Data protection

Do you have processing locations outside of the UK? How does this affect security?

On occasion, IRIS may use engineers and third parties located in India for production environment support, deployment activities, access management, and security and vulnerability management.

In all these instances, information is held on secured network drives held in the UK and only accessible by those authorised to process it.

All relevant security requirements have been addressed and further information is available on request.

A full risk assessment is carried out annually to ensure that client data is always protected.

What measures are in place for international data transfers?

Supplementary measures for personal data processed in India:

• IRIS and our engineers in India adhere to the standards of ISO 27001 and use privileged access management controls to audit activity of engineers.

• VPNs and Bastions are used where appropriate and all communications are over encrypted channels.

• IRIS has an international data transfer agreement in place with all sub-processors used that are based in India. This requires them to comply with IRIS data protection and security policies and standards, particularly in relation to handling requests from official sources.

Is your company compliant with the notification requirements of the Data Protection Act 2018 or equivalent legislation? 

Yes

In the last 2 years, has your company been the subject of any data protection information notices, enforcement notices, decision notices, undertakings, or any equivalent regulatory notices/actions again?  If yes, attach a copy of the document and explain what you have done to ensure that the situation does not occur again.

No

Does your organisation conduct regular compliance audits to ensure that data protection policy is compliant with relevant laws and regulations?

Yes.

Is there a Data Protection Policy applicable to all staff who process data for us?

Yes.

Do you have an up-to-date internal data breach register?

Yes.

Do you have a Data Retention/Archive Policy?
How long do you store data in relation to the service you provide to us and what criteria are applied to determine how long data is retained?

Yes.

The data retention policy for your data is determined by you from within the system. The system will automatically remove or anonymise data at the times specified.

Do you have an internal data breach register or central record of processing activities?

Yes.

Do you have a complete list of data processors used by your organisation in respect of the personal data you process or control as part of the services you provide to us? If so, please provide a copy.

• Rackspace (UK Hosting)

• Reach Interactive (SMS)

• SendGrid (Emails)

• SendInBlue (Emails)

While SendGrid and SendInBlue are our default providers for email, it is possible for us to use alternative email providers. There may also be Sub-Processors depending on the additional Modules you have selected (for example Experian or DocuSign). Please contact your Account Manager for further details on modular sub-processors.

How do you audit your data processors' compliance with data protection law?

We request security guarantees in line with Article 28 Of the General Data Protection Regulation (GDPR).

We have Corporate procedures in relation to this.

Do you have a standard data processor agreement for use with third parties?

Yes.

Does the client have have any control over the use of the third parties listed?

Rackspace is essential to the successful use of IRIS Networx and cannot be controlled on a customer by customer basis.

Some of the third parties are only used if optional modules are purchased by the client.

What is SendGrid and what does SendGrid do with our data?

SendGrid is an email delivery and management service that helps businesses send transactional and marketing emails. It provides tools and APIs for sending emails, managing recipient lists, and tracking email performance.

SendGrid is committed to ensuring that it is GDPR compliant. They have a privacy policy that outlines how they handle user data. This policy provides details on what data they collect, how it's used, who has access to it, and what security measures are in place to protect it.

On what basis is consent obtained by your organisation (if at all) to process an individual's personal data, i.e. for which categories of data do you rely upon the consent of the data subject?

Consent is obtained from the candidate to store their candidate account data.

In order to fulfil a contract is used for the vacancy applications.

If consent is obtained, is the consent written?  If not, how will it be demonstrated that consent has been given?

For the candidate account a checkbox must be selected to proceed with account creation.

There is a link to a privacy policy next to this checkbox informing the candidate what data will be stored, what it will be used for, who it will be shared with and how long it will be retained.

This checkbox is not selected by default. This action is logged, and the candidate can see when they provided consent within their candidate account.

Are there processes in place to allow an individual to withdraw their consent? If so, how can they do this and is it as easy as their initial giving of consent?

Yes.

The candidates can withdraw their consent at any time from within their candidate account.

Do you have a clear and known process to deal with Subject Access Requests?

Yes.

There is a dedicated feature within IRIS Networx Recruitment to fulfil Subject Access Requests.

What is the process for you to respond to requests to rectify inaccurate personal data about an individual?

Candidates can rectify inaccurate information relating to their profile and incomplete applications from within the candidate account.

For complete applications, these requests will be forwarded to clients.

What is the process for you to respond to a request under the right to be forgotten?

Candidates can withdraw from applications and deactivate their account at any time.

There is also dedicated functionality within the system to delete all information held about a candidate to cater for these requests.

Is personal data processed or accessed outside the European Economic Area (EEA)?  If so, what measures are in place for such transfers e.g. binding corporate rules, adequacy decision or appropriate safeguards including data processor contracts?

Where SendGrid is used:

IRIS Networx uses SendGrid for the sending of system generated emails.

To enable this process, email header information is transferred to the USA. Email header information may contain limited personal data (employee name/email address).

This process is covered by the EU Standard contract clause for data transfers to third countries.

For the purposes of Schrems II: no additional safeguards are deemed necessary as the data transferred is only email header and not the email content.

Do you have a Privacy Policy/Fair Processing Notice?

Yes.

There is a separate privacy notice for the candidate account and for each application which details what will happen with the candidate’s data for the specific vacancy.

How are individuals whose personal data you process made aware of the Privacy Policy/Fair Processing Notice?

Candidates must tick a checkbox to indicate they have read the privacy policy. This checkbox is not ticked by default.

Is there a formally documented change management procedure in place that requires that all changes to applications, systems, databases and all network components are documented and require management approval?

Yes. Changes are documented.

• Software changes require approval from a Change Advisory Board.

• Technical Development requires approval from the Architectural Review Board.

Is there a process in place to ensure that only secure and approved hardware and software is procured for use in providing services within your organisation?

Rackspace provide the hardware used in the IRIS Networx service

Are all systems required to have active anti-malware installed and running?

Yes.

Are anti-malware signature updates deployed across the production environment, including servers, email servers and end users’ devices, within 24 hours of updates being made available?

The production environment anti-malware is a managed service provided by Rackspace. Updates are deployed when available.

Is there an internal vulnerability scanning process this is performed on at least a quarterly basis?

Vulnerability scanning for IRIS Networx is performed on a regular basis and when significant platform/software changes are made.

Are findings from vulnerability scans tracked, and are rescans performed until no findings are identified?

Yes

Is there patch management process in place to ensure that all systems are kept up to date with the latest patch levels?

Patching is a managed service provided by Rackspace.  All systems are kept up to date regularly.

Is there a process to ensure that critical security patches for hardware and software are implemented within 30 days of patch release?

Yes.  Patching is performed monthly.

Does the organisation regularly conduct penetration tests on the network and IT systems and services?

Yes. We perform a monthly automated scan and commission an annual independent penetration test from an accredited provider.

Are penetration tests of critical applications or networks with Internet connectivity performed at least every 12 months and after significant changes?

Yes.

Is customer data physically and logically separated from data of other clients?

Data for each company is logically separated; this logical data separation is written into the architecture of the system to ensure there is no possibility of companies accessing information other than their own.

Is there a process or a system in place to ensure that all systems and networks used to deliver services to Client configured in a consistent and secure manner, with approved security settings applied?

Yes, systems use hardened images and configurations.  Configuration management is used to ensure consistency.

Are the computer systems and networks that will be used to provide services to Client configured to prevent single points of failure, in order to provide business as usual services in the event of a systems failure?

Yes.  All systems are at least N+1

Are the computer systems and networks that will be used to provide services to Client monitored in real time, or have alerting that is responded to in a timely manner?

Yes

Are network intruder detection systems (NIDS) or network intruder prevention systems (NIPS) installed and configured to monitor all external perimeter network connections?

Yes, an IDS is in place to detect and block suspected activity.

Is there technology in place to encrypt, point to point, all customer data that travels over public networks, including email, instant messaging and voice over IP (VoIP), using an industry standard encryption algorithm?

Data encryption in transit uses certificates.  Data is also encrypted at rest.

If wireless networks are used, are technical controls in place to protect connections to it using WPA2/PSK at a minimum?

No wi-fi networks exist on the production systems.

Are controls in place to segregate guest wireless networks from the corporate network?

Yes

Are controls in place to prohibit the use of customer live data within the development and testing environments?

Yes

Does the system development lifecycle (SDLC) include information security requirements to support development of secure systems?

Yes.

Security is considered during Architecture Review Board (ARB) stage for major projects; all code changes are subject to automated analysis against the OWASP top 10 and SANS top 25 lists. In addition, the codebase is scanned at least once a week by an automated vulnerability scan tool. Any issues found during any of these stages are fixed straight away, before release. The SDLC emphasises shifting security testing left so that the master branch remains secure, stable and releasable.

Are Penetration tests conducted? How often are they conducted?

Yes.

We perform a monthly automated scan and commission an annual independent penetration test from an accredited provider.

Does the change management process require the security team to authentication, authorisation, and access control mechanisms?

Yes.

Do you have a Business Continuity Plan?

Yes

Does the plan include Business and technical Recovery, so that services can be resumed to clients, within acceptable timescales?

Yes, for RPO and RTO timescales, please see Security and IT.

How often is the BCP tested?

We test our Business Continuity planning on an annual basis.

Are you certified to any recognised Business Continuity Standard for the full range of products and services you provide to Client?

ISO Compliant.

Do you have a clearly defined Incident Response Structure which ensure incidents are identified, escalated and effectively managed?

Yes.

Please provide an overview of your platform in terms of the tech stack, key architectural components and the dependant third party services

The tech stack at the time of writing uses Windows Server 2022 with IIS and SQL Server 2019 as the base layer, although software versions are subject to change for patch management and operational requirements.

Software is mostly written in ASP.NET, and at the time of writing is running against version 4.6.1 of the runtime. Newer software is written in .NET 5 and 7.

The application is split between the multi-tenant web tier and data housed in multi-tenant databases across our SQL clusters. Back-office services are provided by dedicated services running on headless servers. Inter-process messaging is currently handled by Azure Service Bus. Most components are installed on servers within our Rackspace network and newer applications are hosted on Azure utilising Relay Hybrid Connections for database connectivity.

How does your platform scale to accommodate spikes in traffic? (specify the level that can be accommodated)

The system is built to handle peak traffic.  Some scaling is in place for busy periods.

Please provide an overview of the monitoring solution that you have in place for the platform?

Various monitoring systems are in place, from infrastructure monitoring, APM, logs, and alerting systems

Has the platform been load tested? If so, at what levels?

No.

Are there any known bottlenecks (with respect to platform performance and stability) in the platform?

No.

What dependencies does the platform have on licensed third-party components?

At the time of writing - Aspose Words and DevExpress.

What process is in place to ensure that all dependant third party components are upgraded when and as required particularly with respect to security patches?

Third party components are integrated using the .NET package manager, NuGet. New versions are apparent here, and development teams review every release for new versions.

What level of availability has been achieved by the platform in the last 6 months?

Latest availability stats can be provided on request, typically availability is 99.9% or above over a given period.

Are there any specific areas of the platform that have not achieved the overall level of availability within the last 6 months?

No.

What internal alerting and escalation process is in place within the organisation to ensure that action is taken when part of, or the entire system becomes unavailable?

The alerting and monitoring processes are managed by the Operations team.  This is followed up by an incident management process.