, we encrypt sensitive data within the Merlin databases once it has been stored. This prevents the data from being read out of the database on any machine other than the original system where it was entered, namely the Merlin servers.

Who has access to my data in your platform?

Via the Merlin Software front end, you have access to your data. We have built Merlin in a way that prevents our customers from seeing each other’s data.

Access to any production data hosted on the Merlin servers is strictly controlled. There are only two Merlin staff members who have access to the Production Merlin Servers and the data contained within.

These staff members are trusted, vital personnel and have been in the employment of Merlin for 14 and 27 years, respectively.

Our software developers only have access to a development environment where all client data has been obfuscated to hide the personal information of our clients and their customers.

No customer data is stored on a developer’s local machine. Merlin’s development life cycle ensures there are adequate staging and quality assurance instances from which we continuously test our software. This ensures that any bugs and potential issues with our development are picked up and resolved before being released to production.

Appropriate change and version control mechanisms are implemented to ensure that all modifications to our software are tracked accordingly.

Merlin support staff have access to the production data of our customers. This interaction is typically initiated via a support ticket requesting assistance, or when performing project management duties which require access to the data.

All Merlin staff are required to sign various non-disclosure agreements and to abide by company security policies when viewing any customer data.

In addition, Merlin complies with and abides by GDPR, PCI DSS, the POPI Act and various Privacy Acts. No customer data should exist on any Merlin staff member’s personal computer as a result of accessing any part of Merlin Software. When building reports, this is always done with data from a development server where personal information has been obfuscated.
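The answer above states that Merlin is built so that customers cannot see each other’s data. The following is an added illustration of what that property looks like at the query layer in a shared-database, multi-tenant application; it is example code written for this page, not Merlin’s own code, and the schema, the `Session` class and the sample rows are constructed assumptions. It contrasts a lookup that trusts only a record id (the classic insecure-direct-object-reference mistake) with one that is always scoped by the tenant id taken from the authenticated session rather than from the request.

```python
import sqlite3

# Constructed sample data: two tenants (resorts, ids 100 and 200) sharing one
# database table. These rows are invented for the example.
SCHEMA = """
CREATE TABLE owners (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    email     TEXT    NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "Alice Owner", "alice@example.com"),
    (2, 100, "Bob Owner",   "bob@example.com"),
    (3, 200, "Carol Owner", "carol@example.com"),
]


def open_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO owners VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


class Session:
    """Hypothetical authenticated session. The tenant id is fixed at login
    and is never read from request parameters the user controls."""

    def __init__(self, tenant_id):
        self.tenant_id = tenant_id


def find_owner_unscoped(conn, owner_id):
    """Weak pattern: looks a row up by primary key only. Any logged-in user
    who guesses or increments an id can read another tenant's record."""
    return conn.execute(
        "SELECT tenant_id, name, email FROM owners WHERE id = ?",
        (owner_id,),
    ).fetchone()


def find_owner_scoped(conn, session, owner_id):
    """Hardened pattern: every query is predicated on the session's tenant.
    An id belonging to another tenant simply returns nothing, which is
    indistinguishable from a non-existent id (no information leak)."""
    return conn.execute(
        "SELECT tenant_id, name, email FROM owners "
        "WHERE id = ? AND tenant_id = ?",
        (owner_id, session.tenant_id),
    ).fetchone()


def list_owners(conn, session):
    """Listing is scoped the same way; there is no unscoped listing at all."""
    return conn.execute(
        "SELECT id, name FROM owners WHERE tenant_id = ? ORDER BY id",
        (session.tenant_id,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    tenant_100 = Session(100)
    # Unscoped lookup leaks tenant 200's record to a tenant 100 user.
    print("unscoped:", find_owner_unscoped(db, 3))
    # Scoped lookup returns None for the foreign id and the row for its own.
    print("scoped, foreign id:", find_owner_scoped(db, tenant_100, 3))
    print("scoped, own id:", find_owner_scoped(db, tenant_100, 1))
    print("listing:", list_owners(db, Session(200)))
```

The design point is that tenant scoping is not something each query author has to remember; in a real system the `tenant_id` predicate is enforced centrally (a query wrapper, an ORM default scope, or database row-level security), so that a forgotten `WHERE` clause fails closed rather than open. Parameterised queries are used throughout so the same example does not introduce SQL injection while fixing the isolation problem.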

Who owns this data if we stop using you as a supplier?

Our customers own all their data. We are simply the processing and storage facility for our customers. Once a customer requests termination of our services, we provide a backup of the data in a human-readable format. Once the customer has been made inactive in Merlin, we will delete all data for that customer from our systems within 30 days.

Are you PCI-Level 1 compliant?

Yes, we have PCI DSS Accreditation.

If you would like to find out more about Merlin’s security, please contact Mark Thomas, Head of Sales, at markt@quickmerlin.com.
