General Data Protection Regulation
Compliant data is a critical business resource.
Responsibly collecting and using personal data collected online is not just a legal requirement for companies in the European Union. It is critical to building user relationships across online platforms. To build trust, companies need to be clear with consumers about how they use data and obtain consent in compliance with the General Data Protection Regulation (GDPR).
We continuously monitor for malicious activity, proactively identifying and mitigating security risks, while working hard to stay ahead of the latest threats.
we have an extra level of external, independent assurance that we’re doing the right things to help protect our systems and services. We also take a lot of care to ensure our employees are vetted and have a deep understanding of how to protect your data. For a deeper insight on how we keep your data safe, please read on below.
Physical Security measures
We only use software where our client's information is held securely in data centres located in the United Kingdom across multiple availability zones to guard against localised, physical failure. These data centres meet the strictest security standards, including ISO 27001, 27017 and 27018 certification, and comply with the EU General Data Protection Regulation (GDPR).
All information that passes between your software and our computer (“data in use/transit”) is securely encrypted over HTTPS using TLS v1.2, according to industry standard best practice. The strongest encryption algorithms (SHA 256) afforded by your browser are prioritised.
We encrypt all information we store on your behalf (“data at rest”). This includes data in our database and any files that you upload. We enforce 256-bit AES encryption as standard.
We utilise state-of-the-art systems to monitor, record and alert on anomalous activity within our operational environment.
Distributed Denial of Service (DDoS) mitigation is automatically applied by our hosting provider. Meanwhile, we employ in-built application rate limiting and alerting, which includes protection against brute force login enumeration.
We do not store User passwords in our database.
The cloud platforms we use perform a continuous, automated assessment of their systems to ensure that they adhere to industry-standard security best practices at all times.
All access to the software underlying systems and data is protected through unique credentials with two-factor authentication. Everything is logged and reviewed through an immutable, centralised audit trail.
We are bound by the UK’s Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) and fully respect the rights of individuals in compliance with the EU GDPR. We do not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement).
Our staff are vetted prior to employment by our internal People H.R department. Checks include proof of identity, proof of right to work, police clearences and proof of activity.
We also maintain a suite of internal information security policies, procedures and guidelines, including incident response plans, which all staff, contractors and third parties must follow. These are reviewed at least annually.
Regular audits are performed and the whole process is reviewed by management to ensure only staff with an explicit business need have access to the necessary data and systems on an ongoing basis. All employees must sign confidentiality agreements, attest to following Maple Hill Outsourcing Services policies and guidelines and follow an online annual security training and awareness programme.
We go to great lengths to make sure your business data is stored safely. These technical and organisational measures help ensure the confidentiality, integrity and availability of our systems and your data at all times.