Keeping your e-shot account secure

The e-shot platform offers a high level of security by design to its customers.

It is, however, the responsibility of our customers to ensure that their users are trained and equipped to maintain the level of adequate security of their information and data. But we are here to help and support you with this.

e-shot helps to achieve this in 5 key ways 

1. Training

As part of your initial account set-up, we will arrange training for all your users.

We provide two levels of training

• Training sessions for administrators. 

• Training sessions for new users. 

Administrator training includes all aspects of account management, including how to set up new users, enforce MFA, apply role restricted access and deactivate user access.  They are also given details of where they can view activity logs along with more in-depth training on the functionality of the platform.

User training gives users operational training on the various features and functions of the platform, along with full details of how to access additional help, whether that is through our on-line resources, approaching the account administrator (for example if they are experiencing issues with resetting their password) or by contacting our Customer Success team.

We do not put any limitations on the number of users that you can have active in your account to ensure that we are not putting a financial penalty on increased auditability. All users need to have their own login with their own security credentials and our Customer Success team will always verify identity where the query requires certain privileges and any password reset issues will be directed to the account Administrator in the first instance.

2. Administrator Access and role restricted access for users

Account administrators have complete control over user management including role-based and restricted access to sensitive sections e.g., Contacts (CRM) section. 

When setting up new users Administrators are encouraged to consider the level of access their users need to ensure, for example, only those uses that need to work with contact data have access to it. The nature of email communications mean the data that users would be processing includes linked and linkable Personal Identifiable Information (PII) and even, depending on your business, personal data that is considered Special Category due to its sensitive nature, so it is important to ensure that the right people are working with your data and that they are fully aware of their data security responsibilities and obligations.

We also advise Administrators to regularly review and maintain their account users and permissions. It is just as simple to increase permission levels or deactivate users, so keeping your user list up-to-date and correct takes a matter of moments.

3. Activity Audit logs

In the settings section of the platform Administrators can view activity logs of all users, by subaccount.

4. Enabling access restriction by IP (or range), for users and API calls. 

We can set access restrictions by IP for both user access and API access for increase security. If this is something that you are interested in, simply contact our Customer Success team to discuss the set up and authorisation requirements.

5. MFA and Single Sign-on (SSO)

For added security, over an above the required strong password users can set up 2-factor authentication on their user profile. It is also possible for account Administrators to enforce two-factor authentication across all users.  You can find out more about MFA and how to set it up on your account in our dedicated articles.

e-shot supports Single sign-on (SSO) via Microsoft. If you wish to consolidate your authentication through Microsoft, you can use your Microsoft authentication credentials to validate your login.

Service and Security – more than just a Software (SaaS)

e-shot is not a typical SaaS. We offer software and a service, and we’re proud that this makes us different. We offer help, training, consultancy, best practices with a team of experts always on hand to assist, whether you need marketing or technical assistance. 

As a SaaS the e-shot console is public facing, so we have a number of restrictions also set in the background for account security. 

• Each client information and data is stored in their own separate database. 

• Users require username and password (complex) to login or can use the Microsoft authentication route to log in. 

• Only one concurrent login session is allowed for a user. 

• All login attempts are recorded, including where the credentials entered are invalid. 

• The number of invalid login attempts are restricted. 

• The change and forgotten password policies use a low friction RECPATCHA engine to ensure systems are not attempting to brute force attack into the platform. 

Access to all e-shot publicly accessible interfaces is behind cloud security protection and prevention. 

• Protection against DDoS attacks 

• Proxy service

• TLS access restriction

• HTTPS (SSL) enforced 

• Firewall rules 

• WAF (Web Application Firewall) 

• Monitoring, logs and auditing 

• Deep forensics for investigation and prevention based on suspicious transactions which can be converted and added to the rule base policy. 

• Access to all monitoring tools is restricted by user and role. 

The physical platform and infrastructure are behind enterprise grade firewalls that set to block all traffic by default except for authorised traffic via our cloud security. It is also set up to monitor, log and prevent unauthorised, suspicious traffic.  Further measures include real-time health monitoring services for Database, application, and server performance. 

For more information about account security or technical and operational security take a look at our security page, alternatively if you have a specific question please feel free to get in touch.