System Security & Recovery FAQ

Last Reviewed
2025-05-22
Next Review Due 2026-05-22

Calculus ensure your system is secure and safe. Unfortunately, though, things can go wrong. Our environments ensure you stay safe, and in the event you do have a disaster, we can get you back online as quickly as possible.

Below are some common questions we get asked surrounding your system security and recovery.

Unless your agreement or the questions otherwise specify, the protection and security is provided only to hardware that is on an active agreement with Calculus. If you have 3rd-party hardware, the protection and backups will be managed by that party.

NCompass

What protection is on my NCompass system?

Leased servers and workstations will come with our EDR platform that monitors for malicious behaviour, as well as 17 performance metrics. 

Purchased servers are provided with:

  • EDR and monitoring on the core (or "main") server.
  • Anti-Virus and Malware, with some core performance monitoring metrics on any subsequent servers. Local backups of the database are also performed daily.

Purchased workstations are provided with:

  • Anti-Virus and Malware, with some core performance monitoring metrics

You can extend a more comprehensive protection plan to any of your workstations. Contact the sales team to find out more.

Is my NCompass System backed up?

Yes. As standard you will get a daily backup of your database locally for speed in the event of a disaster, and an offsite encrypted backup for security and safety; this is stored for a rolling 7 days.

If you have a 3rd-party server, Calculus will not back up your data without an express written agreement.

The backups provided can be upgraded on any servers or workstations to include more comprehensive backups. Contact the sales team to find out more.

Our cloud platform provides more frequent rolling backups.

What about remote access for NCompass Apps?

Access to the API is based on timed tokens and is secured with an SSL certificate on the API (where the app talks to in order to exchange data).

What measures should I implement on my NCompass System to maximise security?

By default, NCompass and its relevant infrastructure operate on a least-privilege basis. What this means is that the users of your system will only be able to access the parts of the system they need, and nothing further unless they are expressly granted that permission. NCompass has a security rights option in the administration menu which allows you to grant and deny access to your users at a granular level.

In the unlikely event our monitoring detects suspicious activity, the support team will start the runbook to handle the event. 

What is the recovery time if I do have a disaster scenario with my system?

Refer to your specific agreement for contractual obligations. The below is provided as an example.

Depending on the severity and nature of the failure, a backup system can be online and ready within 2-4 hours in a limited capacity for NCompass. In the event of a hardware replacement being required to get you back online, this is next business day on a like-for-like basis. Limitations may apply for those of you further afield, where shipping may take 48 hours, and depending on the timing of the failure.

Talk to our sales team for more tailored options, such as cloud disaster recovery as part of our Platinum Protection plan.

Is NCompass PCI Compliant?

NCompass does not directly take any card payments, but does integrate with systems that do. These systems are PCI compliant. You may find that you do fail PCI compliance due to things such as open ports which are necessary for NCompass Apps to work; this is perfectly normal. If you do receive a failed scan, please email support with a copy of the report indicating the failures.

Website

This only applies to Calculus-provided WP11 sites, i.e. Magento.

Is my website secure?

Your website is a public-facing entity. This means anyone in the world can access and view the data on your site, which differs to your NCompass system, which has controlled access via tokens or credentials, or is locked down to prevent external access.

Your website traffic is protected in transit by an SSL certificate; this is the S part of the HTTPS you'll see at the start of your URL.

There are a number of protections in place on the site as well which prevent unauthorised access and interaction, including (but not limited to):

  • Captcha - this tests for robots
  • Access restrictions via credentials, or server policies (such as firewall ports, or file system permissions)
  • Hardware Firewalls
  • Enterprise-grade DDoS mitigation
  • SSL/TLS encryption for data in transit

Is my website backed up?

Yes. A full backup is performed daily with a 2-day retention policy, with a monthly backup retained for 1 month. All backups are securely stored off-site.

Is my website in a secure facility?

Yes. The datacentres are dedicated facilities that include:

  • 24/7/365 on-site staffing and monitoring.
  • No external signage indicating the nature of the facility.
  • Secure 3-metre-high fencing, biometric access, and CCTV with 90-day retention.
  • Fire detection and suppression systems (dual-zone, gas-based, and early-warning VESDA).
  • ISO 27001 compliant facility.

What is the recovery time if there is a disaster scenario for my website?

In the event of a data corruption incident (this has never occurred under the current infrastructure), 1-2 hours should be allowed for a restoration of the most recent good-state backup.

If there is a more complex failure, such as the hardware or operating system, recovery time can be up to 6-8 hours depending on the type of failure, for example:

  • Some components are hot-swappable, or easier to replace, requiring minimal downtime. These can be up to 1-2 hours.
  • Complete system failure, whilst very rare, would require entirely new hardware and rebuild. 6-8 hours should be allowed for this.

Is my site PCI compliant?

Your site does not directly take payments, but does hand over to gateways that are PCI compliant. If you do get any PCI failures on your website, please email the web team and include a full copy of the report with the failures.