GDPR Compliance Statement

Introduction

Nuffield Technologies is committed to respecting the privacy and data protection rights of its clients and users of our services. This document, therefore, sets out Nuffield Technologies’ data protection compliance, to provide assurances to our clients and prospective clients that we take such compliance seriously and to address some of the common questions we are asked about our company and services, with regard to the protection of personal data.

Nuffield Technologies is governed by UK data protection laws, which include the General Data Protection Regulation (GDPR) and the UK’s implementation thereof (UK GDPR), the Data Protection Act 2018 and any subsequent data protection law introduced in the UK. Throughout this statement, terms like “personal data”, “processing”, “data subject”, “data controller” and “data processor” have the same meaning as defined in UK data protection legislation.

This statement applies to our SaaS (Software as a Service) products.

Our GDPR commitment to our clients

As a UK company, Nuffield Technologies is committed to ensuring our business, services and internal processes are GDPR compliant, that we continue to maintain that compliance and ensure it meets the full requirements of the law. We are also committed to safeguarding any personal data we process on behalf of our clients and apply the same compliance standards to our clients’ data as we do to our own.

Our services are compliant because:

  • We check all our systems and processes to ensure they meet the requirements of GDPR, particularly in terms of ensuring appropriate technical and organisational measures are in place to ensure the security of our clients’ data at all times.
  • We are Cyber Essentials accredited
  • We are working towards ISO27001 and SOC2 accreditation
  • Our staff are trained in GDPR compliance and understand their responsibilities for managing the systems that process our clients’ personal data
  • We have an extensive range of internal policies which set out the data protection responsibilities across the whole of our business
  • Data is stored in the UK
  • We only process data that is entered into our systems by our clients. It is our client’s responsibility to ensure it is lawful for them to process the data in the way our systems allow
  • We have implemented the appropriate contractual obligations required by Article 28 of the GDPR (in our terms of service and accompanying documentation)
  • We only use sub-processors or other third-party processors who are GDPR compliant, and always carry out GDPR due diligence checks and ensure there is a data processing contract in place which reflects the requirements of GDPR and our high data security and compliance standards
  • We ensure we maintain this compliance at all times

Our role as a Data Processor

When a client’s data is placed on our servers, the client is the Data Controller and Nuffield Technologies is the Data Processor. We only use the data our client provides to us for the purposes of delivering the services and only as agreed in any terms and data processing agreements that have been signed.

We do not use our client’s data in any way other than to provide the agreed services. We do not share any client data with third parties unless required to do so by law. Where law enforcement or other authorised parties request access to the data we store on our servers, we follow strict internal policies for dealing with such requests. Furthermore, the third parties are required to demonstrate they have a lawful reason to access the data and under what authority.

What data is processed by our services?

This will depend on the client’s requirements and how the service is used, but it typically includes login credentials (name, email address) for users and admin staff, plus any task data entered within the service.

Uploading client data to our services

Task data will be inputted into our service via the client’s devices, by their employees.

Data location

Our clients’ data is stored on Google Cloud Platform in the europe-west2-c data center, located in London, UK.

Security

Our Senior Management Staff have ultimate responsibility for ensuring appropriate information security standards are applied to the technology we use and the services we provide.

Only a limited number of our staff have access to our clients’ data and no other third party will have access. We do not share our clients’ data with any third party unless required to do so by law.

Our technology

We have the following main first line security measures in place across our infrastructure:

  • Data is encrypted at rest using AES256
  • In-transit data is protected using TLS
  • Communication between different servers in our infrastructure is encrypted and authenticated on a per-request basis
  • Data can only be accessed by authenticated and authorised users
  • We use a third party authentication provider (Firebase Authentication) to provide authentication of users
  • We use role based permissions to allow access to features and data only to the appropriate users.

Maintaining security

All our employees keep up to date with all technical aspects of security and ensure the ongoing security of our systems. This means that any security patches are applied to our systems as a matter of priority (and some automatically).

We continually monitor our servers for suspicious activity. Any issues identified are fixed accordingly with the utmost priority.

Any changes or updates to our own systems are always made, where appropriate, with data protection and privacy in mind.

Examples of the kinds of security hardening implemented:

  • Single Sign On (SSO) with major providers (Google, Microsoft, Apple) is available
  • Multi Factor Authentication (MFA) is enabled and recommended for all users
  • App Attestation makes sure data can only be accessed from our applications on devices that have not been tampered with.

Access to data by Nuffield Technologies employees

Only a limited number of developers within our organisation have direct access to the database that stores your data. There are strict security protocols in place to limit access to the database for maintenance or support purposes.

Frontend and backend data may be accessed during a support call, if required.

No other members of staff can access the database. 

Nuffield Technologies employees

All Nuffield Technologies employees are trained and made aware of their responsibilities under GDPR. This includes their responsibilities with regard to access, security and processing of personal data made available by our clients through the use of our systems.

Security and data governance are covered in our employee handbooks and policies, and actively discussed as part of quarterly meetings to ensure all staff are up to date.

Physical security

Only our employees have access to our working offices. Our clients’ data is stored on servers only accessible from our offices. Our servers are managed by Google and only their staff can access the servers physically. To find out more about Google’s data center security measures, see https://www.google.com/about/datacenters/data-security/

Third-party processors

The only third-parties we use for the provision of our services are:

  • Google Cloud Platform
  • Sendgrid

Changes to our approach

Should our approach to any aspect covered by this statement change, we will, where a client’s data is impacted, notify our clients within a reasonable timeframe.

Data breaches

In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention.

How our own compliance with GDPR helps our clients

Our approach to our own compliance also helps our clients meet their own GDPR compliance requirements. This statement should go some way to explain our approach to GDPR compliance. By using our services, clients can be assured their use is GDPR compliant.

Data protection contact

Any questions, queries or requests for further information regarding our GDPR compliance should be sent to:
Nuffield Technologies Limited, Data Protection Officer
Email address: [email protected]
Postal address: Unit 4 Acorn Business Park, Ling Road, Poole, BH12 4NZ

FAQ

What happens to client data if they cancel their contract?
We perform a secure deletion of the data from our servers.

Is data on your servers encrypted at rest?
All data is encrypted at rest using AES-256.

Do your services make use of any cookies or similar technology?
Yes, our services make use of cookies, but we only use essential cookies necessary for the functioning of the service (such as managing logins to the service, screen resolution settings and display options within the interface).

Are you ISO27001 certified?
We are working towards ISO 27001 certification.

Are you Cyber Essentials accredited?
We are currently Cyber Essentials accredited.

Have you carried out a Data Protection Impact Assessment (DPIA)?
Our development process for our systems always includes ensuring the most appropriate security, and this statement should go some way to allay any concerns of our clients. Generally speaking, though, it would be the Data Controller (i.e. our clients) who needs to carry out a DPIA for the use of the service, but we have documented our own DPIA nonetheless.