Security & Compliance

Last updated on June 12th, 2024

SECURITY AND COMPLIANCE

 As a company, we understand the importance of keeping your data secure and maintaining compliance with industry standards. We are committed to providing a safe environment for your data, and this is why we have chosen to store it on Amazon Web Services (AWS) in the EU-West region. By leveraging AWS’s industry-leading infrastructure, we ensure that your information is protected with the highest level of security.

We are proud that Allsorter has achieved the ISO27001 certification after being audited by a UKAS-accredited certification body. View our certificate here.

This internationally recognized standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within our organization. By adhering to ISO27001 guidelines, we aim to mitigate risks and ensure the confidentiality, integrity, and availability of your data. By complying with the ISO27001 standard, we are demonstrating our unwavering commitment to data security and regulatory compliance.

We have also been certified against the Cyber Essentials Plus standard, UK government-backed scheme designed to help organisations protect themselves against common online threats. It involves an independent assessment of an organisation's security controls, including vulnerability scans and a simulated attack.

In addition to our own security measures, we also rely on the robust protections and capabilities offered by the AWS platform. AWS provides a range of tools and features that enable us to protect your data from unauthorized access, disclosure, alteration, and destruction. These include encryption and access control mechanisms. By entrusting your data to Allsorter, you can have peace of mind knowing that we are continuously working to safeguard your information and maintain compliance with the latest industry standards.

At Allsorter, we are also dedicated to ensuring compliance with the General Data Protection Regulation (GDPR). This comprehensive regulation governs data protection and privacy for individuals within the European Union and the European Economic Area. To comply with GDPR, we have implemented stringent policies and procedures regarding the collection, processing, and storage of personal data. This includes obtaining explicit consent from users, ensuring the right to access, rectify, and erase personal information, as well as taking appropriate measures to protect data from unauthorized access and data breaches. By adhering to the principles of GDPR, we demonstrate our steadfast commitment to maintaining the privacy and security of our clients’ data and fostering a culture of transparency and accountability within our organization.

Technical and Organisational Security Measures

These describe the technical and organisational measures taken by Allsorter to ensure an appropriate level of security of Personal Data, taking into account its role as a Data Processor, as described in the Allsorter Data Processing Agreement.

(A) Controls to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services

Technical and organisational measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services:

The Customer retains the original copy of the CV/resume and the Service Provider accesses a copy for processing so Personal data is not altered by the Service Provider. The Customer’s Personnel can reformat the CV/resume and then download or export an edited copy. In this flow, there is no possibility of accidental, unlawful or voluntary destruction or loss of Personal Data by the Service Provider since the Customer retains the original copy of the Personal Data. 

  • Appropriate measures are taken protect Personal Data against accidental or unlawful destruction, accidental loss, unauthorised access, alteration, transfer or processing outside the scope of data processing activities described in the data processing agreement (“DPA”). The measures are described in their respective sections below.
  • These measures take into consideration the Service Provider’s role as a data processor, evaluation of potential risks and the sensitive nature of Personal Data.
  • The measures ensure an adequate level of resilience of the data processing systems and centres.
  • Allsorter employs a “data privacy and protection by design and default” approach.

(B) Control of physical access to premises and data processing centres

Technical and organisational measures to control physical access to premises and facilities, particularly to identify permitted Personnel at entry:

Allsorter staff works remotely, with the core platform architecture provided by AWS and the data stored in AWS data centres in the Republic of Ireland, so this is not applicable.

The space used for meetings is leased by Allsorter and has all the requisite physical security measures in place:

  • Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)
  • Presence of Personnel at the front desk during business hours
  • Visitor logs
  • Access control systems (e.g., access card security; etc.)
  • CCTV systems
  • Intruder alarm systems
  • Fire alarms

(C) Control to ensure anonymisation and encryption of Personal Data

Technical and organisational security measures designed to ensure anonymisation and encryption of Personal Data:

  • State-of-the art encryption applied to all personal data ‘in transit’
  • State-of-the art encryption applied to all personally identifiable information ‘at rest’
  • Secure anonymisation or deletion of Personal Data that are no longer required for lawful Processing purposes
  • Access to Personal Data is controlled as per the measures outlined in section (E) below
  • Data retention timespans are outlined in section (J) below

(D) Control of access to IT systems (data processing systems)

Technical and organisational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated:

  • IT security systems requiring individual users to log in using unique user names
  • IT security systems requiring the use of strong / complex passwords
  • IT security systems requiring the use of multi-factor authentication
  • Additional system log-in requirements for particular applications
  • Automatic locking of IT terminals and devices after periods of non-use, with passwords required to ‘wake’ the terminal or device
  • Regular audits of security procedures: we have been certified against the ISO27001 standard and are in the process of getting certified for Cyber Essentials Plus
  • Training for employees regarding access to IT systems

(E) Control of access to Personal Data

Technical and organisational security measures designed to ensure that users with access to the Relevant Personal Data are identified and authenticated:

Personal Data is not accessed by Service Provider’s Personnel unless they are expressly requested by the Customer to help them reformat or anonymise a CV/resume that they are finding difficult to handle on the platform.

  • ‘Read’ rights for systems containing Personal Data restricted to specified Personnel roles
  • ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles or profiles
  • Logging of all attempts to access systems containing Personal Data
  • System settings to ensure that only Personal Data necessary for each specific instance of processing is processed
  • State-of-the art encryption on drives and media containing Personal Data
  • Training for employees regarding data privacy
  • Segregation of environments with personal data (Allsorter system)

(F) Control of disclosure of Personal Data

Technical and organisational measures to transport, transmit and communicate or store data on data media and for subsequent checking:

  • Restrictions on transfer rights for systems containing Personal Data
  • Secure data networks (e.g., encrypted VPNs, VPCs)
  • Logging of all transfers of data across the network
  • SSL encryption for all internet access portals
  • Enforced encryption of all drives that are used to take data off the network (Policy exists for encryption, check-in and check-out of data; however, data is not transported on removable or physical media)

(G) Control of input mechanisms

Technical and organisational security measures to permit the recording and later analysis of information about when input to data systems (e.g., editing, adding, deleting, etc.) occurred and who was responsible for such input:

  • Logging who inputs and exports resumes/CVs containing Personal Data
  • ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles
  • Binding agreements in writing with all employees who Process Personal Data, imposing strict confidentiality obligations
  • Regular reviews of compliance with the relevant agreements

(H) Control of workflows between Processors and Sub-Processors

Technical and organisational measures to segregate the responsibilities between Processors and Sub-Processors Processing the Relevant Personal Data:

  • Binding agreements in writing governing the appointment and responsibilities of Sub-Processors with access to the Relevant Personal Data
  • Working only with the Sub-Processors capable of appropriately protecting the privacy, confidentiality and security of Personal Data
  • Regular reviews and assessments of compliance with the relevant agreements

(I) Control mechanisms to ensure availability and access to the Relevant Personal Data in the event of a physical or technical incident

Technical and organisational measures in place to ensure the physical and electronic availability and accessibility of the Relevant Personal Data:

  • Documented incident response procedures that are periodically reviewed
  • Documented business continuity plans and disaster recovery procedures
  • Secure backup procedures in place, with full backups run regularly
  • Disaster Recovery/Business Continuity Plan tests run periodically
  • All physical, power and security requirements to store Personal Data are managed by AWS
  • Uninterruptible power supplies at backup facilities
  • Physical security of backup facilities (e.g., secure premises; security Personnel; etc.).
  • Security alarm systems at backup facilities
  • Electronic security of backup facilities (e.g., firewalls; antivirus software; etc.)
  • Environmental controls at backup facilities (e.g., cooling; humidity controls; etc.)
  • Fire protection at backup facilities (e.g., sprinkler systems; fireproof doors; etc.)
  • Training for employees regarding backups and disaster recovery

(J) Control mechanisms for Personal Data retention

Data retention is enabled only for seven (7) days from the date the Personal Data is input to the system, with the flexibility to enable shorter data retention spans based on Allsorter’s agreement with the client. Once the data retention time elapses, it will be marked for deletion in the next automated deletion job.

(K) Control mechanisms to ensure separation of the Relevant Personal Data from other data

Technical and organisational measures to ensure that the Relevant Personal Data are stored and processed separately from other data:

  • Logical separation of live or production data from backup data and development or test data
  • Logical separation of storage containing Relevant Personal Data from systems containing other data
  • Separation of Personnel with access to Production Personal Data from other Personnel
  • Training for employees regarding data separation

(L) Control mechanisms to test, assess and evaluate technical measures for IT Security

Technical and organisational measures to ensure that the IT environments are secure:

  • Use of firewalls/ACLs to control traffic
  • End-point security (antivirus, firewalls, encryption, secure device policies, automatic security updates)
  • Least privilege access model applied, with user access given on a need-to-know basis and based on business needs
  • Periodic access review meetings
  • Periodic IT security meetings
  • Periodic penetration tests, both internal and external, with risks mitigated
  • Periodic vulnerability scans, both internal and external, with vulnerabilities mitigated
  • Security and governance program with policies communicated to staff on onboarding and each time they are reviewed, assessed and evaluated
  • Periodic reviews of the effectiveness of the security and governance program and adjustments as needed

(M) Certification

Allsorter has been certified against the ISO27001 standard by a UKAS-accredited certification body. We have also been certified against the Cyber Essentials Plus standard.

Contact point for data protection inquiries:

Current DPO: Mr. J Brady

dataprotection@allsorter.com

Datalive Ltd.

NovaUCD 

Belfield Innovation Park 

Dublin 4, Dublin, Ireland