Security & Privacy

Browse our Security & Privacy page for information about our data handling processes, incident readiness and the security and privacy of our application, infrastructure, workforce and API.

Our Services

As the leader in people-centric cyber resilience, Immersive Labs provide a single enterprise platform that helps organisations continuously assess, build, and prove the cyber resilience of their teams across the entire organisation, from front-line cybersecurity and development teams to Board-level executives.

Risk, Compliance & Certification

We maintain a number of security certifications demonstrating our compliance with data protection regulations, industry standards and best practices.

SOC 2 Type II Report

A report covering our security, availability and confidentiality measures.

ISO 27001

UK Government-accredited security assurance scheme with external verification.

UK Cyber Essentials Plus

UK Government-accredited security assurance scheme through self-assessment.

Reports

Our Penetration Testing reports demonstrate our commitment to maintaining the highest levels of security and compliance. To learn more about our cybersecurity controls and technical security posture, authorised customers with a signed non-disclosure agreement may request access to the reports.

Penetration Testing Report

A report covering our latest Penetration Testing measures.

Business Ethics

Code of Conduct

Immersive Labs’ commitment to acting with integrity means that we comply with the highest professional and ethical standards, building trust and cyber resilience with our customers, investors, partners, and suppliers. To ensure that this message is a part of our daily business, we not only fulfil our legal duties but also detail our ethical standards within our Code of Conduct.

Download Code of Conduct Policy

Environmental, Social & Governance

At Immersive Labs, we believe we have an obligation to operate our business sustainably for our planet, communities, employees, and customers. For details on our commitment to this, please see our ESG policy.

Download ESG Policy

FAQs

Find answers to commonly asked questions about Security & Privacy

Does Immersive Labs support the configuration of password policies?

No. We have set the password policy for the platform, which follows NCSC guidance and enforces length over complexity. We do not force users to change their passwords frequently and will only force a password change if there is a suspected or confirmed compromise. Customers cannot configure the password policy. Customers using SSO will use this to authenticate.

How does Immersive Labs ensure that our code is being developed securely?

We follow a secure SDLC process, which includes OWASP Top 10 and CVSS standards. All code written by our development teams is scanned and peer-reviewed prior to deployment to ensure it meets our high standards. We continually evaluate and monitor our platform for vulnerabilities.

How does Immersive Labs secure users’ access to the Immersive Labs platform?

Access to the platform is performed via the following authentication methods:

  • Credentials: username (email address) and password (following NCSC guidelines)
  • Single Sign-On (SSO) using SAML 2.0
  • MFA is supported for Single Sign-On users through their Identity and Access Management provider

Does Immersive Labs provide usage reports of user activity?

Yes. Usage reports are available in the platform via the Insights area or through your Customer Success Manager. Audit logs of Org Admin and Team Admin accounts are not currently available.

What roles are available with the Immersive Labs platform?

There are multiple roles available within the Immersive Labs platform. Each of these roles has a different level of permissions. Users can be granted roles with no elevated permissions, roles that give administrative permissions, or product-specific roles.

Organisation Admin – This is assigned to a manager of an organisation, allowing them to manage and assign objectives/collections and licences, and to view reports.

Licence Manager – This is provided alongside the self-service licence feature (BETA) and allows users to configure users and teams and manage their licences.

Team Admin – This gives the user the same permissions as an Organisation Admin, but limited to the team they manage within the organisation.

Workforce Manager – This provides a user with a Workforce licence permission to create, manage and assign workforce exercises.

Crisis Sim Manager – This allows a user with a Crisis Sim licence to create, manage and view exercises and reports.

Team Sim Manager – This is assigned to a user alongside the Team Sim feature and allows a user to create, manage and view Team Sim exercises and reports.

Cyber Ranges Manager – This gives a user who has access to the Cyber Ranges platform permission to create, manage and view Cyber Ranges.

Hiring Manager – This gives the user access to candidate screening in the platform, but requires that you add a Cyber Pro licence (type: manager). This allows for being able to set up, manage and review candidate screening assessments.

User – This is a required role and is the default for all users; it allows access to the platform but grants no elevated permissions.

Is your data encrypted? If so, what methodologies are used?

Yes. Immersive Labs encrypts customer data at rest and in transit.

  • Data at rest is encrypted using AES-256
  • Data in transit across open networks is encrypted using TLS 1.2 as a minimum (we do not support TLS 1.1)
  • Passwords are hashed and salted using Bcrypt

Does Immersive Labs have a physical Security Policy?

Yes. Although we are completely cloud-native, meaning we have no on-premise infrastructure, both our office locations have physical security controls in place, such as CCTV, alarm systems and access control, to monitor and manage access to our office space.

Immersive Labs applications are hosted in AWS state-of-the-art data centers designed to protect mission-critical computer systems with fully redundant subsystems and hierarchized security zones. AWS data centers adhere to the strictest physical security measures, including the following:

  • Multiple layers of authentication for accessing server areas
  • Multi-factor biometric authentication for critical areas
  • Camera surveillance systems at internal and external entry points
  • 24/7 monitoring by security personnel

All physical access to the data centres is highly restricted and stringently regulated.

How frequently does Immersive Labs review its Information Security policies?

All the policies relating to our ISMS are reviewed at least annually by our Policy Review Committee (PRC). If there is a material change to the business, the service we provide or the technology we use, a review and update (if required) will take place.

Does Immersive Labs have a dedicated security team?

Yes. Security at Immersive Labs is guided and monitored by our Risk, Security and Compliance Team. Specific security knowledge is gathered from across the business via a number of forums, such as the Security and Risk Review and our Security Guild which both have representatives from across the business.

Does Immersive Labs have an Information Security Awareness training program?

Yes. Like you, we understand the importance of the knowledge our workforce has and the confidence they need to be able to do their role day to day. So, like you, we have implemented a Cyber Workforce Resilience plan which covers everyone at Immersive Labs. We face similar challenges to most other businesses, and we use our own platform to upskill, exercise and prove our workforce's ability to deal with the threats every business faces today.

How does Immersive Labs enable secure destruction of hardware?

Decommissioning of storage media (such as hard drives and smartphones) is certified by an external company and meets ISO 27001 requirements.

Which privacy laws and frameworks do Immersive Labs adhere to?

We map our privacy framework predominantly to the requirements of the EU and UK GDPR, but we also consider and ensure compliance with local laws in the jurisdictions in which we process the personal data of our end users, for example the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Personal Information Protection and Electronic Documents Act.

Does Immersive Labs have a Privacy Notice?

Yes, it can be found here.

What data does Immersive Labs process?

We process minimal personal data when our end-users register on the platform. This includes:

  • Full name
  • Profile Display Photo
  • Email Address
  • IP Address
  • Job Title / Role
  • User ID
  • Username
  • SAML UID (SSO)

We also collect other data whilst end-users are using the platform, which includes answers to labs, completion rates and achievements made. We do this so you and our end-users can track progress on our leaderboards, download CPE certificates, and get insights into your cyber workforce capabilities via in-platform dashboards.

The data we collect about the way in which end-users use the platform is helpful to us because it provides valuable insights into the steps we can take to improve the platform and its usability. We make sure that this type of data is aggregated and anonymised so that it can never be used to identify our customers or our end-users.

How does Immersive Labs use end-user data on behalf of its customers?

We use end-user data to enable and assist customers and their end-users to access and use the platform, respond to customer inquiries, and provide support for customer reporting.

Who owns end-user data?

Under the UK & EU GDPR, the customer is the controller of end-user personal data, and Immersive Labs is a processor for processing activities including enabling and assisting customers and their end-users to access and use the platform, responding to customer inquiries and providing support for reporting. This means that throughout a customer’s subscription to the Immersive Labs platform, the customer retains ownership of and control over the end-user data in its account.

Does Immersive Labs process end-user data for its own purposes?

Yes, there are occasions where Immersive Labs uses customer and end-user data for its own purposes including to monitor, prevent and detect fraud, to prevent harm to us and our customers, to comply with our legal or regulatory obligations, to analyse, develop and improve our products and services, to provide our products and services to end-users, to ask for feedback and to conduct marketing activities.

For more detailed information about the way in which we use customer and end-user data, please read our privacy notice.

Who are Immersive Labs’ sub-processors?

We maintain an up-to-date list of the names and locations of all our sub-processors, including our affiliates, available here. We are responsible for the acts and omissions of our sub-processors to the same extent that we would be responsible if Immersive Labs were performing the services of each sub-processor directly.

If you would like to receive notifications whenever we make changes to our sub-processor list, you can subscribe here.

How long does Immersive Labs retain end-user data?

Our retention policy is 12 months following the closure of a customer account. This is to allow users to access their data or to transfer their data to a future employer. Data can be deleted sooner upon customer request.

Does Immersive Labs have a privacy program?

Yes. Privacy at Immersive Labs is managed by the Legal Team utilising OneTrust privacy compliance software.

Does Immersive Labs have a formal process in place to address updates to privacy laws, regulations and regulatory guidance?

Yes, we ensure that we stay on top of emerging legislation and guidance and regularly update internal and external facing policy documentation to reflect changes in the global landscape.

How does Immersive Labs handle secure file sharing data?

Learn more here: Secure File Sharing

Does Immersive Labs have a formal incident response plan?

Yes. Our incident response plan sets out the internal processes to detect incidents, escalate them to the relevant people, communicate internally and externally if needed, and investigate and respond. All incidents have a retrospective carried out once the incident has been officially closed.

How will Immersive Labs inform me of an incident or a breach that has compromised my data?

The type of communication will depend on the type, scope and scale of the incident. As a minimum, your administrator will receive an email informing them, to the extent available, of the nature of the breach and what actions Immersive Labs are taking to resolve the situation.

Does Immersive Labs have a Business Continuity and Disaster Recovery Plan?

Yes. Our amazing team has the ability to work from anywhere, so although we have a number of offices where our teams meet to collaborate, we are not tied to these locations and being cloud-native means we can just as easily collaborate virtually.

Our disaster recovery is aided by being cloud-native and redeployment of the platform and our customer data is documented in our Disaster Recovery Plan (DRP).

We have established an RTO and an RPO of 24 hours.

Does Immersive Labs have an easy way for external parties to report security vulnerabilities?

Yes. Security vulnerabilities can either be reported to security@immersivelabs.com or through our HackerOne vulnerability submission form here.

Is Immersive Labs available as an on-premise service?

No. Immersive Labs is fully cloud-based and does not offer an on-premise version.

How often is data backed up?

We regularly back up customer data and store it encrypted at our back-up location. Back-ups are retained for 7 days before being overwritten.

Does Immersive Labs perform vulnerability assessments?

Yes. A full penetration test is performed annually covering the platform. We also conduct assessments twice a year using our own team of testers to ensure any identified vulnerabilities are fully closed as part of our security vulnerability management process.

We also maintain a bug bounty program via HackerOne. More detail about this can be found here.

Does Immersive Labs enforce network segregation?

We enforce network segregation through different VPCs for staging and production environments and implement security groups.

The platform sits behind our Amazon CloudFront CDN which obfuscates our internal infrastructure. This allows for computing and storage to be in private subnets and adds encryption in transit by default.

How does Immersive Labs ensure secure software development?

Immersive Labs has implemented an enterprise-secure software development lifecycle (SDLC) to help ensure the continued security of our training platform. We use a variety of tools such as static and dynamic application security testing and open-source license scanning. Our pipeline includes peer code reviews and extensive quality assurance testing.

Our engineers follow custom application security training to enhance the development process and champion secure coding practices. We conduct quarterly penetration tests on our systems with internal security experts. Vulnerability remediation is managed through weekly triage meetings with full involvement of engineering.

Does Immersive Labs offer API access?

Yes, the option of API access is available. If you utilise Professional Services, they will be able to assist with this. If you do not have access to Professional Services, please contact your Sales Representative or Customer Success Manager for more information.

Does Immersive Labs support further integrations with its service?

Yes, in addition to our API, we support integrations with Learning Management Systems. This service is available for Enterprise customers only. Speak to your Customer Success Manager who can advise the services available.
