Legal NoticesDownload this as a PDF
- Expanded and subdivided Section 3.13 to clarify the processing of data outside of the UK,
- Added Campaign Monitor to section 3.13 with description of usage and situation.
INFORMATION SECURITY POLICY (2018-10-10)
At Acorah Software Products Limited ('ASPL'), we are committed to protecting your data and this Information Security Policy tells you how we secure your data. This Information Security Policy has been drafted to comply with the legal standards that currently exist in the United Kingdom and will be modified as ASPL determines is necessary to satisfy or exceed legal requirements. We reserve the right to modify this Information Security Policy at any time by notifying our customers, via the main ASPL website (www.taxcalc.com), of a new or revised Information Security Policy.
If you would like further information on this Information Security Policy or about ASPL’s data security measures, we encourage you to contact firstname.lastname@example.org.
1 Introduction to ASPL Information Security
1.1 Information Commissioner’s Office (ICO) registered details:
1.1.1 Our ICO registration reference is Z896266X
1.1.2 Our registered Data Protection Officer is Ian Belcher and the registered address is TaxCalc, Rubra One, Mulberry Business Park, Fishponds Road, Wokingham, RG41 2GY. Tel: 01189364855, Email: email@example.com
1.3 ASPL only allows audits of data processing activities and those of its agents, subsidiaries and sub-contractors as far as permitted or requested by law, due to security considerations and the protection of all our other customers’ data. In addition to this, a simple inspection or audit would not be feasible as there would be significant technical depth involved.
2 Information Security and ASPL Staff
2.2 Lowest level permissions are routinely used regarding access or privileges within any functionality that allows interrogation of customer data.
2.3 Account access is controlled by the ASPL IT team and relevant authorisations are required before allowing any change in access (for example, a completed new starter process), so that the employee is only given relevant access to systems. A given leaver’s account access is disabled on their last day of employment and passwords are changed as required to ensure they can no longer access systems.
3 Information Security Where ASPL is the Data Controller
3.1 ASPL regularly audits its data footprint and limits data acquisition to the minimum possible.
3.2 By default, we retain data for as long as we remain in a business relationship with a customer. As soon as the relationship ends, we retain data for a further 6 years following the end of the company’s financial year in order to comply with HMRC parameters on business records. Once this period elapses, all data is deleted.
3.3 ASPL responds to Subject Access Requests in line with the GDPR’s requirements. Please email firstname.lastname@example.org to initiate a Subject Access Request.
3.4 We do not have separate security accreditations. However, our systems are regularly scanned for vulnerabilities to adhere to PCI (Payment Card Industry) standards and our CloudConnect product undergoes penetration testing by an external third party as described in Sections 11 and 15 of the Cloud Service Agreement.
3.5 Various notification channels are monitored on a daily basis in regards to the CVE (Common Vulnerabilities & Exploits) database. All discovered instances are risk assessed to determine the severity and urgency of mitigations or updating application versions.
3.6 Software security patches are assessed and triaged as they are released, then assigned to a patch window according to the assessed risk and business impact
3.7 Our bespoke customer relationship management system (CRMS) employs a range of security measures, including restricted access, firewall protection and direct access to the data is only available to a few system administrators. We only store hashes of customer passwords and MAC addresses used to uniquely identify customer machines. Inadvertent and malicious access to other customers data is prevented by good coding practices, preventing SQL injection attacks and all systems are internally regression tested.
3.8 Live and back-up Customer data held electronically by Acorah is normally held on our data servers at our designated datacentres, and therefore only accessible via secure remote access. Other personal data held by ASPL in electronic format will be held at our Head Office; our offices have door access controls and all visitors are signed in and escorted through the building.
3.9 Access to our internal network system is firewall controlled to the office and via a VPN network that uses 2FA (two factor authentication). Functionality within the internal network system is also on a least possible permission basis.
3.10 All planned Software features, releases of the Software and amendments to the Website / CRMS are reviewed by the Compliance team to ensure adherence to the relevant Acts and regulations.
3.11 All new internal uses of, or software that will interact with, Customer data are risk assessed via Data Protection Impact Assessment (DPIA) prior to implementation, so that any required adjustments can be made to the Privacy or Information Security Policies (or other relevant policies).
3.12 In the confirmed instance of a data breach that would adversely affect the personal data of a Customer, ASPL would notify You of the breach without unnecessary delay. We would also notify the ICO in such an eventuality, if it would be pertinent to do so.
3.13 The only instances of personal data that may be shared with an organisation outside of the EEA are:
3.13.1 Your registered postcode. The postcode is only shared when a customer is registering an account on the TaxCalc Website and uses the ‘postcode look-up’ functionality. This is provided by AFD Software, a Isle of Man based company.
3.13.2 Your IP address is provided to Maxmind Inc, a US based company (although they do have servers located in the UK). This firm states they have signed up to the EU-US Privacy Shield. This is to verify the country of purchase under the EU VAT MOSS regulations, which is needed if we are to sell software to members of EU countries.
3.14 Marketing Preferences
3.14.1 Marketing preferences are managed under the lawful basis of consent.
3.14.2 Consent is only collected directly from the data subject, usually via the TaxCalc website (as part of the registration or purchase process) but also from TaxCalc internet promotions and TaxCalc stalls at exhibitions and other functions.
3.14.3 Consent management, including withdrawal of consent, is conducted via the website (either front end for Customers or back end for permitted customer account management staff).
3.14.4 Marketing campaigns to Data Subjects are reviewed by the Compliance team and recipients are checked against our consent options.
4 Information Security Where ASPL is the Data Processor (Core Business)
4.1 Where ASPL is a Data Processor, the security measures described in 3.1, 3.2, 3.4 to 3.6 and 3.8 to 3.12 also apply.
4.2 Additionally, where ASPL is a Data Processor, and you are the Data Controller: Wherever possible, ASPL will aid You in fulfillng Subject Access Requests and other Data Subject data management actions in line with the GDPR’s timeframes and stated responsibilities.
5 Information Security Where ASPL is the Data Processor (TaxCalc CloudConnect®)
5.1 CloudConnect continually goes through technical updates to ensure it complies with regulatory changes and best practice standards.
5.2.1 As per the Cloud Service Agreement, the CloudConnect databases are hosted with Mythic Beasts Ltd in the UK.
5.2.2 Each database server has disk encryption to provide Security-At-Rest. All transfers to the database are secured using SSL/TLS to provide Security-In-Transit. Our emergency disaster recovery methodology uses the same methods.
5.3 Access Control
5.3.1 We have privacy and non-disclosure contracts in place with our providers to ensure security of the data held on the databases. Effectively this means that our providers can and will do no more than a) host devices and b) reboot in the event of outage.
5.3.2 Our Cloud team have been allocated permissions on a least-privilege access principal (restrict access to only the level needed to fulfil job function), and successful access to any server is via explicit firewall permissions and multi-factor authentication (MFA) tooling.
5.3.3 These technical methods are coupled with extensive data protection policies in our employment contracts to ensure that staff do not access data held within Customer databases without the Customer’s explicit documented instruction.
5.3.4 Each customer database is protected with unique usernames and passwords to prevent intra-server breaches. They are ‘ring-fenced’ as individual databases (rather than using one big database) and replicated in a master/slave fashion in order to provide redundancy.
5.4 Data Retention: We remove database backups from our servers frequently, retained as per our Backups Attachment to the Cloud Service Agreement.
5.5 Monitoring, Testing and Remediation:
5.5.1 Issue detection (including breach/intrusion) is integrated into our 24/7 in-house monitoring and alerts; this function is handled by the Cloud team.
5.5.2 We have an automated monitoring system with hundreds of sensors implanted throughout our Cloud infrastructure. These alert us if there are any detectable problems. The quantum of ‘detectable’ is of course a moving target. New threats emerge constantly, the environment of the Internet changes and as we develop the service, as with any software provider, we occasionally incur bugs too. This is why we have a whole team dedicated to maintaining and developing the CloudConnect service.
5.5.3 Ongoing activities include:
- We receive notifications from a variety of security lists and websites, and all devices are patched to the latest versions on a regular patch cycle basis; this ensures that any application/package level vulnerabilities are addressed quickly.
- Reactive actions when a security problem is detected through the monitoring system.
- We perform regular penetration testing with a third party to highlight improvements, which are documented and actioned.
5.6 Cloud Server Supplier Confidence: Our dataservers are operated by Mythic Beasts (main servers) and Bytemark (our cold storage provider). When determining our suppliers, we engaged in a lengthy due diligence process and we have privacy and non-disclosure contracts in place to ensure security of the data held on the databases. Our suppliers do not access the unique databases; they only provide server-level support.
5.7 Further documentation on the CloudConnect Service can be found in our Cloud Service Agreement.
Copyright ©2018 Acorah Software Products Limited. All Rights Reserved.