Red Flag Alert Technology Group Data Security Notice
This Security Notice is incorporated into and made a part of any Red Flag Alert’s Information Security Management System and as such an Agreements that RFA may have with its Vendors and Clients RFA. RFA maintains a comprehensive documented security program that is based on industry standard security frameworks including ISO 27001 and ISO 27018 (the “ISMS”). Pursuant to the Security Program, RFA implements and maintains administrative, physical, and technical security measures to protect its Data and internal systems and processes and Support Services and the security and confidentiality of Customer Content (including any Customer Personal Data that may be contained therein) (each as defined in the Agreement) under RFA’ control that is processed by RFA in its provisioning of its Services (the “ISMS”). RFA’ compliance with this Notice shall be deemed to satisfy any more general measures included within any Agreement, including the Specific Terms. In accordance with its Security Program, RFA will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures. RFA regularly tests and evaluates its Security Program and may review and update this Security Notice at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.
Shared Responsibility. RFA operates in a shared responsibility model, where both RFA and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.
Architecture. RFA is a hybrid platform-as-a-service offering. The components responsible for managing and controlling the Platform Services are referred to as the ‘RFA Control Plane’ and are hosted within a RFA Cloud Service Provider account. The compute resources that perform data processing operations are referred to as the “Data Plane”. For certain Cloud Service Providers, the Data Plane may either be deployed in the Customer’s Cloud Service Provider account (known as the ‘Customer Data Plane’) or, for RFA Serverless Compute, in a RFA-controlled Cloud Service Provider account (known as the ‘RFA Data Plane’). Data Plane shall refer to both Customer Data Plane and RFA Data Plane unless otherwise specified.
Compute Resources. Compute resources are created and coordinated by the RFA Control Plane and deployed into the Data Plane. Compute resources are launched as new virtual machines that leverage the latest base image and RFA source code and do not have data from previous machines. When compute resources terminate, the data on their local hard drives is overwritten by RFA or by the Cloud Service Provider.
4. Data Storage of Customer Content.
Systems & Network Security
5.1 Platform Controls.
5.1.1 Isolation. RFA leverages multiple layers of network security controls, including network-level isolation, for separation between the RFA Control Plane and Customer Data Plane, and between Workspaces within the RFA Data Plane.
5.1.2 Firewalls & Security Groups. Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider's account. RFA also configures local firewalls or security groups within the Customer Data Plane.
5.2.1 RFA employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login, isolation of user code, and images are regularly updated and refreshed.
5.2.2 For Systems under RFA control supporting the production data processing environment, RFA tracks security configurations against industry standard baselines such as CIS and STIG.
5.3 .1 Encryption of data-in-transit. Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the RFA Control Plane and (2) the RFA Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt communications between clusters within the Data Plane5.3.1 Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.
5.3.2 Customer Options; Responsibilities. Customers may choose to leverage additional encryption options for data in transit within the Customer Data Plane or RFA Data Plane as described in the Documentation. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate.
5.4 Monitoring & Logging
5.5 Penetration Testing. RFA conducts third-party penetration tests at least annually, employs in-house offensive security Employees, and also maintains a public bug bounty program.
5.6 Vulnerability Management & Remediation. RFA regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Data Plane and RFA Control Plane. RFA will use commercially reasonable efforts to address critical vulnerabilities within 14 days, high severity within 30 days, and medium severity within 60 days measured from, with respect to publicly declared third party vulnerabilities, the date of availability of a compatible, vendor-supplied patch, or for internal vulnerabilities, from the date such vulnerability is confirmed.
5.7.1 Control Plane. RFA deploys new code to the RFA Control on an ongoing basis.5.8 Corporate Controls.
5.9 Pseudonymization. Information stored in activity logs and databases are protected where appropriate using a unique randomized user identifier to mitigate risk of re-identification of data subjects.
5.10 Workstation Controls: RFA enforces certain security controls on its workstations used by Employees, including:
Incident Detection & Response
6.1 Detection & Investigation. RFA’ dedicated Detection engineering team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimise the effects of unplanned security events.
6.2 Security Incidents; Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data under RFA control. A “Security Incident” is any actual or attempted breach of security that does not rise to the level of a Security Breach. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. RFA maintains a record of known Security Incidents and Security Breaches that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed Security Incidents are investigated by security, operations, or support Employees; and appropriate resolution steps are identified and documented. For any confirmed Security Incidents, RFA will take appropriate, reasonable steps to minimise product and Customer damage or unauthorised disclosure. All incidents are logged in an incident tracking system that is subject to auditing on an annual basis.
6.3 Communications & Cooperation. In accordance with applicable data protection laws, RFA will notify Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.
7 Backups, Business Continuity, and Disaster Recovery
7.1 Business Continuity and Disaster Recovery. RFA Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed, and drills are conducted annually.
7.2 Data Resiliency. RFA performs backups for the RFA Control Plane (including any Customer Instructional Input stored therein), generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure.
7.3 No Data Restoration. Due to the hybrid nature of the RFA Platform, RFA does not provide backup for Customer Content, and RFA is unable to restore an individual Customer’s Instructional Input upon request. To assist Customers in backing up Customer Instructional Input, RFA provides certain features within the Platform Services.
7.4 Customer Managed Backups. Customers retain ownership of their Customer Content and must manage their own backups, including to the extent applicable, enabling backup within the Systems in which the Customer Data is stored
8 Data Deletion.
9 Secure Software Development Lifecycle (“SDLC”)
9.1 Security Design Review. Feature designs are assessed by security Employees for their security impact to the RFA Platform, for example, additions or modifications to access controls, data flows, and logging.
9.2 Security Training. Architects are required to take Secure SDLC training.
9.3 Change Control. RFA’ controls are designed to securely manage assets, configurations, and changes throughout the SDLC.
9.4 Code Scanning. Static and dynamic code scans are regularly run and reviewed.
9.5 Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.
9.6 Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.
9.7 Multi-Factor Authentication. Accessing the RFA code repository requires Multi-Factor Authentication.
9.8 Code Deployment. Production code is deployed via automated continuous integration / continuous deployment pipeline processes. The release management teams are separated from the engineering teams that build the product.
9.9 Production Separation. RFA separates production Platform Services Systems from testing and development Platform Services Systems.
ISO and all other certificates are provided upon request and as part of any auditing process.
Last Modified August 2022
a) Data must be processed lawfully, fairly and in a transparent manner in relation to individuals. Red Flag Alert Technology Group has a legitimate interest in processing personal data on decision-makers and budget holders in medium-to-large businesses in the United Kingdom. The information is acquired from publicly available sources as well as direct contact with the companies in question. As a result, where personal data is processed in situations where data subjects should reasonably expect future processing, the data subject's interests and fundamental rights do not trump the data controller's interest.
b) Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data is collected solely for the purpose of compiling a database of business contacts to be used by Red Flag Alert Technology Group and its Client’s and Approved Third Parties for business-to-business marketing.
(c ) Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data collected is limited to names of senior managers and directors, their job titles, company addresses, company landline telephone numbers and corporate email addresses.
(d) Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Red Flag Alert checks all information to ensure that it is kept accurate and up-to-date.
(e) Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
When someone leaves a position, their name and contact information are removed from the database. The data may, however, be utilised for suppression reasons, i.e. to prevent it from being added to the database again.
(f) Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data is only used by Red Flag Alert to offer legitimate business services that are relevant to the professional role of the data subject. Red Flag Alert operates a rigorous data security environment as part of its Data Governance Framework.
(g) Individuals have the right to see, correct, restrict access to or remove their personal information.
For subject access requests, use the contact details shown above. All requests for data to be removed or amended will be dealt with promptly.
(h) Complaints. Individuals have a right to complain to the Information Commissioner if they believe that there is a problem with the way their data is being used.
HOW WE USE YOUR PERSONAL DATA
1. Privacy Protection
We understand the importance of safeguarding personal information collected from our customers, future customers, and website users. In compliance with GDPR, we will only use the information we acquire about you lawfully. This website can be accessed and browsed without revealing any personal information.
2. Data Collection
We collect information about you so that we can send you information about our products and services. All information is collected and used purely for the purpose of providing you with a service, and it is handled and stored in line with GDPR rules.
If you register on our site, if you contact us with comments or particular requests, or if you send a business card or other data to any of our staff, we collect personally identifiable information about you. The elements of your data that we collect may include:
We also collect anonymous information which is not unique to you such as:
3. User Access and Control of Your data
Using the contact information provided above, you may request a copy of the personal information we have about you, as well as the ability to correct it if necessary. If you wish to withdraw your consent to our use of your data at any time, please contact The Data Protection Officer at the address listed above.
4. Data Use
We use your data to provide you with information about our products and services that we believe may be of interest to you.
Cookies are used to make it easier for you to navigate our website. Cookies are small pieces of data that a website saves on your computer's hard drive, in order for it to know who you are. Cookies are used by the majority of websites. Cookies cannot be used to identify you on their own. Cookies are also used to track how visitors interact with our website. The data is used to create reports and to help us improve the site. The cookies collect anonymous information about site visitors, such as the number of visitors, where they came from, and which pages they visited. By continuing to use our website, you consent to our placing these sorts of cookies on your computer. You may prevent us from storing a cookie on your computer by setting your browser so that it will not accept cookies.
6. Data Disclosure
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
7. Third-Party Links
Links to third-party websites, plug-ins, and programmes may be found on this website. Third parties may collect or share data about you if you click on those links or enable those connections. These third-party websites are not under our control, and their privacy policies are not our responsibility. We advise you to read the privacy policies of every website you visit after leaving ours.
8. The Data We Collect About You
Personal data, often known as personal information, refers to any information about a person that can be used to identify that person. It excludes data from which the identity has been deleted (anonymous data). Different types of personal data about you may be collected, used, stored, and transferred by us, which we have categorised together as follows:
9. Data from a Third Party.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
We continue to place a high priority on the security of your data. We've put in place technological and security policies, guidelines, and methods to secure the personal data under our control, whether online and offline, against unauthorised access, improper use, alteration, unlawful or unintentional deletion, and loss. All our "personal user data" is restricted in our offices when we're not online. Only Red Flag Alert workers have access to this information. However, keep in mind that no data transmission via the internet can be guaranteed to be completely safe. While we make every effort to protect your data, we cannot guarantee or promise the security of any information you submit us or that we store.
11. Data Retention
How long will you use my personal data for?
We will only keep your personal data for as long as it is necessary to fulfil the reasons for which it was acquired, including to comply with any legal, accounting, or reporting obligations. We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements when determining the appropriate retention period for personal data.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
If you fill out a form on our website requesting information or provide details of your business email address, we will typically preserve your Identity, Contact, Marketing, and Communications Data for twelve months after your request, unless you express a desire to hear from us after that time-period has expired or where you have engaged RFA in providing a service to you as a client.
Unless you opt-out of receiving marketing from us, we will generally keep your Marketing and Communications Data for up to twelve months after your service contract finishes or expires (in which case we will keep a record of your opt-out request on our suppression list).
12. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:
Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
12.1 You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
You will not be charged a price to view your personal information (or to exercise any of the other rights).
If your request is manifestly baseless, recurrent, or exorbitant, we may charge a fair fee. In certain cases, we may also refuse to comply with your request.
12.2 What we may need from you
We may need to ask you for further information to verify your identity and validate your right to access your personal data (or to exercise any of your other rights). This is a security step to ensure that personal information is not shared with anybody who does not have permission to receive it. We may also call you to obtain further information about your request in order to expedite our answer.
12.3 Time limit to respond
Within one month, we aim to respond to all legitimate requests. If your request is extremely difficult or you have made a number of requests, it may take us longer than a month to respond. We will alert you and keep you updated in this case.
12.4 Request that we correct the personal information we have on you. This allows you to change any missing or erroneous information we have about you, albeit we may need to verify the veracity of the new information you submit.
12.5 Request that your personal data be erased. This allows you to request that we erase or remove your personal data if there is no compelling reason for us to keep it. You also have the right to request that we delete or remove your personal data if you have successfully exercised your right to object to processing (see below), if we have unlawfully processed your data, or if we are forced to erase your personal data by local legislation. Please keep in mind that we may not always be able to comply with your request for erasure due to specific legal reasons that will be communicated to you at the time of your request, if relevant.
12.6 Object to the processing of your personal data if we are relying on a legitimate interest (or those of a third party) and there is something about your circumstances that makes you want to object to processing on this ground because you believe it violates your basic rights and freedoms. You also have the right to object if your personal data is being processed for direct marketing purposes. We may be able to show that we have compelling legal grounds to handle your information that outweigh your rights and freedoms in some situations.
12.7 Request that your personal data be restricted from being processed. This allows you to request that we halt the processing of your personal data in the following circumstances: (a) if you want us to verify the data's accuracy; (b) if our use of the data is unlawful but you do not want us to erase it; (c) if you need us to keep the data even if we no longer require it because you need it to establish, exercise, or defend legal claims; or (d) if you have objected to our use of your data but we need to.
12.8 Request that your personal data be transferred to you or a third party. We shall give your personal data in a structured, frequently used, machine-readable manner to you or a third party you specify. This privilege only applies to automated information that you gave us permission to use or if we utilised the information to fulfil a contract with you.
Where we rely on consent to process your personal data, you can withdraw your consent at any time. However, the lawfulness of any processing carried out before you withdraw your consent will not be affected. We may not be able to offer you with some products or services if you withdraw your consent. If this is the case, we will notify you when you withdraw your consent.
13. International Transfers
Except as stated in this policy, we do not transfer your personal data outside the European Economic Area (EEA). Where we transfer personal data outside the EEA we will ensure appropriate safeguards are in place to protect that data. Please ask if you require details of specific safeguards.
14. Third Parties With Whom We May Share Your Data:
We may share your data with third parties who provide services on our behalf.
All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others.
Where your data is shared with third parties, we will seek to share the minimum amount necessary.
AIB GB MERCHANT SERVICES
Authenteq Tarbena GmbH
AWS (Amazon Web Services)
Blue Tahiti Software Ltd
Connell Data Ltd
Dun & Bradstreet Ltd
GB Group Ltd (GBG)
Google Ireland Ltd
Information Network Services Ltd
Microsoft Ireland Operations Ltd
Microsoft Azure Microsoft Ireland Operations Ltd
The Compliance Engineers
Tech City Labs Ltd
Trust Payments Ltd
Xero (UK) Ltd
Zen Internet Ltd
15. Privacy Support
If you have any questions or comments about privacy, please contact us at the above address
Last Modified August 2022