This document provides an overview of how Rotify adheres to data protection laws and regulations. Based in the United Kingdom, Rotify adheres to both the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (UK DPA), jointly referred to as “Data Protection” in this document.
What is Rotify’s Data Protection ‘Role’?
Rotify acts as:
Processor for client data (including client employees’ data) hosted on the Rotify Software;
Controller of our client and supplier contact information, which we need in order to manage and deliver services under contract; and
Controller for personal data relating to Rotify’s own employees.
How Rotify complies with Data Protection
Rotify places paramount importance on the security of our products and the protection of personal data. Everyone at Rotify takes ownership of this, and we apply data protection by design and by default, meaning we put data protection at the forefront of the work we undertake and the services we provide, ensuring that Rotify and our hosting infrastructure are robust and secure. We appreciate that our customers trust us with their data and understand our responsibility to protect all personal data we hold.
Data protection compliance requires appropriate technical and organisational measures to be in place to protect data and safeguard individuals’ rights. At Rotify, we integrate data protection throughout the entire data lifecycle and consider it upfront in everything we do, including:
Being proactive, not reactive, by considering data protection at the beginning of the data security planning process;
Data protection as our default setting;
Data protection embedded into design as a core feature of the product, including password protection, pseudonymisation, encryption and data retention/deletion;
End-to-end security, meaning privacy protections follow the data wherever it goes, applying the same principles from when the data is first created until the day it is deleted; and
Respect for user privacy, keeping it user-centric and providing each data subject with their rights.
Rotify’s hosting solution
Rotify’s customer system is hosted on Microsoft Azure in London, United Kingdom. We enforce HTTPS, which encrypts and protects the communication between your browser and our servers, and we operate comprehensive firewall policies across our infrastructure.
Azure is a trusted hosting partner that complies with many industry standards and holds security certifications including:
ISO 27001 Information Security Management
ISO 9001 Quality Management
ISO 27017 Cloud security controls
ISO 27018 Protection of personal data in the cloud
SOC 1 audit controls report
SOC 2 Security, Availability and Confidentiality report
Rotify has several documented policies and procedures covering IT security and Data Protection.
Our IT security policy covers:
Protecting and maintaining the confidentiality, integrity and availability of information and related infrastructure assets;
Processes for passwords, encryption, asset management and control;
Managing the risk of security exposure or compromise;
Assuring a secure and stable information technology (IT) environment;
Identifying and responding to events involving information asset misuse, loss or unauthorised disclosure;
Monitoring systems for anomalies that might indicate compromise;
Business and information security continuity planning including back up processes; and
Promoting and increasing the awareness of information security.
Our Data protection policy covers:
Commitment to data protection by design and by default, supporting the fundamental rights and freedoms of all individuals whose personal data we process;
Data Protection Officer role;
Adherence to the data protection principles and enabling individuals to exercise their rights;
Data sharing and international transfers where applicable;
Supplier and Sub-contractor management;
Staff awareness and training;
Clear desk and screen requirements;
Direct marketing principles; and
Record keeping and retention policy.
Processing systems and electronic information security
Rotify has implemented security measures that:
Prevent unauthorised persons from gaining access to and using processing systems;
Restrict access to Personal Data to only those personnel who need to view it as part of their role, following a least-privilege approach;
Ensure that only users can set and review their own passwords;
Ensure Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage;
Provide the ability to track system access and audit where Personal Data has been accessed, modified or removed, by assigning each employee a unique user ID; and
Restrict access to sensitive personal data to senior staff members.
Only users can set and review their own passwords in Rotify, so even users with system administrator access cannot see or amend other users’ passwords. All passwords are held in a database separate from the application and are stored in encrypted form.
Physical Site Security
In respect of all sites at which a relevant processing system and/or any Personal Data in any format is located, including any data centre, Rotify:
Ensures all sites are protected by appropriate entry controls, including professional security staff, video surveillance, intrusion detection systems and other electronic means, to confirm that only authorised personnel are allowed access;
Ensures all authorised staff use two-factor authentication to access data centres and any visitors and contractors are escorted on the premises at all times;
Maintains at least industry standard security systems to restrict access to the site and data appropriately;
Ensures secure maintenance, disposal or re-use of equipment; and
Has implemented physical protection against environmental threats including flooding, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.
Rotify’s management team actively supports security within the organisation through clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.
Rotify ensures networks are adequately managed and controlled so that they are protected from threats. IT management always considers how changes to a network element or connected resource may affect the security of other systems and applications using the network, including information in transit.
We maintain up-to-date anti-virus and anti-malware software on all processing systems.
All data is encrypted at rest by default. Methods include hardware disk encryption on servers and Azure encryption at rest, with the encryption keys held internally by the responsible department.
Laptops and other portable devices are encrypted by policy. Mobile devices are not allowed to connect to corporate data networks without encryption; this is also enforced by policy.
Laptops use BitLocker, enforced by policy, with recovery keys stored centrally in the encrypted Active Directory environment. BitLocker uses the TPM to protect the keys that encrypt the local drives, and start-up requires an individual PIN (TPM+PIN).
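As an added example (not Rotify’s own tooling), the following PowerShell audits a Windows laptop against the BitLocker posture described above: operating system drive fully encrypted with protection on, a TPM+PIN protector present and the TPM ready, a recovery password available for escrow, and policy keys that make TPM+PIN and Active Directory key backup mandatory rather than optional. It assumes the built-in BitLocker and TrustedPlatformModule modules and an elevated session; the registry paths are the standard BitLocker Group Policy keys under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the function and parameter names are hypothetical.

```powershell
# Added example: audit a laptop's BitLocker configuration against a
# TPM+PIN / AD-escrow policy. Not Rotify's code. Run elevated.
function Test-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [System.Collections.Generic.List[string]]::new()
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Drive must be fully encrypted and protection must actually be on
    # (a suspended volume reports FullyEncrypted but ProtectionStatus Off).
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection status is $($vol.ProtectionStatus), expected On")
    }

    # TPM-only protectors unlock the drive without user presence; the
    # policy described requires a TPM+PIN protector at start-up.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'TpmPin') {
        $findings.Add("No TPM+PIN protector (found: $($types -join ', '))")
    }
    # A recovery password is what gets escrowed to AD DS.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("No recovery password protector available for AD escrow")
    }

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM not present or not ready")
    }

    # Policy values (standard BitLocker GPO keys): UseTPMPIN=1 means
    # 'require', 2 means merely 'allow'; the AD backup pair makes escrow
    # a precondition for enabling BitLocker rather than best effort.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($pol.UseAdvancedStartup -ne 1 -or $pol.UseTPMPIN -ne 1) {
        $findings.Add("Policy does not require TPM+PIN at start-up (UseTPMPIN=$($pol.UseTPMPIN))")
    }
    if ($pol.OSActiveDirectoryBackup -ne 1 -or $pol.OSRequireActiveDirectoryBackup -ne 1) {
        $findings.Add("Policy does not require AD DS backup of OS drive recovery information")
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Remediation for a missing escrow: push every recovery password protector
# on the volume to AD DS (requires the OSActiveDirectoryBackup policy above).
function Backup-RecoveryProtectorsToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Test-BitLockerPosture | Format-List
```

The check deliberately treats a TPM-only protector and a policy value of UseTPMPIN=2 (“allow”) as findings, because both satisfy a naive “BitLocker is on” test while leaving the drive unlockable without the individual PIN the policy describes.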
Awareness & Training
A culture of security and data protection awareness ensures that employees, contractors and any third parties working for our organisation know what is expected of them and how to maintain compliance. Regular and ongoing training sessions ensure that the latest information, guidance, legislation and regulations are known and understood.
Management Information & Reporting
Regular reports and information passed to management ensure that adequate resources are made available and support accountability at all levels.
The company has documented operating procedures including change and capacity management, information backup, event logging, management of removable media and information handling procedures.
Reviews & Audits
Rotify regularly conducts internal audits and has external audits completed annually, which review our activities and systems against procedures and regulations to confirm they remain effective and fit for purpose.
All partners and third parties we work with are scrutinised and assessed to ensure they offer an adequate level of security and protection for the Personal Data they process on our behalf. By carrying out due diligence on new and existing partners and suppliers, we maintain our standards and accreditations.
Rotify has implemented appropriate disaster recovery and business continuity plans and risk assessments, and regularly tests and updates them to ensure they remain current and effective.
Information security incident management
Rotify has a process for managing Information Security incidents, covering how they are reported and identified and how mitigations are implemented to prevent recurrence; the process is regularly tested through exercises.
Customer Data Retention & Deletion
Rotify’s data retention policy adheres to regulatory requirements. For more details, please contact us at dpo@Rotify.co.uk. When data is erased, it is overwritten seven times with random characters using a multi-pass algorithm, in line with NHS InfoSec and UK HMG Infosec Standard 5 Enhanced requirements, so that it cannot be recovered; redundant disks are then physically destroyed.
Rotify currently holds Cyber Essentials certification, and we are working towards Cyber Essentials Plus and ISO 27001 certification.
As a workforce management provider to tens of thousands of staff, we take data security very seriously. Earning and keeping the trust of our customers is our focus at Rotify, and we welcome enquiries from current and future customers looking for additional information about our data protection policies or procedures. Please email enquiries@Rotify.co.uk to get in touch.