Common Questions about Data Protection

Find answers to some common questions about data protection in our IRIS Cascade products.

Question Answer

Who do you hold personal data about as part of the services you provide to us? e.g. employees, customers

Employee personal data is held regarding your employees, dependent upon the modules you have purchased

For what purposes do you use the personal data?

As processor, to provide the contracted services i.e. an HR and Payroll System

Which of your departments have access to the personal data?

Only the necessary departments at IRIS can access the cloud services’ data including Support, Development/QA and Admin. We do have a role-based access policy in place for these departments

What data processing activities do you undertake on our behalf (e.g. collection, recording, organisation, storage, use, disclosure, transmission, or dissemination of data)?

  • IRIS Cascade allows the employee to view their own personal HR records

  • Your internal HR Team can send communication directly to the employee via email; this may contain personal data

  • All communication between client browsers and IRIS Cascade is protected by TLS 1.2 encryption

  • IRIS Cascade uses UK data centres exclusively for storing data, currently provided by Rackspace

  • You and each individual employee can access that individual’s personal data

Where is the personal data collected from? e.g. direct from data subject, from us (customer), passed by a third party. If the latter, please state which third party(ies)

The data is entered directly into the system by your employees. No data is passed to a third party unless you have enabled third-party API links. You would be in control of this process

How do you collect/receive the personal data? e.g. application form, secure online portal, password protected attachment via email

Personal data can be entered into the system via:

  • Employee self-service

  • You control who has access to the system to view and enter personal data

  • You control what fields are visible in the system for each employee level

  • Data can be imported into the system – this is done on your instruction

What procedures do you apply to ensure personal data is accurate and kept up to date?

The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have adequate standard operating procedures to ensure the accuracy of data entered into the system

Do you automatically profile individuals? If yes, do you make decisions solely based on such automated processing, including profiling?

No

What procedures do you apply to ensure that no more than the personal data required is collected?

The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have standard operating procedures in place to ensure data minimisation

What processes do you have in place to prevent the ex-filtration of sensitive data?

All actions in IRIS Cascade are bound by role based access control (RBAC) and profiles, which are fully configured by the customer's admins to control who sees what, and what they can do, down to the field level.

 

Question Answer

Do you have processing locations outside of the UK? How does this affect security?

 

On occasion, IRIS may use engineers and third parties located in India for production environment support, deployment activities, access management, and security and vulnerability management.

In all these instances, information is held on secured network drives held in the UK and only accessible by those authorised to process it.

All relevant security requirements have been addressed and further information is available on request.

A full risk assessment is carried out annually to ensure that client data is always protected.

 

What measures are in place for international data transfers?

Supplementary measures for personal data processed in India:

  • IRIS and our engineers in India adhere to the standards of ISO 27001 and use privileged access management controls to audit activity of engineers.

  • VPNs and Bastions are used where appropriate and all communications are over encrypted channels.

  • IRIS has an international data transfer agreement in place with all sub-processors used that are based in India. This requires them to comply with IRIS data protection and security policies and standards, particularly in relation to handling requests from official sources.

 

Question Answer

Is your company compliant with the notification requirements of the Data Protection Act 2018 or equivalent legislation? 

Yes

In the last 2 years, has your company been the subject of any data protection information notices, enforcement notices, decision notices, undertakings, or any equivalent regulatory notices/actions again?  If yes, attach a copy of the document and explain what you have done to ensure that the situation does not occur again.

No

Does your organisation conduct regular compliance audits to ensure that data protection policy is compliant with relevant laws and regulations?

Yes, annual audits take place

 

Is there a Data Protection Policy applicable to all staff who process data for us?  If yes, please provide a copy.

IRIS has a Group Data Protection Policy.  Staff who may have access to your data – for example in relation to Support or Professional Services are required to operate to standard operating procedures

Do you have an up-to-date internal data breach register?

Yes.  This is managed by the IRIS Group Data Protection Officer

Do you have a Data Retention/Archive Policy?
How long do you store data in relation to the service you provide to us and what criteria are applied to determine how long data is retained?

In the context of our function as a data processor, we are required to keep customer data for the retention period agreed in the contract, which represents the customer’s instructions to us. However, after the end of the provision of services relating to processing we must, at the choice of the customer, delete or return all the personal data to the customer and delete existing copies.  It is up to the customer to ensure they instruct IRIS during any notice period of the end of the contract

Do you have an internal data breach register or central record of processing activities?

Yes, this is reviewed annually or if a breach occurs, a review takes place of the issue and how to prevent it from occurring again

 

Question Answer  

Do you have adequate physical security procedures and measures in place to protect personal data?

Yes, IRIS Cascade is BS EN ISO/IEC 27001:2013 compliant

Do any staff who do not need access to any personal data have access to it?  Consider both physically and via a computer network

No

Do you use encryption to protect personal data?

Data is encrypted at rest using the storage device to encrypt the data as it’s written to disk.  Encryption is AES-256 and the encryption keys are managed by Rackspace but are unique to IRIS Cascade’s dedicated platform.

Are all mobiles phones, laptops and tablets which contain personal data tracked in an asset register, pin or password protected, encrypted and remotely wipeable?

No customer data is stored on staff equipment. Our Group IT look after IRIS’s asset register.  Devices issued to staff by IRIS Group IT will be included in that register

How is removable storage media recorded and managed to ensure security?

Use of removable storage is minimal; no customer data may be downloaded from production environments

What protections are there against unauthorised copying, processing etc?

Password security is in place for user access, encryption for data in transit, limited IRIS employee access only given to those employees that are necessary. All datacentre environments are isolated from corporate ones – access is via an VPN with two-factor authentication. Backup procedures by Azure and Rackspace are also in place.

What protections are there against accidental loss, damage or destruction?

We work with the principle of least privilege – developers and administrators are not allowed to work directly with live customer data, data is geo-replicated where possible.

Do you have robust frequent data backup procedures?

Data is fully backed up offsite weekly, with differentials happening every few hours and transaction logs every 30 minutes. The internal Recovery Point Objective (RPO) is 4 hours. The Recovery Time Objective (RTO) is 72 hours.

What additional identification and security measures apply to any sensitive or special category data (if applicable)?

Not Applicable.

 

Question Answer

Do you have a complete list of data processors used by your organisation in respect of the personal data you process or control as part of the services you provide to us? If so, please provide a copy.

  • Rackspace (UK)

  • SendGrid (Emails)

  • Amazon SES (Emails)

 

How do you audit your data processors’ compliance with Data protection law?

We request security guarantees in line with Article 28 Of the General Data Protection Regulation (GDPR)

We have Corporate procedures in relation to this.

Do you have a standard data processor agreement for use with third parties?

Yes

Does the client have have any control ver the use of the third parties listed?

Rackspace is essential to the successful use of IRIS Cascade and cannot be controlled on a customer by customer basis.

SendGrid is the default email service for IRIS Cascade however Cascade customers can opt for a UK-pinned service via Amazon SES which IRIS Cascade will configure for the customer. Alternatively Cascade can be configured to route emails via the customer’s email relay of choice including their own email server.

What is SendGrid and what does SendGrid do with our data?

SendGrid is a US provider of cloud-based transactional and marketing email delivery, management and analytics services. These services will consist primarily of sending and delivering e-mail communications on behalf of customers to their recipients.

The personal data transferred concern anyone who is a sender, recipient or copy recipient of an email which the Customer instructs SendGrid to deliver and manage. Data subjects may also include individuals who are mentioned within the body of emails sent by the Customer using SendGrid's services.

The categories of personal data transferred:

· Sender, recipient and copy recipient identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title); and

· Any other personal data that the Customer chooses to include within the body of an e-mail that it sends using SendGrid's services. The personal data transferred to SendGrid for processing is determined and controlled by the Customer in its sole discretion. As such, SendGrid has no control over the volume and sensitivity of personal data processed through its service by the Customer.

Where is our data held? Rackspace data centre.
What and where is Rackspace?

Rackspace is a UK data centre based in London.

We use 2 different Rackspace centres:

 

Question Answer

Who is responsible for data protection compliance in your organisation?

All IRIS staff are responsible for compliance with data protection in line with IRIS policies and procedures. The Chief Information Officer (CIO) has ultimate responsibility for enforcement of policies and procedures and is supported by the governance structure described in Appendix 1 of the Group Data Protection Policy.

What processes do you have in place to ensure identification of and prompt reporting of data breaches to us and (if appropriate) the Information Commissioner's Office?

IRIS Software Group has an overarching critical incident process. The IRIS Personal Data Incident Reporting Procedure falls under that process to ensure any incident is promptly reported to the Group Data Protection Officer and assessed in line with the regulatory guidelines on Breach Reporting under current data protection laws.

The IRIS Cascade Product Manager is responsible for ensuring that all staff involved in providing the IRIS Cascade service have the means to escalate incidents in line with the above corporate procedures.

As your Data Processor, IRIS Cascade will not report personal data breaches to a regulator on your behalf.  However, IRIS Cascade will report incidents to you without undue delay so that you can report the matter to the ICO if you believe it is necessary to do so.

 

Who is responsible for dealing with the response to data breaches in your organisation?

Group Data Protection Officer in consultation with the CIO.

To the extent not already set out above, what action have you taken to ensure compliance with data protection laws?

 

IRIS has an Information Security and Governance Group, which includes members of the Executive Committee.

The IRIS Cascade Management Review Group leads on IRIS Cascade.

IRIS Cascade has carried out a gap analysis and risk assessment in line with current data protection regulations

Do all staff receive data protection training? Please provide details.

IRIS use meta compliance to hold all Policies and procedures in relation to data protection. The compliance software tracks, records and enforces employees to:

  • Read company policies

  • Conduct assessments to record understanding

  • Conduct e-learning activities in relation to data security, information security and managing incidents

The group also provides onsite training to key areas to support this knowledge and understanding of the subject matter:

Training

Training in place

Confidentiality Training

Yes - Annually

GDPR Training

Yes- Annually


 

Question Answer

On what basis is consent obtained by your organisation (if at all) to process an individual's personal data, i.e. for which categories of data do you rely upon the consent of the data subject?

This is only relevant to data controllers. In the context of our processor activity this would be the customer’s responsibility.

If consent is obtained, is the consent written?  If not, how will it be demonstrated that consent has been given?

As above

Are there processes in place to allow an individual to withdraw their consent? If so, how can they do this and is it as easy as their initial giving of consent?

As above

If no consent is required or obtained, which grounds for processing will be relied on?

As above

Do you have a clear and known process to deal with Subject Access Requests?

As above

What is the process for you to respond to requests to rectify inaccurate personal data about an individual?

As above

What is the process for you to respond to a request under the right to be forgotten?

As above

Is personal data processed or accessed outside the European Economic Area (EEA)?  If so, what measures are in place for such transfers e.g. binding corporate rules, adequacy decision or appropriate safeguards including data processor contracts?

Where SendGrid is used:

IRIS Cascade uses SendGrid for the sending of system generated emails.

To enable this process, email header information is transferred to the USA. Email header information may contain limited personal data (employee name/email address). 

This process is covered by the EU Standard contract clause for data transfers to third countries.

For the purposes of Schrems II: no additional safeguards are deemed necessary as the data transferred is only email header and not the email content

 

Do you have a Privacy Policy/Fair Processing Notice?

It is the Controller’s (customer’s) responsibility to provide data subjects with a privacy/fair processing explanation

How are individuals whose personal data you process made aware of the Privacy Policy/Fair Processing Notice?

It is the Controller’s (customer’s) responsibility to provide data subjects with this information.

 

Question Answer

Is there a documented procedure to revoke leaver access to data, physical access to premises and information systems?

Yes

Is there a documented procedure to recover all computer equipment, access tokens, key etc prior to an employee leaving?

Yes

Upon termination, is there a documented procedure to for the immediate revoking of physical access to premises and the logical access to computer systems?

Yes

Are privileged user accounts only used for performing specific functions that require administrator or other privileged access, and are not used day to day work?

Yes

Are your password settings configured to ensure that passwords meet a minimum length of 8 characters, are complex*, and are required to be changed at least every 90 days?


*Complex passwords must contain characters from three of the following five categories:

  • Uppercase characters (A through Z)

  • Lowercase characters (a through z

  • Base 10 digits (0 through 9)

  • Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

  • Any Unicode character that is categorised as an alphabetic character but is not uppercase or lowercase. This can include Unicode characters from Asian languages

Customers are in control of their password policies, which can be configured within the application. Customers can control password complexity and history.

Note that this applies only to users logging in against simple username/password combinations in IRIS Cascade – customers may choose to instead/also authenticate their users against an external provider such as ADFS or Azure AD. In this instance, password policies are the responsibility of the customer’s external provider.

What technical measures are implemented in relation to passwords being stored in the database?

Passwords in the Cascade database are salted and hashed, with a unique salt per user.

Can Azure authentication but used in scenarios where users share terminals?

Azure authentication (and any other external providers) can be used for shared devices, however users must sign out of Azure before leaving their machine for others to access.

Can you use Cascade Modern Authentication with 3rd party authentication libraries?

Modern Authentication was designed to work with 3rd Party authentication providers - It is designed to work with OIDC/OAuth 2.0 only - SAML is not supported. You must remember that when signing in and out of Cascade, you must also sign in and out of your chosen 3rd party authentication provider.
Are shared (generic) accounts used for any privileged / sensitive access or functions? No

How is data separation managed between your different customers?

(Detail the measures in place.)

 IRIS Cascade is a multi tenanted SaaS with customers databases separated logically. User cannot access any database other than their own.

 

Question Answer

Is there a formally documented change management procedure in place that requires that all changes to applications, systems, databases and all network components are documented and require management approval?

Yes. Changes are documented.

  • Software changes require approval from a Change Advisory Board

  • Technical Development requires approval from the Architectural Review Board

Is there a process in place to ensure that only secure and approved hardware and software is procured for use in providing services within your organisation?

Rackspace provide the hardware used in the IRIS Cascade service

Are all systems required to have active anti-malware installed and running?

Yes

Are anti-malware signature updates deployed across the production environment, including servers, email servers and end users’ devices, within 24 hours of updates being made available?

The production environment anti-malware is a managed service provided by Rackspace.  Updates are deployed when available

 

Is there an internal vulnerability scanning process this is performed on at least a quarterly basis?

Vulnerability scanning for IRIS Cascade is performed on a regular basis and when significant platform/software changes are made

Are findings from vulnerability scans tracked, and are rescans performed until no findings are identified?

Yes

Is there patch management process in place to ensure that all systems are kept up to date with the latest patch levels?

Patching is a managed service provided by Rackspace.  All systems are kept up to date regularly.

Is there a process to ensure that critical security patches for hardware and software are implemented within 30 days of patch release?

Yes.  Patching is performed monthly

Does the organisation regularly conduct penetration tests on the network and IT systems and services?

Yes

 

Are penetration tests of critical applications or networks with Internet connectivity performed at least every 12 months and after significant changes?

Yes

Is customer data physically and logically separated from data of other clients?

Customer data is stored in separate databases.

 

Question Answer

Is there a process or a system in place to ensure that all systems and networks used to deliver services to Client configured in a consistent and secure manner, with approved security settings applied?

Yes, systems use hardened images and configurations.  Configuration management is used to ensure consistency 

Are the computer systems and networks that will be used to provide services to Client configured to prevent single points of failure, in order to provide business as usual services in the event of a systems failure?

Yes.  All systems are at least N+1

Are the computer systems and networks that will be used to provide services to Client monitored in real time, or have alerting that is responded to in a timely manner?

Yes

Are network intruder detection systems (NIDS) or network intruder prevention systems (NIPS) installed and configured to monitor all external perimeter network connections?

Yes, an IDS is in place to detect and block suspected activity

Is there technology in place to encrypt, point to point, all customer data that travels over public networks, including email, instant messaging and voice over IP (VoIP), using an industry standard encryption algorithm?

Data encryption in transit uses certificates.  Data is also encrypted at rest

If wireless networks are used, are technical controls in place to protect connections to it using WPA2/PSK at a minimum?

No wi-fi networks exist on the production systems

Are controls in place to segregate guest wireless networks from the corporate network?

Yes

 

Question Answer

Are controls in place to prohibit the use of customer live data within the development and testing environments?

Yes

Does the system development lifecycle (SDLC) include information security requirements to support development of secure systems?

Yes – security is considered during Architecture Review Board (ARB) stage for major projects; all code changes are subject to automated analysis against the OWASP top 10 and SANS top 25 lists. In addition, the codebase is scanned at least once a week by an automated vulnerability scan tool. Any issues found during any of these stages are fixed straight away, before release. The SDLC emphasises shifting security testing left so that the master branch remains secure, stable and releasable

Are Penetration tests conducted? How often are they conducted?

Yes – at least annually

Does the change management process require the security team to authentication, authorisation, and access control mechanisms?

Yes

 

Question Answer

Do you have a Business Continuity Plan?

Yes

Does the plan include Business and technical Recovery, so that services can be resumed to clients, within acceptable timescales?

Yes

How often is the BCP tested?

We test our Business Continuity planning yearly.

Are you certified to any recognised Business Continuity Standard for the full range of products and services you provide to Client?

ISO Compliant

Do you have a clearly defined Incident Response Structure which ensure incidents are identified, escalated and effectively managed?

Yes

 

Question Answer

Please provide an overview of your platform in terms of the tech stack, key architectural components and the dependant third party services

The tech stack at the time of writing uses Windows Server 2019 with IIS and SQL Server 2019 as the base layer, although software versions are subject to change for patch management and operational requirements.

Software is mostly written in ASP.NET, and at the time of writing is running against version 4.7.2 of the runtime. Some components remain in classic ASP, and newer components are written in Angular 8.

The application is split between the distributed, multi-tenant web tier, with data housed in single-tenant databases distributed across our SQL clusters. Back-office or asynchronous services are provided by dedicated services running on headless servers. Inter-process messaging is currently handled by RabbitMQ, with caching performed using Redis. All components are installed on servers within our Rackspace network, and no external communication is required

How does your platform scale to accommodate spikes in traffic? (specify the level that can be accommodated)

The system is built to handle peak traffic.  Some scaling is in place for busy periods

Please provide an overview of the monitoring solution that you have in place for the platform?

Various monitoring systems are in place, from infrastructure monitoring, APM, logs and alerting systems

Has the platform been load tested? If so, at what levels?

No

Are there any known bottlenecks (with respect to platform performance and stability) in the platform?

The system is known to be slower when employee numbers go above 14,000 – we are working to improve this, but at the time of writing this is the only known performance bottleneck

What dependencies does the platform have on licensed third-party components?

At the time of writing – Aspose Words, Aspose Cells, DevExpress, FusionCharts

What process is in place to ensure that all dependant third party components are upgraded when and as required particularly with respect to security patches?

Third party components are integrated using the .NET package manager, NuGet. New versions are apparent here, and development teams review every release for new versions

What level of availability has been achieved by the platform in the last 6 months?

Latest availability stats can be provided on request, typically availability if 99.9% or above over a given period.

Are there any specific areas of the platform that have not achieved the overall level of availability within the last 6 months?

No

What internal alerting and escalation process is in place within the organisation to ensure that action is taken when part of, or the entire system becomes unavailable?

The alerting and monitoring processes are managed by the Operations team.  This is followed up by an incident management process.