Preparing for GDPR……
As you may be aware, the General Data Protection Regulation (GDPR) would become enforceable from May 25, 2018. CareFree Management Ltd is getting prepared to meet all the necessary requirements and is here to help you meet them too. We are putting significant efforts in making sure that our data protection practices align with industry’s best practices as well.
Through this notice, we intend to offer to you a general overview of how we anticipate to meet the regulatory requirements under the GDPR.
What Are We Doing?
Listed below are some of the more significant points to give you a clear outline about what CareFree is doing to ensure that data protection practices comply with the GDPR.
• Great measures are being taken to make sure that data protection is managed as a corporate issue
• Effective policies and procedures are being put in place to ensure that our data-processing activities are adequately documented
• All our procedures are being reviewed to ensure that all the rights of individuals are covered within the new timescales
• A comprehensive review of our information security practices is being carried out, and various technical, organisational, & physical measures are being adopted to ensure that personal data is adequately safeguarded
• CareFree have aligned their practises with ISO27001 and are working closely with an external organisation to attain the accreditation
• To reflect the requirements of the GDPR, we would require all our users to transition to the Updated Terms. Starting with the week of May 21, 2018, the Updated Terms will be available shortly
If you have any questions regarding GDPR, please contact a member of the team.
Data Protection & Data Security
CareFree has its organisational centre in Wakefield, West Yorkshire. Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organisation are granted access to the office only after authorisation and the sensitive areas of the office can be accessed only by authorised personnel.
The office is equipped with surveillance cameras and their footage is monitored periodically by authorised personnel. Entry logs are available for all staff entering the premises outside of working hours. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.
The CareFree hosting provision is housed in Manchester with a warm standby site located in Nottingham. Between the two sites there is a high speed line for high availability/disaster recovery. As with most hosted solutions and cloud computing our datacentre utilises virtual technology for the required servers – Web Servers, RDS Servers and SQL Servers. All hardware has failure protection – network switches, disk failure, power etc and all of this sits behind a very secure network and firewall. No data is stored outside of the UK and there are no future plans to change the current state of the data or where this is housed.
CareFree have recently implemented a new infrastructure which consist of a multi tenanted Private Cloud for CareFree customers only. A significant investment has been made to ensure all security areas have been covered and documented.
Other than authorised personnel, employees of CareFree do not have access to production servers but have specific operational areas for Support, Development, Test and Demo. RDS servers are clustered for load balancing along with SQL server clusters to ensure business continuity and database integrity.
The infrastructure consists of:
Windows Server 2012 R2 Data Centre
Multiple SQL Production Servers – one instance per server
Separate Non-Production SQL Servers – Sandbox, Development, User Acceptance Testing and Demonstration
All servers clustered
SQL Server 2016
Intel Xeon CPU E5 – 2630 v3 processors – 6 Cores per server
Enterprise Level Solid State Disks
RDS Load Balanced Farms – 5 RDS servers in each farm
Disaster Recovery site in Nottingham – completely separate from main data centre – completely separate national network ring.
All the apps at CareFree are created and hosted on a multi tenanted Private Cloud, the infrastructure for databases and application servers is managed and maintained by ourselves and the host provider, IGC.
The first layer of protection for the application is provided by IGC’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.
CareFree uses a multi-tenant data model to host all its applications. It is through an individual virtual private cloud that CareFree services each application wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged-in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created which is then subsequently audited.
The protection and security of the customers’ data is a serious matter for CareFree, hence, we manage the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.
The Development team at CareFree does not have access to data on production servers, however any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process and carried out on dedicated development servers.
CareFree takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in CareFree’s cloud computing platform, backups are taken nightly, with additional options for 15 minute transaction log back ups which are all stored off-site.
Diverse environments are used for the purpose of development and testing, a strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties are built-in & reviewed on a quarterly basis.
Upon receiving a notice of cancellation of service, all data associated with the account will be removed and deleted from our hosting platform after 28 days of the cancellation end date. If, however, an account holder wants the backup of their data, CareFree offer data export options or should continued access be required, then alternative arrangements can be made.
Reporting issues and threats
In the event, that you encounter any issues, security incidents (e.g. breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of CareFree users, please do contact us and write to email@example.com citing your concerns & details, so that we can investigate at the earliest opportunity.
Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.
All of CareFree’s formal processes and security standards are formulated to meet regulations at various levels including the industry and UK levels.
Customers using our services, would be processing personal data/information of their customers/employees. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers. The information is only accessed when it is reasonably necessary to be able to provide the service (including responding to support requests), when authorised by our customers or required by law. We act as data processors for our end customers, but as data controllers for those customers from whom use via our platform for business purposes. To put it simply, it is our customers who are responsible for complying with the Directive and relevant data protection legislation in their respective right for processing.
In our role as processors of personal information on our customers’ behalf, we follow their instructions for the information they control, as long as it complies with our services & functionality. In doing so, we employ industry-standard security taking technical, physical, and administrative measures against unauthorised processing of such information and against loss, destruction of, or damage to personal information.
CareFree will be sending some “GDPR Specific” literature for the attention of all customers. This will highlight best practise for looking at your own internal processes and some “must do’s” to ensure you are compliant come 25th May.
CareFree Management Ltd
Unit 3 Mariner Court