Security and compliance are top priorities for Compare and Recycle because they are fundamental to your experience with the product. Compare and Recycle is committed to securing your personal continuity of access.
Compare and Recycle uses a variety of industry-standard technologies and services to secure your data from unauthorised access, disclosure and loss. We also take steps to ensure we collect only the information that is relevant to the order and only retain this data as necessary to assist with queries and as required by law.
Infrastructure and Network Security
Physical Access Control
AWS’s data centres are state of the art, utilising innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Compare and Recycle employees do not have physical access to Amazon's servers and storage. All data is stored within the London (eu-west-2) and Ireland (eu-west-1) regions.
Logical Access Control
Compare and Recycle is the manager of its infrastructure on the AWS Platform, and only select authorised Compare and Recycle operations team members have access to configure the infrastructure.
Amazon Web Services undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centres, infrastructure, and operations. You can find a full list of all certifications such as ISO 27001 in the Amazon Security Center. Multiple services offered by Amazon Web Services also follow the CISPE code of conduct which can be verified at https://cispe.cloud/publicregister/.
Our servers are all located within private networks and access is limited to the operations team, where certain actions are logged. Compare and Recycle's servers (including databases) are automatically patched with the latest security updates, and firewall rules are regularly reviewed.
Business Continuity and Disaster Recovery
Every part of the Compare and Recycle service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
All stored data is replicated 6 times in 3 different availability zones, with daily encrypted backups which are kept for 4 days. In the unlucky event of production data loss, we will restore data from these backups. In these events data loss is possible and customers will be notified.
In the event of a region-wide outage, Compare and Recycle will attempt to bring up a duplicate environment in a different region. Some pages might still be available and core pages are served from over 100 points across 24 countries.
Reliability of Information
Our prices are provided by external feeds, which are received via SSL directly from our merchants. We check/update our prices every 10 minutes. We contact customers in the unlikely event that they have accepted an expired price.
Data through System
Most requests are sent securely to Compare and Recycle via TLS. We currently use an Extended Validation certificate on www.compareandrecycle.co.uk and only allow the use of TLS 1.2 or higher. Some older browsers might not be supported on our platform.
The latest Compare and Recycle SSL Labs report can be found here.
Data out of System
As part of the service, we send personal data and bank details to the selected merchant for processing. We use SSL and personal details are sent to the
Data Security and Privacy
Your personal information will be retained to assist any support queries for 12 months.
If you have requested to receive marketing in the form of newsletters, we will retain your information for 36 months. After this period we will remove your data from our marketing list and database if you have not re-used the site.
All customer data stored on Compare and Recycle servers is removed when a user requests it. They can do this by contacting firstname.lastname@example.org.
Requests and errors are logged for up to 30 days but are also encrypted and archived for up to 60 days. We store these logs to ensure system security and provide a reliable service. Most requests logged should not store any personal information and for core pages data magnification is used.
Intrusion detection systems
We analyse all traffic between our servers to check for intrusion attempts and investigate any issues found. We also check employee logins to core systems and run risk analysis to identify compromised accounts.
Services which data can be shared with
HasOffers by Tune
Our application shares data with HasOffers by Tune so we can track sales and orders across the merchants. The IP address, device ID and order number will be shared and will follow their retention policy. This data is not explicitly personally identifiable.
Our application shares data with New Relic so we can monitor performance and ensure maximum service availability. Details about a request such as the URL headers and the IP address are submitted to their servers, but no other personal information relating to the user or any orders which are placed is submitted. For more details about New Relic security policies you can read the New Relic Security Whitepaper.
Application issues and errors are recorded. All event data is summarised and deleted after 90 days.
We strive to follow the best security practices and take measures such as enforcing full-disk encryption and other security features on all company-provided workstations.
Compare and Recycle follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Compare and Recycle notifies customers of any data breaches as soon as possible via email.
If you would like to report a vulnerability or have any security concerns with a Compare and Recycle product, please contact email@example.com.
Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.
If you wish to report a vulnerability and wish to protect the message, please use the following PGP key:
CF7C 514C 09ED 0EDD F94D 93A2 F426 8248 CD9D 7A71