InforUMobile Technical and Organisational Security Measures (“Security Measures”)
Ref. clauses 4.2.3 and 7.3 of the Data Protection Addendum: https://inforumobile.co.uk/ufaqs/schedule-1-inforumobile-data-processing-addendum/
Effective as of 20-02-2019
| # | Type of measure | Description |
| --- | --- | --- |
| 1 | Information security management certifications/accreditations, other certifications, codes of conduct, trust marks or seals | We adhere to the principles of ISO 27001 and plan to gain ISO 27001 accreditation in 2019. We provide our Services to prominent, security-sensitive organisations who impose (and verify that we follow) strict information security guidelines. |
| 2 | Physical security controls to prevent unauthorised access, theft or damage to physical equipment | Our system is hosted in an international server farm that is under 24/7 CCTV monitoring and is human-guarded. Our server cabinet is locked and only specific, authorised people may gain access to it. We securely dispose of computer equipment and paper records. |
| 3 | Governance | We have clearly defined roles and responsibilities for information security and data protection. We have implemented appropriate information security policies and procedures in line with ISO 27000. We have procedures/policies to regularly review data access rights (joiners, movers, leavers). Procedures/policies are in place for the secure disposal of data, media and equipment. |
| 4 | Staff reliability checks are carried out when recruiting | Employer reference checks on all staff. Enhanced security checks conducted by third parties. |
| 5 | Staff are trained on information security, confidentiality and data protection | All staff undergo data protection and IT security training. New employees undergo comprehensive induction programmes that include the above subject matter. Staff sign legally binding confidentiality agreements and are made aware that any re-purposing or use of Protected Data, and of any Personal Data we process, for our own purposes as a Controller is strictly prohibited. |
| 6 | Access controls | Controls on access to Protected Data are in place and access is limited to staff who need it to carry out legitimate tasks, notably: Customer accounts are protected by an encrypted password (see below). Only Support Staff and a limited number of Super-Users have access to Customer accounts and Protected Data, with the exception of phone numbers in SMS logs, which are retained for billing purposes. A limited number of Super-Users are permitted to access Customer Accounts to resolve an alert, e.g. a problem with the queue, that may affect Service / platform performance and impact various Customers. We use in-house developers. Other staff do not have access to Protected Data. Our production system is segregated from our staging system. Developers only use test / dummy data; they are prohibited from using real data. Only support staff have access to certain Protected Data and, in such cases, only incidentally in the course of providing technical support. We keep and review audit logs for anomalies. |
| 7 | Robust password policy | The system will not accept passwords unless they meet minimum security conditions regarding length, characters, etc. It is configured to automatically reject passwords that do not meet these conditions. Multiple failed password attempts trigger a block on the account. |
| 8 | Personal data is securely encrypted when stored and when transferred | Data is encrypted in transit. Customer accounts are protected by an encrypted password. |
| 9 | Data minimisation | We validate email addresses and phone numbers based on format only, not against actual Contact Data. It is the Customer's responsibility to ensure the accuracy of the Contact Data. Customer may embed code or parameters to track the source of inbound traffic, or place cookies for analytics or other purposes on their Contacts' devices, but only Customer can see, access or use that information; InforUMobile does not use or benefit from such collection. Metrics and reports: metrics generated by InforUMobile on behalf of Customer are on an aggregate basis, e.g. if 100 visitors visit your landing page but only 2 submit a form, the rate would be 2%. Traffic report functionality is automatically included in the Landing Page Service but does not capture identifiable elements and so does not involve Personal Data. We do not track individual Contact behaviour, though you will have access to more granular detail using optional features such as the Reporting function and campaign-tagging. This remains within your Customer Account. |
| 10 | Data subject rights and preference management | Caller ID blocking is not permitted: where DP Law requires you to include your actual phone number or a prefix to indicate a direct marketing call, we technologically require you to show your real number. SMS functionality includes an unsubscribe function that automatically populates a suppression list. When Customer or an Authorised User attempts to send a Contact Communication using Contact Data on the suppression list, that Contact is automatically removed from the transmission (i.e. the message is not sent to them, but the remainder are sent). Consent management / right to object: advanced distribution control allows Customer to segment Contacts and apply distribution rules that respect Contact preferences, e.g. frequency, type of campaign or Contact Communication. Other functionality, such as quiet hours / days, can reduce Communications fatigue. It is the Customer's responsibility to configure these settings accordingly by use of the platform functionality. DSRs: Customer can correct, delete or export in a common machine-readable format any data elements you have inputted into the forms in your account, to help fulfil erasure, rectification, portability or access requests. |
| 11 | Technical protection is in place against deliberate or malicious attacks on systems and is regularly tested | Our communication system is shielded by a firewall. We screen Contact Communications for viruses, malware, malicious attachments, known insecure links and malicious code, and reserve the right to automatically block / quarantine a message to prevent you sending one that could create security risks for your Contacts; you nonetheless bear ultimate responsibility for ensuring your Contact Communications do not contain security threats. Our platform undergoes regular penetration tests by external parties, including tests required under specific regulation such as banking regulations; these can be performed with varying frequency but generally take place once a year. Our Windows and SQL servers are frequently tested and undergo regular security updates and patches. We also run internal vulnerability assessments. We require our developers to comply with strict internal coding standards that align with best practice. |
| 12 | Business continuity measures are in place to provide protection against equipment failure or damage and are tested regularly | For example: back-up systems, mirrored systems, and the ability to restore data. |