1. Purpose and scope
ABCIS maintains a strict policy regarding the security of data and information collected during the course of business.
a) This Data Protection Policy outlines ABCIS’s expectation of its employees and contractors when dealing (collecting, handling and storage) with data in the usual course of business of ABCIS and is to be adhered to by all employees, contractors and individuals with access to ABCIS’s systems or networks and where ABCIS accesses a customer’s systems and/or their networks.
(b) The information and data the subject of the Data Security Policy includes all restricted, confidential information or sensitive data of ABCIS and its customers/clients, employee record data, all personnel data, all financial data (of ABCIS or clients/customers of ABCIS), all administrative data, all data provided by customers or their advisors in the course of engaging with ABCIS (data).
(c) This Data Protection Policy safeguards information in physical and electronic form.
(a) ABCIS’s nominated data security officer is responsible for:
(i) keeping ABCIS updated about data protection responsibilities, risks and issues;
(ii) reviewing all data protection procedures and related policies, in line with an agreed schedule;
(iii) arranging data protection training and advice for the people covered by this policy;
(iv) handling data protection questions from customer, employees and anyone else covered by this policy;
(v) dealing with requests from companies and individuals to see the data ABCIS holds about them;
(vi) checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
(b) ABCIS also takes steps to:
(i) ensure all systems, services and equipment used for storing data meet acceptable security standards;
(ii) perform regular checks and scans to ensure security hardware and software is functioning properly;
(iii) evaluate any third-party services the company is considering using to store or process data. For instance, cloud computing services.
3. Employee requirements
Employees must abide the following requirements:
(a) where requested by ABCIS, employees and contractors are required to complete ABCIS’s security awareness training and agree to uphold any acceptable use policy of ABCIS;
(b) if an employee or contractor identifies an unknown, unescorted or otherwise unauthorised individual at ABCIS, the employee or contractor must immediately notify the data security officer;
(c) visitors to ABCIS must be escorted by an authorised employee at all times. If an employee or contractor is responsible for escorting visitors that employee or contractor must restrict them to appropriate areas;
(d) employees and contractors must not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by ABCIS. The use of external email systems not hosted by ABCIS to distribute data is not allowed;
(e) to maintain information security employees must ensure that data is not left on their desk unattended;
(f) employees and contractors must use a secure (strong) password on all ABCIS systems;
(h) employees must take every opportunity to ensure that data is up to date and accurate;
(i) terminated employees and contractors will be required to return all records, in any format, containing personal information;
(j) employees and contractors must immediately notify the data security officer in the event that a device containing data, or access to data, is lost (for example mobile phones, laptops, etc);
(k) if an employee or contractor has been approved by ABCIS to work remotely that employee or contractor must take extra precaution to ensure that data is appropriately handled;
(l) data that must be moved is to be transferred only via business provided secure transfer mechanisms (e.g., encrypted USB keys, file shares, email, etc); and
4. DATA SECURITY
(a) Unless required in the course of providing its services, ABCIS will not share or sell a customer’s data to any third party without the consent of the relevant customer.
(b) ABCIS uses best endeavours to protect restricted, confidential or sensitive data from loss to avoid adversely impacting its clients/customers.
(c) Sensitive data requiring protection includes:
(i) sales and supply data, particularly sales information, orders, forecasts, and other customer information (as applicable)
(ii) credit card details, bank account numbers and other financial identifiers;
(iii) email addresses, names, addresses and other combinations of personally identifiable information; and
(iv) documents that have been explicitly marked confidential.
(d) Electronically stored data will be protected from unauthorised access, accidental deletion and malicious hacking attempts:
(i) data is to be protected by strong passwords that are changed regularly;
(ii) servers containing personal data are sited in a secure location;
(iii) data is backed up frequently and backups tested regularly;
(iv) all servers and computers containing data are be protected by approved security software and a firewall;
(e) In cases of
(i) improper transmission of data to third parties,
(ii) improper access by third parties to data; or
(iii) loss of data,
(collectively referred to as data security events) the data security officer shall be immediately notified.
(f) All data security events will be investigated by the data security officer to identify the cause of the relevant event, ascertain the extent of the event and minimise any impact of the event on the customer.
(g) Any affected customers of a data security event shall be notified by the data security officer as soon as reasonably practicable.
(h) ABCIS shall comply with all applicable privacy laws in the event of a data security event.
5. Rights of Data Subject
Every customer (data subject) has the following rights:
(a) a data subject’s enquiries are to be handled by the data security officer;
(b) the data subject may request information on which data relating to it has been stored, how the data was collected, and for what purpose;
(c) if data is transmitted to third parties, information must be given to the data subject about the identity of the third party recipient;
(d) if data is incorrect or incomplete, the data subject can request that it be corrected;
(e) the data subject can object to the processing of its data for purposes of market/opinion research; and
(f) the data subject may request its data to be returned or deleted if the processing of such data is no longer required.
6. System Access
(a) For the purpose of installing and supporting our software, ABCIS uses a third-party remote access application called SplashtopSos (https://splashtop.com).
(b) SplashtopSos is a cross-platform application which supports Windows and MacOS clients/servers. This can be downloaded and run without installation for one-time access which requires the user to give SplashtopSos the 9-digit access code.
(c) Once we enter the code and attempt to connect, the user is prompted to accept or deny the remote access attempt.
SplashtopSos can be installed on your back-office server for easy access in future. If the user gives permission, we will set a password for unattended access. If unattended access isn’t granted or required by ABCIS, you will be prompted with the same prompt to accept or deny remote access.
(d) ABCIS reserves the right to alter its process and/or software for accessing a customer’s system.
7. Data Storage
ABCIS has a client application which is installed on the same computer the back-office software is hosted on. This client application communicates with our servers via secure HTTPS. It calls home every 60 seconds requesting instructions. The client then executes those instructions by making API calls to the back- office system’s endpoints or by querying the database directly. Instructions are to retrieve data from or to push invoices through the back-office system. By having a client application on the back- office server, no direct access or port forwarding is required, leaving the customer’s network secure.
8. Data Storage
ABCIS’s database and application servers reside in a data centre which sits behind a firewall. All communication between ABCIS’s servers and the client applications is over secure HTTPS and authentication is handled by our authentication API. Authentication is configured individually for each client and each account only has access to data for the store the account is assigned to.
9. Data Collected
The only data ABCIS collects is specific to the services that ABCIS provide. For Click Invoicing and ABCIS’s reporting suite which includes store performance (KPI) reports, ABCIS collects product information, supplier product (supplier costs), purchases and sales for products/departments. ABCIS does not collect POS transactional data (such as loyalty).