Loading ...

The Privacy Policy for Timesheet Portal provided by Anfold Software

Last updated: 24/05/2018

Introduction and General Terms of this Privacy Policy

Anfold Software Ltd (company number: 06784037) is the provider of Timesheet Portal, which is a software as a service (SaaS) offering. Due to the nature of some of the functionality of this software (e.g. payroll processing, HR record keeping), our customers are able to store personal data relating to their employees or clients. The personal data we process as Data Controller is limited to the names and contact details of our contacts at our customers. We are registered as a Data Controller with the Information Commissioner's Office (ICO) (registration number: Z3196567). We are a Data Processor in respect of the personal data which is entered by our clients into Timesheet Portal. Our customers usually fulfil the role of Data Controller, but in some cases may act as a Data Processor themselves. Our standard terms and conditions outline the duties and obligations of our customers and ourselves. These can be found online in the support section. This document provides further details on data security and internal processes where personal data is involved.

Data Collection

We do not collect any personal data from your users for our own use. We are the Data Processor and you are the Data Controller in respect of the personal data which relates to your users and any other data you input into Timesheet Portal. It is entirely up to you what data you wish to put in our system, what fields you wish to make mandatory, and what permissions you assign to your account users which may give them access to the personal data of Data Subjects. You are responsible for providing your data subjects with your own privacy policy or notice in respect of the personal data you control.

We collect personal data from our contacts at our customers so that we can develop a relationship with you and provide the best customer service to you. We also want to be able to provide you with expert support and have the ability to let you know about updates to our services as well as providing you with marketing materials and promotional offers we think might be of interest to you. Where our customers are individuals and sole traders, the legal basis on which we rely for processing your personal data is that it is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract (for example if you request a free trial).

Where our customers are corporate entities, we process the personal data of our contacts at the company on the basis that we have a legitimate interest for this processing. Our legitimate interest is in ensuring that we maintain an appropriate relationship with our customer and so that we are able to provide the customer with excellent customer services.

You are under no statutory obligation to provide us with personal data, however for business continuity purposes, we require customers to provide us with contact information for the individual at their business who is responsible for its use of Timesheet Portal in order for us to enter into a contract with the business. This is because this individual will be our main point of contact should we need to provide any notice or important information relating to our services.

Storage

Primary data refers to the data contained within the Timesheet Portal application. This includes all data which is entered through the user interface, import files, API and any other areas in which the data becomes available through the interface. This data may be entered by administrators or data subjects themselves, or through any automated system processes that you may have in place to import data into our system.
For reasons of redundancy and scalability, we host your data in multiple places concurrently. These include our dedicated hosted servers housed in a secure data centre with ISP UKFast as well as other services provided by Microsoft Azure and Amazon Web Services.
How we handle data provided to us directly from customers During implementation and if our customers request us to assist you with any data inputting or other ad-hoc support tasks which require us to process your users' personal data,, we may receive files from customers which contain personal data. We may store copies of such personal data on our local machines in the office whilst we undertake the task. Following completion of the task, we will ask our customer whether the personal data should be returned or destroyed. Our policy is to not store any personal data on any of our disks which are not encrypted, and staff are aware which disks are safe to store personal data on.

Security

 

Access to personal data

Within our organisation, our support and implementation team may access your account. This is a requirement in order for them to fulfil their role so that they can provide support to our customers. This access is logged. During trial and for your first 3 months after commencing a subscription with us, your sales executive may have access to your account. This is essential as typically they provide a crucial role in helping refine your requirements and relaying these requirements to the implementation team.

Access to servers containing personal data

We maintain restricted access to servers and databases. Access is limited to key senior members of the technical team, and access to servers is audited. We also maintain a log of all people who have access to servers. If a member of staff leaves or their role changes such that they no longer require access to servers, their credentials are promptly revoked.

Virus Scanning

We use virus scanners on our production servers and in our internal network. Virus definitions are updated on a weekly basis.

Working with sub-contractors

We do not typically engage with sub-contractors who could have access to personal data. However we would ensure a suitable contract exists and training is provided which addresses the need to protect any personal data dealt with by the subcontractor.

Security Procedures

Your data is stored within the software that we provide. Hence our focus on security procedures is mostly based around ensuring good practices during development of the application and in keeping the production environment secure. Our development team are trained to understand how attacks can occur and how to write code that is not susceptible to such attacks. We also conduct regular code reviews by a senior member of the team to ensure that good practises are maintained. As part of PCI compliance, we undergo quarterly vulnerability scanning. These are automated scans that test our server for known vulnerabilities. In addition to this, we also undergo annual web application penetration testing. This testing comprises of manual and automated tests whilst logged in to the system, with a specific focus on ensuring personal data cannot be compromised by an unauthorised user.

Data in transit

All data, including personal data is always secured when in transit over public networks. Emails and data storage are processed through Microsoft’s Office 365 suite, and transferred over SSL/TLS. Data is encrypted.

We use SFTP for FTP transfers.

All our data disks on desktop workstations and laptops use 128bit AES encryption.

Intrusion Detection

We operate hardware and software based firewalls across our internal and production networks.

Report of a data breach

In the event of a data breach, we have procedures in place on our system which will allow us to email all registered DPOs for our customers, the Data Controllers. As per our obligations under the GDPR, we will report a breach to all affected Data Controllers without delay, and notify the ICO within 72 hours. If you have not registered a DPO contact on our system, then we will email the primary administrator on the account instead.

Central Record of Processing Activities

Anfold Software maintains a central record of processing activities. We do not maintain a list of the individual personal data field that each Data Controller uses, as Data Controllers have complete control over what personal data they enter relating to their Data Subjects and also what fields they ask their Data Subjects to complete on our system.

Destruction of Data & Contract Termination

When customers stop using our services we will need retain their personal data for a period of time following the end of the contractual relationship for business administration purposes including financial reporting and in order to manage our legal risk. We will retain this personal data for a maximum period of seven (7) years following the end of our contract. How is data destroyed We do not typically work with printed data, however if there was a requirement to print data which contained personal data, our policy is to shred such documents. With regards to digital data, a deletion process will result in overwriting any records containing personal data with blanks. When a customer account is terminated, we will fully remove all data records from the database.

Sub-Processors

We do not host our own servers or redundant storage facilities in-house, therefore we engage with several sub-processors in which we store personal data on. All our sub-processors are GDPR compliant.

As part of our compliance policies, we have undertaken an assessment on each of our sub-processors to ensure that they follow similar security measures which are deemed acceptable for safe-guarding personal data.

Appointment of new sub-processors

If we engage with a new sub-processor, we will notify your DPO, providing you with 30 days to object. If you object to our appointment of sub-processor, you may end terminate your contract early. This is explained within our terms.

Transfers of personal data

Application data transfer Due to the technical architecture of our system which is a requirement for redundancy and scalability, when personal data is accessed, created or modified, it will be transferred between different components of our system, and in some cases this will be over the internet between different physical sites. Our servers are located in the European Economic Area (EEA). We sometimes use third parties to provide us with services. If these third parties will transfer personal data outside of the EEA, we will ensure that there is adequate protection in place in respect of that transfer. For example, where any transfers are made by Microsoft Azure or Amazon Web Services to the United States of America, this is done on the basis that the companies adhere to the principles of the EU-U.S. Privacy Shield framework. Internally, we may transfer personal data between departments. For instance, during implementation, a customer may send data for importing into the system to their sales executive, who may in turn send this information to the implementation team. Such data transfers will be performed over secure email connections, or by saving the data to local and cloud-based storage providers. Our internal policies prohibit us from storing any customer data on non-encrypted disks.

Training

General Data Protection Our staff have all had online training sessions on the principles of GDPR compliance and how to deal with personal data. Our staff are also aware that unlawful access to personal data is prohibited.

Rights of Data Subjects

You have the right to:

The rights detailed above apply to those individuals who provide their personal data to us (for example, if you use our services and you are an individual sole trader or a partnership) and our contacts at our customers. If you are an end user of Timesheet Portal and you wish to exercise your rights, you should consider who controls your personal data. The controller of your personal data is likely to be the business which has received the personal data from you and added it to Timesheet Portal. You should request a copy of their privacy policy to establish how and why they process your personal data. Please note that we do not make any decisions about any data subjects whose personal data we control on the basis of automated decision making or profiling.

Complaints and contact us

If you have any questions about our Privacy Policy or any other information relating to our services please contact our data protection manager:

Name Michael Gois
Email: [email protected]
Address: 41A Beavor Lane, London, W6 9BL


Please note that you have the right to lodge a complaint with a supervisory authority. Further information on how to do this can be found on the ICO's website at www.ico.org.uk.

Changes to this policy

We may edit or amend this Privacy Policy from time to time in which case we shall publish the amended version on our website. We will inform you should we process your personal information for a purpose other than the purpose for which it was obtained.