
GDPR compliance statement

Description of the technical and organisational security measures implemented by the data importer:

PHYSICAL SECURITY

The Ashgoal team are all UK based.

The Ashgoal office is equipped with surveillance cameras and footage is monitored periodically by authorised individuals. Fire alarms are in place to detect and mitigate damage in the unlikely event of a fire. Regular fire drills are also conducted by the premises management team to educate employees about emergency evacuation procedures. A policy has been implemented to approve and regulate visitor access to the building.

All Ashgoal cloud products, services and data are hosted within Tier 3 or Tier 4 data centre facilities.

DATA SECURITY

Ashgoal provides a location to store data and, if contracted to do so, can manage the security settings on our customers' behalf, but only on the authorised direction of our customers and only from an approved point of contact. The security settings implemented are applied on the authority of our customers, and our customers therefore retain responsibility for the security settings that have been implemented.

The Ashgoal team can have access to data on production servers if contracted to do so by the customer. Changes to any application, infrastructure or deployment process are documented extensively as part of an internal change control process, which ensures compliance with the company's internal ISMS policies.

If you have a cloud solution, backups are taken every sixty minutes and stored at a third, Tier 3 facility, or in line with your service agreement. Should a catastrophe occur in one of the data centres, the most recent backup is at most 60 minutes old, so a business would lose no more than 60 minutes of data. Backups are retained for 90 days, stored within the UK and encrypted using AES-256 (the quoted "key strength 1024" does not describe an AES key length, which is 256 bits; it is assumed here to refer to a separate key-wrapping or key-exchange key). Encryption keys are managed and stored in a dedicated client safe, or directly by the client. All data in transit is encrypted over a TLS (SSL) connection.

DATA DELETION

When a customer account is deleted on our cloud, all associated data is destroyed within 14 business days. Ashgoal customers have the ability to export their data before deletion.

OPERATIONAL SECURITY

Ashgoal has clear change management processes, logging and monitoring procedures, and fall back mechanisms as part of its operational security directives. An information security committee is present to oversee and approve all organisation-wide security policies.

Operational security starts right from recruiting an engineer to training and auditing their work products. The recruitment process includes standard background verification checks (including verification of academic records) on all new recruits. All employees are provided with adequate training about the information security policies of the company and are required to sign that they have read and understood the company’s security related policies. Confidential company information is available for access only to select authorised Ashgoal employees.

Employees are required to report any observed suspicious activities or threats. Our external Human Resources team takes appropriate disciplinary action against employees who violate organisational security policies. Security incidents (breaches and potential vulnerabilities) can be reported by customers via email: compliance@ashgoal.com

Ashgoal maintains an inventory of all information systems used by employees for development purposes in an internal service desk, aided by automated probing software that assists in tracking changes to these systems and their configurations. Only authorised and licensed software products are installed by employees. No third parties or contractors manage software or information facilities. All employee information systems are authorised by the management before they are installed or put to use.

NETWORK SECURITY

The Ashgoal office network, where updates are developed, deployed, monitored and managed, is secured by industry-grade firewalls and antivirus software to protect internal information systems from intrusion and to provide active alerts in the event of a threat or an incident. Firewall logs are stored and reviewed periodically. Access to the production environment is via an IPsec VPN, and remote access is possible only from the office network. Audit logs are generated for each remote user session and reviewed, and access to the production systems requires multi-factor authentication.

All Ashgoal products are hosted in Tier 4 facilities, with security managed 24/7. The NOC teams monitor the infrastructure 24x7 for stability, using a dedicated alert monitoring system. End-to-end vulnerability assessments and penetration tests are performed every three months.

REGULATORY COMPLIANCE

All formal processes and security standards at Ashgoal are designed to meet applicable regulations. Use of our service by customers in the European Economic Area ("EEA") will include the processing of information relating to their customers. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers; we are largely unaware of what information is being stored on our platform and only access such information as reasonably necessary to provide the service (including to respond to support requests), as otherwise authorised by our customers, or as required by law. We are the data processors, and not the data controllers, of the information on our platform for the purposes of the European Union ("EU") Directive 95/46/EC on Data Protection ("EU Directive"; since replaced by the General Data Protection Regulation, Regulation (EU) 2016/679) and the Swiss Federal Act on Data Protection. Our EEA or Switzerland based customers, who control their customer data and send it to Ashgoal for processing, are the "controllers" of that data and are responsible for compliance with the Directive. In particular, Ashgoal's customers are responsible for complying with the Directive and the relevant data protection legislation in the relevant EEA member state before sending personal information to Ashgoal for processing.

As the processors of personal information on behalf of our customers, we follow their instructions with respect to the information they control to the extent consistent with the functionality of our service. In doing so, we implement industry standard security, technical, physical and administrative measures against unauthorized processing of such information and against loss, destruction of, or damage to, personal information as more fully described in the Ashgoal privacy policy.

Ashgoal stores data in its UK data centres only.

We work with our customers to help them provide notice to their customers concerning the purpose for which personal information is collected and sign Model Contract Clauses (for data processors) with them to legitimise transfers of personal data from EU to processors established in third countries as may be required under the EU Directive.

Ashgoal only uses UK based Tier 4 facilities that hold recognised industry certifications and attestations: ISO 27001 certification and SOC 1, SOC 2 and SOC 3 reports. Ashgoal is currently aligning its ISO 27001:2013 ISMS with its GDPR policies.