Security & Compliance

Welcome to Allsorter’s Security and Compliance webpage.

As a company, we understand the importance of keeping your data secure and maintaining compliance with industry standards. We are committed to providing a safe environment for your data, and this is why we have chosen to store it on Amazon Web Services (AWS) in the EU-West region. By leveraging AWS’s industry-leading infrastructure, we ensure that your information is protected with the highest level of security.

At Allsorter, we are currently in the process of obtaining ISO27001 certification. This internationally recognized standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within our organization. By adhering to ISO27001 guidelines, we aim to mitigate risks and ensure the confidentiality, integrity, and availability of your data. In our pursuit of this certification, we are demonstrating our unwavering commitment to data security and regulatory compliance.

In addition to our own security measures, we also rely on the robust protections and capabilities offered by the AWS platform. AWS provides a range of tools and features that enable us to protect your data from unauthorized access, disclosure, alteration, and destruction. These include encryption and access control mechanisms. By entrusting your data to Allsorter, you can have peace of mind knowing that we are continuously working to safeguard your information and maintain compliance with the latest industry standards.

At Allsorter, we are also dedicated to ensuring compliance with the General Data Protection Regulation (GDPR). This comprehensive regulation governs data protection and privacy for individuals within the European Union and the European Economic Area. To comply with GDPR, we have implemented stringent policies and procedures regarding the collection, processing, and storage of personal data. This includes obtaining explicit consent from users, ensuring the right to access, rectify, and erase personal information, as well as taking appropriate measures to protect data from unauthorized access and data breaches. By adhering to the principles of GDPR, we demonstrate our steadfast commitment to maintaining the privacy and security of our clients’ data and fostering a culture of transparency and accountability within our organization.

Technical and Organisational Security Measures

These describe the technical and organisational measures taken by Allsorter to ensure an appropriate level of security of Personal Data, taking into account its role as a Data Processor, as described in the Allsorter Data Protection Agreement. 

(A) Control of physical access to premises 

Technical and organizational measures to control physical access to premises and facilities, particularly to identify permitted Personnel at entry:

Allsorter staff work remotely, with the core platform architecture provided by AWS and the data stored in AWS data centres in Ireland, so this control is not applicable.

The space used for meetings is leased by Allsorter and has all the requisite physical security measures in place:

  • Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)
  • Presence of Personnel at the front desk during business hours
  • Visitor logs
  • Access control systems (e.g., access card security; etc.)
  • CCTV systems
  • Intruder alarm systems
  • Fire alarms 

(B) Control of access to IT systems 

Technical and organisational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated: 

  • IT security systems requiring individual users to log in using unique user names
  • IT security systems requiring the use of strong / complex passwords
  • IT security systems requiring the use of multi-factor authentication
  • Additional system log-in requirements for particular applications
  • State-of-the-art encryption applied to all data ‘in transit’
  • State-of-the-art encryption applied to all personally identifiable information ‘at rest’
  • Automatic locking of IT terminals and devices after periods of non-use, with passwords required to ‘wake’ the terminal or device
  • Regular audits of security procedures: we are in the process of obtaining our ISO27001 certification as well as Cyber Essentials Plus
  • Training for employees regarding access to IT systems

(C) Control of access to Personal Data 

Technical and organizational security measures designed to ensure that users with access to the Relevant Personal Data are identified and authenticated: 

  • ‘Read’ rights for systems containing Personal Data restricted to specified Personnel roles
  • ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles or profiles
  • Logging of all attempts to access systems containing Personal Data
  • State-of-the-art encryption on drives and media containing Personal Data
  • Training for employees regarding data privacy
  • Segregation of environments with personal data (Allsorter system) 

(D) Control of disclosure of Personal Data 

Technical and organizational measures to transport, transmit and communicate or store data on data media and for subsequent checking: 

  • Restrictions on transfer rights for systems containing Personal Data
  • Secure data networks (e.g., encrypted VPNs, VPCs)
  • Logging of all transfers of data across the network
  • SSL encryption for all internet access portals
  • Enforced encryption of all drives that are used to take data off the network (Policy exists for encryption, check-in and check-out of data; however, data is not transported on removable or physical media)

(E) Control of input mechanisms 

Technical and organizational security measures to permit the recording and later analysis of information about when input to data systems (e.g., editing, adding, deleting, etc.) occurred and who was responsible for such input:  

  • Logging who inputs and exports resumes/CVs containing Personal Data
  • ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles
  • Binding agreements in writing with all employees who Process Personal Data, imposing strict confidentiality obligations
  • Regular reviews of compliance with the relevant agreements 

(F) Control of workflows between Processors and Sub-Processors

Technical and organizational measures to segregate the responsibilities between Processors and Sub-Processors Processing the Relevant Personal Data: 

  • Binding agreements in writing governing the appointment and responsibilities of Sub-Processors with access to the Relevant Personal Data
  • Regular reviews and assessments of compliance with the relevant agreements

(G) Control mechanisms to ensure availability of the Relevant Personal Data 

Technical and organizational measures to ensure the physical and electronic availability and accessibility of the Relevant Personal Data: 

  • Documented business continuity and disaster recovery procedures
  • Secure backup procedures in place, with full backups run regularly
  • DR/BCP tests run periodically
  • All physical, power and security requirements to store Personal Data are managed by AWS
    • Uninterruptible power supplies at backup facilities
    • Physical security of backup facilities (e.g., secure premises; security Personnel; etc.).
    • Security alarm systems at backup facilities
    • Electronic security of backup facilities (e.g., firewalls; antivirus software; etc.)
    • Environmental controls at backup facilities (e.g., cooling; humidity controls; etc.)
    • Fire protection at backup facilities (e.g., sprinkler systems; fireproof doors; etc.)
  • Secure anonymisation or deletion of Personal Data that are no longer required for lawful Processing purposes
  • Training for employees regarding backups and disaster recovery
  • Personal Data is retained for only 30 days from the date it is input to the system; shorter retention periods can be enabled under Allsorter’s agreement with the client, down to as little as one day.

(H) Control mechanisms to ensure separation of the Relevant Personal Data from other data 

Technical and organizational measures to ensure that the Relevant Personal Data are stored and Processed separately from other data: 

  • Logical separation of live or production data from backup data and development or test data
  • Logical separation of storage containing Relevant Personal Data from systems containing other data
  • Separation of Personnel with access to Production Personal Data from other Personnel
  • Training for employees regarding data separation

(I) IT Security

Technical and organizational measures to ensure that the IT environments are secure:

  • Use of firewalls/ACLs to control traffic
  • End-point security (antivirus, firewalls, encryption, secure device policies, automatic security updates)
  • Least privilege access model applied
  • Periodic access review meetings
  • Periodic IT security meetings
  • Periodic penetration tests, both internal and external
  • Periodic vulnerability scans, both internal and external
  • Security and governance programme with policies communicated to staff on onboarding and each time they are reviewed

(J) Certification

Allsorter is currently pursuing ISO27001 and Cyber Essentials Plus certifications. 

Contact for data protection enquiries:

dataprotection@allsorter.com

Datalive Ltd. 

NovaUCD 

Belfield Innovation Park

Dublin 4, Dublin, Ireland