At cloudThing, we have always believed in and honoured the right to data privacy and protection for all individuals that we hold data for, and championed the same position with our customers, as a part of trying to set the highest ethical benchmark in everything we do. Over the years, we’ve also demonstrated our commitment to data privacy and protection by meeting industry standards for information security such as ISO 27001 and Cyber Essentials. We have already have many Data Processing Agreements in place, and we are revising them further to meet the requirements of the GDPR, recognising that the new regulation will help us implement the highest standards in protecting personal data.
How we Comply
cloudThing has incorporated deep best-practice and all required privacy protection regulations (including the GDPR) as part of its standard business processes, managed via our Governance Team/ This includes integration throughout our ISO 9001:2015 accredited framework for quality and our ISO 27001:2017 accredited framework for information security, independently assessed at least annually.
- We maintain a detailed data inventory using our complyThing product to track data sets, data owners, applications, locations, implemented controls and to maintain a record of processing activities.
- We publish a privacy notice, providing clear information for cloudThing staff, current customers and prospective customers regarding what data we gather, what we will use it for, how data subjects can exercise their rights and include contact details for cloudThing's DPPO and the ICO.
- We conduct information audits to ensure that all personal data we hold is tracked to maintain the adequacy, security, accuracy and integrity of data.
- We have a clearly defined Data Retention & Disposal Policy which (in combination with our Data Inventory) defines the retention period, review schedule and method of disposal, to ensure that data we hold is only kept only as long as necessary and destroyed appropriately.
- We have a clearly defined Data Breach & Reporting Policy which documents data breach escalation and reporting processes.
- We maintain a Subject Request Protocol which explains how data subjects can exercise their rights under privacy laws, and use our complyThing product to expedite data subject requests.
- We maintain clear version control for all internal documentation and audit trails of all communication sent or received to or from individuals, demonstrating accountability.
- We have an extensive Business Continuity Plan in place which is tested at scheduled intervals to ensure that in the event of extended service outages caused by factors beyond our control (e.g. natural disasters), we can restore services to the widest extent possible in a minimum time frame.
- We conduct supplier assessments in line with our Purchasing Policy before a supplier is approved. This assessment helps to ensure that the supplier has robust controls in place to ensure the security of data shared with them. Where required, we implement Data Sharing Agreements with our suppliers.
- We have implemented a Corporate Binding agreement between our offices in the UK and wholly owned subsidiary in India, to ensure all data is processed and managed securely and in-line with the requirements of privacy regulation – data will also only still be transferred to India with explicit customer consent.
- Prior to processing any data, be it internal or on behalf of our customers, we ensure that all data is privacy screened.
- Where appropriate, we conduct Data Protection Impact Assessments (DPIAs) for data processing operations that involve a high risk to the rights and freedoms of data subjects to determine the appropriate measures to be taken to minimise, or eliminate, the risks.
- If we identify any high-risk processing for which effective controls cannot be designed, we escalate this to the ICO before proceeding.
- For customers which we are engaged, we operate using Service Level Agreements (SLAs), clearly defining our and our customer's responsibility to manage and process data in-line with privacy regulations.
- We have a dedicated Secure-DevOps team who are all trained in privacy and security management best practices, providing on-going guidance internally and to our customers.
- We are committed to continuous improvement and subject every part of our business to an internal audit, at least annually.
- Our services are not aimed to serve children. If in the case that, we receive an inquiry from children through our website we do not process data in a way that should put them at risk.
Human Resource Controls
- We perform Pre-Employment Vetting and Screening checks to verify that are employees are suitable to work for us and that the data they provide about themselves is accurate, ensuring that the safety and security of existing staff, services and end-users is maintained.
- Our employment contracts include data protection clauses for all staff ensuring compliance with applicable laws, regulations, and procedures.
- We deliver regular training sessions for our employees including for relevant data protection regulations. Regular communication is sent to its employees to raise awareness and ensure implementation of data security controls and processes in daily operations. Training sessions are recorded for playback and attendance is tracked in our training log.
- We conduct regular tests and assessments for all employees to ensure a high level of competency, knowledge, and understanding of relevant data protection regulations, their responsibilities and the controls we have in place to protect personal information.
- We gather digital signatures from all employees annually on an adherence register, confirming their understanding of all our management systems and underwriting their responsibility to ensure the organisation and their personal compliance.
- We annually review cloudThing staff data to ensure that the data we hold about them is accurate and up to date. All employees have access to self-service tools where the relevant information can be updated/corrected. All employees are responsible for ensuring that information we hold about them is accurate and up to date.
- We operate as an organisation using a set of Architectural Principles, which mandate an array of good practices such as Privacy by Design, Secure by Design and Defence in Depth.
- We design and build software and services in-line with a detailed Secure System Engineering Policy, which is regularly updated, to ensure strict security controls are in place including (but not limited to) continuous monitoring of environments, regular vulnerability scanning, penetration testing, weekly reviews of infrastructure and key storage abstraction, to identify threats and malicious unauthorised activity.
- We enforce that all devices (physical or virtual) and methods of communication that store and/or transfer data are encrypted, in-line with good industry practice.
- We follow a robust set of policies directed by our Information Security Management System, including (but no limited to):
- an Access Control Policy to mandate a Role Based Access Control and Principle of Least privilege for user/system access
- a Remote Access Policy designed to minimise the potential exposure to unauthorised use of our systems and data from remote locations
- a Password Policy to ensure a strict standard for the creation of strong passwords, the protection of those passwords, and the frequency of change
- a Removable Media Policy forbidding use in nearly all situations and to minimise the risk of loss or exposure of sensitive information in relation to portable storage
- an Information Transfer Policy mandating minimum requirements to ensure that the transfer of data is performed in a way that adequately protects it
- a Data Security Policy to ensure we protect restricted, confidential or sensitive data from loss or corruption
- a Mobile Device & Teleworking Policy to ensure that data used on our mobile device estate is robustly protected, even when devices are lost or stolen.
- a Bring Your Own Device policy mandating controls around any device which is used to access our employee tools that isn’t issued by us
- a Key Management System Policy which mandates controls and processes for key strength, rotation management and defining how credentials are stored and processed
- a Clear Desk and Clear Screen Policy to establish the minimum requirements for ensuring data is not inadvertently shared within the office
- We utilise best-of-breed device management tooling to provide near-real-time security insight across our estate.
- We conduct regular backups to enable data recovery in case of accidental loss or malicious attacks on internal or customer data, in-line with agreed Service Level Agreements.