Common Questions about Data Protection

Processing data

Question	Answer
Who do you hold personal data about as part of the services you provide to us? e.g. employees, customers	Employee personal data is held regarding your employees, dependent upon the modules you have purchased.
For what purposes do you use the personal data?	As processor, to provide the contracted services i.e. an HR and Payroll System.
Which of your departments have access to the personal data?	Only the necessary departments at IRIS can access the cloud services’ data including Support, Development/QA and Admin. We do have a role-based access policy in place for these departments.
What data processing activities do you undertake on our behalf (e.g. collection, recording, organisation, storage, use, disclosure, transmission, or dissemination of data)?	IRIS Cascade allows the employee to view their own personal HR records Your internal HR Team can send communication directly to the employee via email; this may contain personal data All communication between client browsers and IRIS Cascade is protected by TLS 1.2 encryption IRIS Cascade uses UK data centres exclusively for storing data, currently provided by Rackspace You and each individual employee can access that individual’s personal data
Where is the personal data collected from? e.g. direct from data subject, from us (customer), passed by a third party. If the latter, please state which third party(ies)	The data is entered directly into the system by your employees. No data is passed to a third party unless you have enabled third-party API links. You would be in control of this process.
How do you collect/receive the personal data? e.g. application form, secure online portal, password protected attachment via email	Personal data can be entered into the system via: Employee self-service You control who has access to the system to view and enter personal data You control what fields are visible in the system for each employee level Data can be imported into the system – this is done on your instruction
What procedures do you apply to ensure personal data is accurate and kept up to date?	The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have adequate standard operating procedures to ensure the accuracy of data entered into the system.
Do you automatically profile individuals? If yes, do you make decisions solely based on such automated processing, including profiling?	No
What procedures do you apply to ensure that no more than the personal data required is collected?	The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have standard operating procedures in place to ensure data minimisation.
What processes do you have in place to prevent the ex-filtration of sensitive data?	All actions in IRIS Cascade are bound by role based access control (RBAC) and profiles, which are fully configured by the customer's admins to control who sees what, and what they can do, down to the field level.

Processing locations and international data transfers

Question

Answer

Do you have processing locations outside of the UK? How does this affect security?

On occasion, IRIS may use engineers and third parties located in India for production environment support, deployment activities, access management, and security and vulnerability management.

In all these instances, information is held on secured network drives held in the UK and only accessible by those authorised to process it.

All relevant security requirements have been addressed and further information is available on request.

A full risk assessment is carried out annually to ensure that client data is always protected.

What measures are in place for international data transfers?

Supplementary measures for personal data processed in India:

IRIS and our engineers in India adhere to the standards of ISO 27001 and use privileged access management controls to audit activity of engineers.

VPNs and Bastions are used where appropriate and all communications are over encrypted channels.
IRIS has an international data transfer agreement in place with all sub-processors used that are based in India. This requires them to comply with IRIS data protection and security policies and standards, particularly in relation to handling requests from official sources.

Data Protection Systems

Question	Answer
Is your company compliant with the notification requirements of the Data Protection Act 2018 or equivalent legislation?	Yes
In the last 2 years, has your company been the subject of any data protection information notices, enforcement notices, decision notices, undertakings, or any equivalent regulatory notices/actions again? If yes, attach a copy of the document and explain what you have done to ensure that the situation does not occur again.	No
Does your organisation conduct regular compliance audits to ensure that data protection policy is compliant with relevant laws and regulations?	Yes, annual audits take place.

Policies

Is there a Data Protection Policy applicable to all staff who process data for us? If yes, please provide a copy.	IRIS has a Group Data Protection Policy. Staff who may have access to your data – for example in relation to Support or Professional Services are required to operate to standard operating procedures.
Do you have an up-to-date internal data breach register?	Yes. This is managed by the IRIS Group Data Protection Officer.
Do you have a Data Retention/Archive Policy? How long do you store data in relation to the service you provide to us and what criteria are applied to determine how long data is retained?	In the context of our function as a data processor, we are required to keep customer data for the retention period agreed in the contract, which represents the customer’s instructions to us. However, after the end of the provision of services relating to processing we must, at the choice of the customer, delete or return all the personal data to the customer and delete existing copies. It is up to the customer to ensure they instruct IRIS during any notice period of the end of the contract.
Do you have an internal data breach register or central record of processing activities?	Yes, this is reviewed annually or if a breach occurs, a review takes place of the issue and how to prevent it from occurring again.

Security and IT

Question	Answer
Do you have adequate physical security procedures and measures in place to protect personal data?	Yes, IRIS Cascade is BS EN ISO/IEC 27001:2013 compliant.
Do any staff who do not need access to any personal data have access to it? Consider both physically and via a computer network	No
Do you use encryption to protect personal data?	Data is encrypted at rest using the storage device to encrypt the data as it’s written to disk. Encryption is AES-256 and the encryption keys are managed by Rackspace but are unique to IRIS Cascade’s dedicated platform.
Are all mobiles phones, laptops and tablets which contain personal data tracked in an asset register, pin or password protected, encrypted and remotely wipeable?	No customer data is stored on staff equipment. Our Group IT look after IRIS’s asset register. Devices issued to staff by IRIS Group IT will be included in that register.
How is removable storage media recorded and managed to ensure security?	Use of removable storage is minimal; no customer data may be downloaded from production environments.
What protections are there against unauthorised copying, processing etc?	Password security is in place for user access, encryption for data in transit, limited IRIS employee access only given to those employees that are necessary. All datacentre environments are isolated from corporate ones – access is via an VPN with two-factor authentication. Backup procedures by Azure and Rackspace are also in place.
What protections are there against accidental loss, damage or destruction?	We work with the principle of least privilege – developers and administrators are not allowed to work directly with live customer data, data is geo-replicated where possible.
Do you have robust frequent data back-up procedures?	Data is fully backed up offsite weekly, with differentials happening every few hours and transaction logs every 30 minutes. The internal Recovery Point Objective (RPO) is 4 hours. The Recovery Time Objective (RTO) is 72 hours.
How are back-up failures identified?	RackSpace Managed Backup (MBU) produces a report that we can query and see when there's been a failure. RackSpace also generate a ticket when MBU fails.
How are back-up failures dealt with?	At IRIS we review the MBU output every morning and follow up with any back-up failure to understand why it might have failed, and to decide whether it is appropriate to trigger an immediate further attempt at a back up, or whether it is more appropriate to ensure the subsequent back up definitely succeeds. All effort is focused on ensuring there are no sequential back-up failures for the same device.
What additional identification and security measures apply to any sensitive or special category data (if applicable)?	Not Applicable.

Sharing / Receiving data from third parties

Question	Answer
Do you have a complete list of data processors used by your organisation in respect of the personal data you process or control as part of the services you provide to us? If so, please provide a copy.	Rackspace (UK) SendGrid (Emails) Amazon SES (Emails) IRIS Cascade's production hosting environment is supported with a team that includes engineers from Cybage. IRIS Cascade’s Development systems are managed by local development team and Cybage.
How do you audit your data processors’ compliance with Data protection law?	We request security guarantees in line with Article 28 Of the General Data Protection Regulation (GDPR) We have Corporate procedures in relation to this.
Do you have a standard data processor agreement for use with third parties?	Yes
Does the client have have any control ver the use of the third parties listed?	Rackspace is essential to the successful use of IRIS Cascade and cannot be controlled on a customer by customer basis. SendGrid is the default email service for IRIS Cascade however Cascade customers can opt for a UK-pinned service via Amazon SES which IRIS Cascade will configure for the customer. Alternatively Cascade can be configured to route emails via the customer’s email relay of choice including their own email server.
What is SendGrid and what does SendGrid do with our data?	SendGrid is a US provider of cloud-based transactional and marketing email delivery, management and analytics services. These services will consist primarily of sending and delivering e-mail communications on behalf of customers to their recipients. The personal data transferred concern anyone who is a sender, recipient or copy recipient of an email which the Customer instructs SendGrid to deliver and manage. Data subjects may also include individuals who are mentioned within the body of emails sent by the Customer using SendGrid's services. The categories of personal data transferred: · Sender, recipient and copy recipient identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title); and · Any other personal data that the Customer chooses to include within the body of an e-mail that it sends using SendGrid's services. The personal data transferred to SendGrid for processing is determined and controlled by the Customer in its sole discretion. As such, SendGrid has no control over the volume and sensitivity of personal data processed through its service by the Customer.
Where is our data held?	Rackspace data centre.
What and where is Rackspace?	Rackspace is a UK data centre based in London. We use 2 different Rackspace centres: London LON3 London LON5

Compliance programme

Question

Answer

Who is responsible for data protection compliance in your organisation?

All IRIS staff are responsible for compliance with data protection in line with IRIS policies and procedures. The Chief Information Officer (CIO) has ultimate responsibility for enforcement of policies and procedures and is supported by the governance structure described in Appendix 1 of the Group Data Protection Policy.

What processes do you have in place to ensure identification of and prompt reporting of data breaches to us and (if appropriate) the Information Commissioner's Office?

IRIS Software Group has an overarching critical incident process. The IRIS Personal Data Incident Reporting Procedure falls under that process to ensure any incident is promptly reported to the Group Data Protection Officer and assessed in line with the regulatory guidelines on Breach Reporting under current data protection laws.

The IRIS Cascade Product Manager is responsible for ensuring that all staff involved in providing the IRIS Cascade service have the means to escalate incidents in line with the above corporate procedures.

As your Data Processor, IRIS Cascade will not report personal data breaches to a regulator on your behalf. However, IRIS Cascade will report incidents to you without undue delay so that you can report the matter to the ICO if you believe it is necessary to do so.

Who is responsible for dealing with the response to data breaches in your organisation?

Group Data Protection Officer in consultation with the CIO.

To the extent not already set out above, what action have you taken to ensure compliance with data protection laws?

IRIS has an Information Security and Governance Group, which includes members of the Executive Committee.

The IRIS Cascade Management Review Group leads on IRIS Cascade.

IRIS Cascade has carried out a gap analysis and risk assessment in line with current data protection regulations.

Do all staff receive data protection training? Please provide details.

IRIS use meta compliance to hold all Policies and procedures in relation to data protection. The compliance software tracks, records and enforces employees to:

Read company policies
Conduct assessments to record understanding
Conduct e-learning activities in relation to data security, information security and managing incidents

The group also provides onsite training to key areas to support this knowledge and understanding of the subject matter:

Training	Training in place
Confidentiality Training	Yes - Annually
GDPR Training	Yes- Annually

Consent and rights of individuals

Question	Answer
On what basis is consent obtained by your organisation (if at all) to process an individual's personal data, i.e. for which categories of data do you rely upon the consent of the data subject?	This is only relevant to data controllers. In the context of our processor activity this would be the customer’s responsibility.
If consent is obtained, is the consent written? If not, how will it be demonstrated that consent has been given?	As above
Are there processes in place to allow an individual to withdraw their consent? If so, how can they do this and is it as easy as their initial giving of consent?	As above
If no consent is required or obtained, which grounds for processing will be relied on?	As above
Do you have a clear and known process to deal with Subject Access Requests?	As above
What is the process for you to respond to requests to rectify inaccurate personal data about an individual?	As above
What is the process for you to respond to a request under the right to be forgotten?	As above
Is personal data processed or accessed outside the European Economic Area (EEA)? If so, what measures are in place for such transfers e.g. binding corporate rules, adequacy decision or appropriate safeguards including data processor contracts?	Where SendGrid is used: IRIS Cascade uses SendGrid for the sending of system generated emails. To enable this process, email header information is transferred to the USA. Email header information may contain limited personal data (employee name/email address). This process is covered by the EU Standard contract clause for data transfers to third countries. For the purposes of Schrems II: no additional safeguards are deemed necessary as the data transferred is only email header and not the email content.
Do you have a Privacy Policy/Fair Processing Notice?	It is the Controller’s (customer’s) responsibility to provide data subjects with a privacy/fair processing explanation.
How are individuals whose personal data you process made aware of the Privacy Policy/Fair Processing Notice?	It is the Controller’s (customer’s) responsibility to provide data subjects with this information.

Access Control

Question	Answer
Is there a documented procedure to revoke leaver access to data, physical access to premises and information systems?	Yes
Is there a documented procedure to recover all computer equipment, access tokens, key etc prior to an employee leaving?	Yes
Upon termination, is there a documented procedure to for the immediate revoking of physical access to premises and the logical access to computer systems?	Yes
Are privileged user accounts only used for performing specific functions that require administrator or other privileged access, and are not used day to day work?	Yes
Are your password settings configured to ensure that passwords meet a minimum length of 8 characters, are complex, and are required to be changed at least every 90 days? Complex passwords must contain characters from three of the following five categories: Uppercase characters (A through Z) Lowercase characters (a through z Base 10 digits (0 through 9) Non-alphanumeric characters: ~!@#$%^&*_-+=`\|\(){}[]:;"'<>,.?/ Any Unicode character that is categorised as an alphabetic character but is not uppercase or lowercase. This can include Unicode characters from Asian languages	Customers are in control of their password policies, which can be configured within the application. Customers can control password complexity and history. Note that this applies only to users logging in against simple username/password combinations in IRIS Cascade – customers may choose to instead/also authenticate their users against an external provider such as ADFS or Azure AD. In this instance, password policies are the responsibility of the customer’s external provider.
What technical measures are implemented in relation to passwords being stored in the database?	Passwords in the Cascade database are salted and hashed, with a unique salt per user.
Can Azure authentication but used in scenarios where users share terminals?	Azure authentication (and any other external providers) can be used for shared devices, however users must sign out of Azure before leaving their machine for others to access.
Can you use Cascade Modern Authentication with 3rd party authentication libraries?	Modern Authentication was designed to work with 3rd Party authentication providers - It is designed to work with OIDC/OAuth 2.0 only - SAML is not supported. You must remember that when signing in and out of Cascade, you must also sign in and out of your chosen 3rd party authentication provider.
Are shared (generic) accounts used for any privileged / sensitive access or functions?	No
How is data separation managed between your different customers? (Detail the measures in place.)	IRIS Cascade is a multi tenanted SaaS with customers databases separated logically. User cannot access any database other than their own.

Operations Security

Question	Answer
Is there a formally documented change management procedure in place that requires that all changes to applications, systems, databases and all network components are documented and require management approval?	Yes. Changes are documented. Software changes require approval from a Change Advisory Board Technical Development requires approval from the Architectural Review Board
Is there a process in place to ensure that only secure and approved hardware and software is procured for use in providing services within your organisation?	Rackspace provide the hardware used in the IRIS Cascade service.
Are all systems required to have active anti-malware installed and running?	Yes
Are anti-malware signature updates deployed across the production environment, including servers, email servers, and end users’ devices, within 24 hours of updates being made available?	The production environment anti-malware is a managed service provided by eSentire Rackspace. Updates are deployed when available.
Is there an internal vulnerability scanning process this is performed on at least a quarterly basis?	Vulnerability scanning for IRIS Cascade is performed on a regular basis and when significant platform/software changes are made
Are findings from vulnerability scans tracked, and are rescans performed until no findings are identified?	Yes
Is there patch management process in place to ensure that all systems are kept up to date with the latest patch levels?	Patching is managed by IRIS on a schedule multiple times weekly.
Is there a process to ensure that critical security patches for hardware and software are implemented within 30 days of patch release?	Yes. Patching matches the IRIS Group Policies.
Are penetration tests of critical applications or networks with Internet connectivity performed at least every 12 months and after significant changes?	Yes. We pen test the applications. Infrastructure is tested as part of those pen tests. External penetration tests are conducted annually by an independent penetration tester. Internal penetration tests are also conducted.
Is customer data physically and logically separated from data of other clients?	Customer data is stored in separate databases.

Communications Security

Question	Answer
Is there a process or a system in place to ensure that all systems and networks used to deliver services to Client configured in a consistent and secure manner, with approved security settings applied?	Yes, systems use hardened images and configurations. Configuration management is used to ensure consistency.
Are the computer systems and networks that will be used to provide services to Client configured to prevent single points of failure, in order to provide business as usual services in the event of a systems failure?	Yes. All systems are at least N+1.
Are the computer systems and networks that will be used to provide services to Client monitored in real time, or have alerting that is responded to in a timely manner?	Yes
Are network intruder detection systems (NIDS) or network intruder prevention systems (NIPS) installed and configured to monitor all external perimeter network connections?	Yes, an IDS is in place to detect suspected activity.
Is there technology in place to encrypt, point to point, all customer data that travels over public networks, including email, instant messaging and voice over IP (VoIP), using an industry standard encryption algorithm?	Data encryption in transit uses certificates. Data is also encrypted at rest.
If wireless networks are used, are technical controls in place to protect connections to it using WPA2/PSK at a minimum?	No wi-fi networks exist on the production systems.
Are controls in place to segregate guest wireless networks from the corporate network?	Yes

System Acquisition, Development & Security

Question	Answer
Are controls in place to prohibit the use of customer live data within the development and testing environments?	Yes
Does the system development lifecycle (SDLC) include information security requirements to support development of secure systems?	Yes – security is considered during Architecture Review Board (ARB) stage for major projects; all code changes are subject to automated analysis against the OWASP top 10 and SANS top 25 lists. In addition, the codebase is scanned at least once a week by an automated vulnerability scan tool. Any issues found during any of these stages are fixed straight away, before release. The SDLC emphasises shifting security testing left so that the master branch remains secure, stable and releasable.
Are Penetration tests conducted? How often are they conducted?	Yes – at least annually.
Does the change management process require the security team to authentication, authorisation, and access control mechanisms?	Yes

Business Continuity Management

Question	Answer
Do you have a Business Continuity Plan?	Yes
Does the plan include Business and technical Recovery, so that services can be resumed to clients, within acceptable timescales?	Yes
How often is the BCP tested?	We test our Business Continuity planning yearly.
Are you certified to any recognised Business Continuity Standard for the full range of products and services you provide to Client?	ISO Compliant.
Do you have a clearly defined Incident Response Structure which ensure incidents are identified, escalated and effectively managed?	Yes

Scalability

Question	Answer
Please provide an overview of your platform in terms of the tech stack, key architectural components and the dependant third party services	The tech stack at the time of writing uses Windows Server 2019 and 2022 with IIS and SQL Server 2019 and 2022 as the base layer, although software versions are subject to change for patch management and operational requirements. Software is mostly written in ASP.NET, and at the time of writing is running against version 6 of the runtime. Some components remain in classic ASP, and newer components are written in Angular 8. The application is split between the distributed, multi-tenant web tier, with data housed in single-tenant databases distributed across our SQL clusters. Back-office or asynchronous services are provided by dedicated services running on headless servers. Inter-process messaging is currently handled by RabbitMQ, with caching performed using Redis. All components are installed on servers within our Rackspace network, and no external communication is required.
How does your platform scale to accommodate spikes in traffic? (specify the level that can be accommodated)	The system is built to handle peak traffic. Some scaling is in place for busy periods.
Please provide an overview of the monitoring solution that you have in place for the platform?	Various monitoring systems are in place, from infrastructure monitoring, APM, logs and alerting systems.
Has the platform been load tested? If so, at what levels?	No
Are there any known bottlenecks (with respect to platform performance and stability) in the platform?	The system is known to be slower when employee numbers go above 14,000 – we are working to improve this, but at the time of writing this is the only known performance bottleneck.
What dependencies does the platform have on licensed third-party components?	At the time of writing – Aspose Words, Aspose Cells, DevExpress, FusionCharts, Voiceflow (AI Bot).
What process is in place to ensure that all dependant third party components are upgraded when and as required particularly with respect to security patches?	Third party components are integrated using the .NET package manager, NuGet. New versions are apparent here, and development teams review every release for new versions.
What level of availability has been achieved by the platform in the last 6 months?	Latest availability stats can be provided on request, typically availability if 99.9% or above over a given period.
Are there any specific areas of the platform that have not achieved the overall level of availability within the last 6 months?	No
What internal alerting and escalation process is in place within the organisation to ensure that action is taken when part of, or the entire system becomes unavailable?	The alerting and monitoring processes are managed by the Operations team. This is followed up by an incident management process.