Security Policy

The IDEASANVIL LIMITED Information Security Policy sets out the obligations between IDEASANVIL LIMITED and our customers in respect of the provision of IDEASANVIL LIMITED Services.

The Customer’s Compliance with GDPR

The Customer agrees that they are a Data Controller and that IDEASANVIL LIMITED is a Data Processor for the purposes of processing Personal Data. The Customer shall at all times comply with the GDPR in connection with the processing of Personal Data. The Customer shall ensure all instructions given by it to IDEASANVIL LIMITED in respect of Personal Data shall at all times be in accordance with the GDPR.

IDEASANVIL LIMITED’s Compliance with GDPR

2.1 IDEASANVIL LIMITED, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed on it under the GDPR. IDEASANVIL LIMITED shall:

(a) Act only on instructions from the Customer or the Regulator in respect of any Personal Data processed by IDEASANVIL LIMITED;

(b) Have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;

(c) Take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions;

(d) Not transfer the Personal Data provided by the Customer to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR.

Data Ownership

3.1 The customer data held within IDEASANVIL LIMITED systems remains the property of the Customer.

Data Sovereignty and Integrations

4.1 Personal Data may be shared with Trusted Third-Party service providers in order for IDEASANVIL LIMITED to provide its services to the Customer.

4.2 No Personal Data is shared with other service providers, applications or individuals without the written consent of the Customer excluding Trusted Third-Party service providers.

Data Encryption

5.1 All data stored by IDEASANVIL LIMITED is encrypted at rest using AES-256 encryption. This is done to protect data in the event an IDEASANVIL LIMITED server or other device is compromised by an unauthorised party.

Security

Taking into account the state of technical development and the nature of processing, IDEASANVIL LIMITED shall implement and maintain the technical and organisational measures set out in Appendix 3 to protect the data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

Audits

IDEASANVIL LIMITED shall, in accordance with GDPR, make available to the Customer such information that is in its possession or control as is necessary to demonstrate IDEASANVIL LIMITED’s compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, by IDEASANVIL LIMITED’s Third Party Auditor (subject to a maximum of one audit request in any 36 month period).

Staff

All staff and contractors employed by IDEASANVIL LIMITED are required to undergo data protection training and sign data protection and non-disclosure agreements before being allowed to work with customer data.

Backup Policy and System Monitoring

IDEASANVIL LIMITED servers are backed up daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.

Data Breaches

IDEASANVIL LIMITED shall notify the Customer without undue delay and in writing on becoming aware of any Data Breach in respect of any Personal Data.

If a vulnerability is identified or data is available publicly outside of the IDEASANVIL LIMITED systems, please contact IDEASANVIL LIMITED immediately via dataprotection@ideasanvil.com.

Appendix 1: Definitions

Unless otherwise defined in this policy, all terms in bold will have the meanings given to them below:

Data Breach has the meaning defined in the GDPR

Data Controller has the meaning defined in the GDPR

Data means all data entered into IDEASANVIL LIMITED’s systems

Data Processor has the meaning defined in the GDPR

EEA means the European Economic Area

GDPR means the General Data Protection Regulation (EU) 2016/679

ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services

IDEASANVIL LIMITED means IDEASANVIL LIMITED, Invision House, Wilbury Way, Hitchin, Hertfordshire, SG4 0TY

IDEASANVIL LIMITED’s Third Party Auditor means an IDEASANVIL LIMITED-appointed, qualified and independent third party auditor, whose then-current identity IDEASANVIL LIMITED will disclose to the Customer

Personal Data has the meaning defined in the GDPR

Customer means a business, person or organisation who pays IDEASANVIL LIMITED for services

Term means the period from the start date until the end of IDEASANVIL LIMITED’s provision of the Services, including, if applicable, any period during which provision of the IDEASANVIL LIMITED Services may be suspended and any post-termination period during which IDEASANVIL LIMITED may continue providing the Services for transitional purposes

Trusted Third Parties means Microsoft 365 Services EU, Microsoft Azure Services EU, Zendesk Inc., LogMeIn Inc., IOMart Group PLC

Appendix 2: Subject Matter and Details of the Data Processing

Subject Matter
IDEASANVIL LIMITED’s provision of the Services to The Customer.

Nature and Purpose of the Processing
IDEASANVIL LIMITED will process Personal Data for the purposes of providing the Services to the Customer in accordance with the Security Policy.

Categories of Data
Data relating to individuals provided to IDEASANVIL LIMITED via the Services, by (or at the direction of) the Customer.

Data Subjects
Data subjects include the individuals about whom data is provided to IDEASANVIL LIMITED via the Services by (or at the direction of) the Customer.

Appendix 3: Security Measures

IDEASANVIL LIMITED utilises multiple layers of security controls (software, physical and process based) to protect data. This includes, but is not limited to:

Training

Audits and inspections

Local & Network Firewalls

Web Application Firewalls

Intrusion Detection & Prevention Systems

Whole disk encryption

Removable media encryption

Multivendor Anti-Virus and Endpoint protection systems

Application White Listing

Access Control Lists

Security Patch Management

Identity and Access Management

Centralised Log Management

Symmetric and Asymmetric Encryption systems for data storage

Two Factor Authentication

Separation of Duties

Data Loss Prevention

Vulnerability Assessment

Remote Monitoring & Alerting