Anfold Software Ltd (company number: 06784037) is the provider of Timesheet Portal, which is a software as a service (SaaS) offering. Due to the nature of some of the functionality of this software (e.g. payroll processing, HR record keeping), our customers are able to store personal data relating to their employees or clients.
The personal data we process as Data Controller is limited to the names and contact details of our contacts at our customers. We are registered as a Data Controller with the Information Commissioner's Office (ICO) (registration number: Z3196567). We are a Data Processor in respect of the personal data which is entered by our clients into Timesheet Portal. Our customers usually fulfil the role of Data Controller, but in some cases may act as a Data Processor themselves.
Our standard terms and conditions outline the duties and obligations of our customers and ourselves. These can be found online in the support section. This document provides further details on data security and internal processes where personal data is involved.
We collect personal data from our contacts at our customers so that we can develop a relationship with you and provide the best customer service to you. We also want to be able to provide you with expert support and have the ability to let you know about updates to our services as well as providing you with marketing materials and promotional offers we think might be of interest to you.
Where our customers are individuals and sole traders, the legal basis on which we rely for processing your personal data is that it is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract (for example if you request a free trial).
Where our customers are corporate entities, we process the personal data of our contacts at the company on the basis that we have a legitimate interest for this processing. Our legitimate interest is in ensuring that we maintain an appropriate relationship with our customer and so that we are able to provide the customer with excellent customer services.
You are under no statutory obligation to provide us with personal data, however for business continuity purposes, we require customers to provide us with contact information for the individual at their business who is responsible for its use of Timesheet Portal in order for us to enter into a contract with the business. This is because this individual will be our main point of contact should we need to provide any notice or important information relating to our services.
Primary data refers to the data contained within the Timesheet Portal application. This includes all data which is entered through the user interface, import files, API and any other areas in which the data becomes available through the interface. This data may be entered by administrators or data subjects themselves, or through any automated system processes that you may have in place to import data into our system.
For reasons of redundancy and scalability, we host your data in multiple places concurrently. These include our dedicated hosted servers housed in a secure data centre with ISP UKFast as well as other services provided by Microsoft Azure and Amazon Web Services.
How we handle data provided to us directly from customers
During implementation and if our customers request us to assist you with any data inputting or other ad-hoc support tasks which require us to process your users' personal data, we may receive files from customers which contain personal data. We may store copies of such personal data on our local machines in the office whilst we undertake the task. Following completion of the task, we will ask our customer whether the personal data should be returned or destroyed. Our policy is to not store any personal data on any of our disks which are not encrypted, and staff are aware which disks are safe to store personal data on.
Access to personal data
Within our organisation, our support and implementation team may access your account. This is a requirement in order for them to fulfil their role so that they can provide support to our customers. This access is logged. During trial and for your first 3 months after commencing a subscription with us, your sales executive may have access to your account. This is essential as typically they provide a crucial role in helping refine your requirements and relaying these requirements to the implementation team.
Access to servers containing personal data
We maintain restricted access to servers and databases. Access is limited to key senior members of the technical team, and access to servers is audited. We also maintain a log of all people who have access to servers. If a member of staff leaves or their role changes such that they no longer require access to servers, their credentials are promptly revoked.
We use virus scanners on our production servers and in our internal network. Virus definitions are updated on a weekly basis.
Working with sub-contractors
We do not typically engage with sub-contractors who could have access to personal data. However we would ensure a suitable contract exists and training is provided which addresses the need to protect any personal data dealt with by the subcontractor.
Your data is stored within the software that we provide. Hence our focus on security procedures is mostly based around ensuring good practices during development of the application and in keeping the production environment secure.
Our development team are trained to understand how attacks can occur and how to write code that is not susceptible to such attacks. We also conduct regular code reviews by a senior member of the team to ensure that good practices are maintained.
As part of PCI compliance, we undergo quarterly vulnerability scanning. These are automated scans that test our server for known vulnerabilities. In addition to this, we also undergo annual web application penetration testing. This testing comprises manual and automated tests whilst logged in to the system, with a specific focus on ensuring personal data cannot be compromised by an unauthorised user.
Data in transit
All data, including personal data, is always secured when in transit over public networks. Emails and data storage are processed through Microsoft’s Office 365 suite, and transferred over SSL/TLS. Data is encrypted.
We use SFTP for FTP transfers.
All our data disks on desktop workstations and laptops use 128-bit AES encryption.
We operate hardware and software based firewalls across our internal and production networks.
Report of a data breach
In the event of a data breach, we have procedures in place on our system which will allow us to email all registered DPOs for our customers, the Data Controllers. As per our obligations under the GDPR, we will report a breach to all affected Data Controllers without delay, and notify the ICO within 72 hours. If you have not registered a DPO contact on our system, then we will email the primary administrator on the account instead.
Central Record of Processing Activities
Anfold Software maintains a central record of processing activities. We do not maintain a list of the individual personal data fields that each Data Controller uses, as Data Controllers have complete control over what personal data they enter relating to their Data Subjects and also what fields they ask their Data Subjects to complete on our system.
Destruction of Data & Contract Termination
When customers stop using our services we will need to retain their personal data for a period of time following the end of the contractual relationship for business administration purposes including financial reporting and in order to manage our legal risk. We will retain this personal data for a maximum period of seven (7) years following the end of our contract.
How is data destroyed
We do not typically work with printed data, however if there was a requirement to print data which contained personal data, our policy is to shred such documents.
With regards to digital data, a deletion process will result in overwriting any records containing personal data with blanks. When a customer account is terminated, we will fully remove all data records from the database.
We do not host our own servers or redundant storage facilities in-house, therefore we engage with several sub-processors with which we store personal data. All our sub-processors are GDPR compliant.
As part of our compliance policies, we have undertaken an assessment on each of our sub-processors to ensure that they follow similar security measures which are deemed acceptable for safe-guarding personal data.
Appointment of new sub-processors
If we engage with a new sub-processor, we will notify your DPO, providing you with 30 days to object. If you object to our appointment of a sub-processor, you may terminate your contract early. This is explained within our terms.
Transfers of personal data
Application data transfer
Due to the technical architecture of our system which is a requirement for redundancy and scalability, when personal data is accessed, created or modified, it will be transferred between different components of our system, and in some cases this will be over the internet between different physical sites. Our servers are located in the European Economic Area (EEA). We sometimes use third parties to provide us with services. If these third parties will transfer personal data outside of the EEA, we will ensure that there is adequate protection in place in respect of that transfer. For example, where any transfers are made by Microsoft Azure or Amazon Web Services to the United States of America, this is done on the basis that the companies adhere to the principles of the EU-U.S. Privacy Shield framework.
Internally, we may transfer personal data between departments. For instance, during implementation, a customer may send data for importing into the system to their sales executive, who may in turn send this information to the implementation team. Such data transfers will be performed over secure email connections, or by saving the data to local and cloud-based storage providers. Our internal policies prohibit us from storing any customer data on non-encrypted disks.
General Data Protection
Our staff have all had online training sessions on the principles of GDPR compliance and how to deal with personal data. Our staff are also aware that unlawful access to personal data is prohibited.
Rights of Data Subjects
You have the right to:
- withdraw your consent to us processing your personal data where any activities we undertake are done on the basis of your consent (for example, sending marketing communications to you). This will not impact the lawfulness of any processing undertaken before you withdrew your consent;
- access the personal data we hold about you;
- ask us to rectify or make any changes to your personal data to make sure it is accurate and up to date;
- ask us to stop, restrict our use of, or delete your personal data;
- transfer your information to a third party; and
- object to processing in cases where processing is based upon our legitimate interests.
Please note that we do not make any decisions about any data subjects whose personal data we control on the basis of automated decision making or profiling.
Complaints and contact us
41A Beavor Lane, London, W6 9BL
Please note that you have the right to lodge a complaint with a supervisory authority. Further information on how to do this can be found on the ICO's website at www.ico.org.uk.
Changes to this policy