Workforce Kinetics commitments to the GDPR
Alongside other duties, data controllers are required to only use data processors that provide adequate guarantees to implement appropriate technical and organizational measures so that data processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of Workforce Kinetics:
EXPERT KNOWLEDGE
Workforce Kinetics employs and works with security and privacy professionals to maintain our systems, develop security review processes, build security infrastructure, and implement Workforce Kinetics's security policies.
Our teams engage with customers, industry stakeholders, and supervisory authorities to shape the Workforce Kinetics services in a manner that helps customers meet their compliance needs.
OUR POLICIES
Our terms have been updated to reflect GDPR and are available on the terms page on this website.
FUNCTIONALITY
We have verified that our application, Workforce Kinetics HR, has all of the necessary functionality for compliance with the GDPR. The method we use for deletion and retention of data is acceptable for use under the GDPR.
DATA PROCESSING
We promise to maintain a high level of security and will ensure timely breach reporting to meet all GDPR expectations. To reflect this, we have signed up to AWS Managed Services (https://aws.amazon.com/managed-services/), which we regard as the gold standard for security management. This service introduces automated analysis of log files, forensic analysis and timely notification when a breach is detected, and then recovery. We have purchased this on behalf of all of our customers. It is active as of now, and we will be contractually assuring our customers of its use. It is incumbent upon data controllers to ensure that their data processors have the right infrastructure in place to process their data. By purchasing this service, we can assure you that we have technical infrastructure in place which goes above and beyond regulatory requirements.
PROCESSING ACCORDING TO INSTRUCTIONS
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our previous data processing agreements as well as our current GDPR-updated ones.
EMPLOYEE CONFIDENTIALITY
All of Workforce Kinetics’s employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy training, as well as our Code of Conduct training. Workforce Kinetics’s Code of Conduct outlines expected behavior with respect to the protection of information.
USE OF SUBPROCESSORS
Workforce Kinetics always adheres to the requirements of the GDPR legislation to identify sub-processors.
DATA RETURN & DELETION
Administrators can delete employee data, via the functionality of the Workforce Kinetics HR services, at any time during the term of the agreement. We have included data export commitments in our data processing terms since we began trading, and we continue these commitments post-GDPR. We are always working to enhance the robustness of the data export capabilities of the Workforce Kinetics HR services.
Workforce Kinetics stores data backups for two weeks before the backups are replaced fully and any old data is removed.
DATA CONTROLLERS
How Workforce Kinetics assists data controllers
Data Subject's Rights
Workforce Kinetics HR can provide an export of customer data at any time during the term of the agreement. We have included data export commitments in our data processing terms for several years, and we continue these commitments post-GDPR.
Data Protection Officer
The Workforce Kinetics HR Data Protection Officer is Tracy Wiseman; any questions regarding data protection concerns can be directed to him.
Incident Notifications
Workforce Kinetics provides contractual commitments around incident notification. We will inform you of incidents involving your customer data, in line with the data incident terms in our previous, and GDPR-updated, agreements.
Certifications
Our customers and regulators expect independent verification of security, privacy, and compliance controls. The Workforce Kinetics platform and service undergo several independent third-party audits on a regular basis to provide this assurance.
STANDARDS & CERTIFICATIONS
Data Protection Registration
Workforce Kinetics is registered with the Information Commissioner's Office (ICO). This means we are contractually committed to delivering our services in compliance with the Data Protection Act (DPA).
Penetration Testing
We commission regular independent penetration testing of our infrastructure, to ensure we keep our system free from vulnerabilities. With many high-profile customers in the financial sector, we recognize the need for tight security at a very technical level.
FAQs
WHAT IS THE GDPR?
The General Data Protection Regulation is new EU privacy legislation that has replaced Directive 95/46/EC on Data Protection of 24 October 1995.
WHEN DID THE GDPR TAKE EFFECT?
The GDPR became directly applicable in all European Union Member States on 25 May 2018.
DOES THE GDPR GIVE CUSTOMERS THE RIGHT TO AUDIT Workforce Kinetics?
Under the GDPR, audit rights must be granted to data controllers in their contracts with data processors. The updated data processing agreements we offer therefore include audit rights for the benefit of our customers.
Due diligence Q&A
We have also provided a detailed list of questions and answers which you can use to complete your due diligence.
Data Protection Officer
How do I contact your data protection officer?
Systems and applications
Where is your data center located?
Europe (London), AWS region eu-west-2 (rds.eu-west-2.amazonaws.com)
Will the space in your data center be shared with any other clients?
No, we have dedicated infrastructure.
What measures are in place to protect the physical security of data centers where our data will be stored?
Data centers are owned and managed by Amazon's AWS
Who has access to our data?
Customer Services Supervisors
Is our data on your servers encrypted at rest?
Yes, we use Transparent Data Encryption (TDE) to encrypt your SQL data and all your documents
Business continuity
Do you have a business continuity plan that is reviewed, tested and updated at least annually?
When was the business continuity plan last tested?
User access
Who within your organisation will have access to the personal data?
Customer Services Supervisors
What user authentication do you use on networks/systems that store/process our data?
Our Customer Services team can access your data via a super admin function. This function can only be accessed from the IP address of our offices.
Access to our servers is likewise restricted to fixed IP addresses and protected by 2FA.
How often are user accounts reviewed for suitability of access levels?
We run a weekly report of who accesses our servers.
What are your password complexity policies?
Our password policy requires a 10-character minimum and alphanumeric passwords.
Penetration / security testing
Do you conduct penetration testing at least annually on all networks hosting our data?
Yes, annually. We also allow clients to conduct independent penetration tests.
Physical security
Please describe the physical security that protects our data, including building access and physical server access.
Physical security to our servers is managed by Rackspace. Physical security to our offices is managed by us.
Anti-virus
Do all devices hosting or connecting to our data have AV which is updated at least daily, runs a scheduled scan at least daily, and runs on execution?
Yes, all our laptops use Avast Antivirus, our servers use Microsoft Defender for Endpoint
Application development
Describe the procedures in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and that tests are performed prior to rollout.
We have a secure development policy. The development life cycle is the standard Business Requirements → Functional Specification → Technical Specification → Development → Units Tests → QA → UAT → Live
Describe the segregation of duties, including the separation of development, test, and operational facilities.
We have separate environments for Development, System Testing, UAT, and Live
Is production data used in test or development environments?
Logs
Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data?
Yes. Rackspace Managed Security provides active threat detection and remediation for advanced persistent threats (APTs) and other cyber-attacks.
Are all logs protected from deletion and/or amendment?
Is access to all logs recorded and monitored?
Breach notification
Do you have a formal breach notification process?
Detail the timelines to notify us of any suspected breach.
We would notify you without delay
Have you had a security breach within the last 12 months? If so, please describe the incident, effect, and outcome.
Data retention / deletion
For what period do you retain our data?
We never delete your data. How long you retain data on our facility is your responsibility
For what period is our data stored in back-ups?
We have a 65-day backup rotation period.
Where are our backups kept?
Data encryption
Is Personal Data encrypted in transit? Explain how
Is Personal Data encrypted at rest? Explain how
Yes, using Vormetric encryption, which encrypts your data and your documents with AES-256.
Territories
Is any of our data processed, stored or transferred outside of the EEA?
Sub-processors
Is our data passed on to any third parties for processing?
Yes. We have 5 Data Subprocessors:
- Amazon's AWS, who provide our dedicated infrastructure to host our application
- Google Workspace (Formerly G Suite), who send our application’s outgoing emails
- Google, who power our mobile application
- Microsoft, we use Azure to enable our integration with other Access Group products