Important information

Information Security and Data Protection

Kyloe has measures in place to protect information against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration or disclosure.

Personal data is handled in compliance with GDPR. We subscribe to the Privacy Shield Framework, which means we follow the Privacy Shield Principles for the collection, use and retention of Personal Data which is passed to the USA from entities in the EU. Our Privacy Shield policy can be found here. If there’s a conflict between our policy and the Privacy Shield Principles, the Principles will always prevail.

Secure Approach
Kyloe takes a secure approach in all of our service delivery. Here’s a summary of measures we have in place:
  • Only processing client data (including personal data) for the purpose of performing our obligations under signed Agreements we have with clients
  • Limiting access to systems (internal and client) to relevant persons in order to perform our obligations under signed Agreements we have with clients
  • Subscribing to identity management software to appropriately secure, restrict, manage and audit access to internal and client systems
  • Using multi-factor authentication and strong passwords (changed every 90 days) on our internal systems where applicable
  • Securing desktop infrastructure behind secure firewalls, protected by automatically updated anti-virus software, and encrypting hard drives with Windows 10 Professional BitLocker
  • Operating a closed network, meaning there is no direct internet connection into any Kyloe computer
  • Controlling wireless access points with WPA2 security and strong passwords
  • Installing remote-controlled monitoring on all Kyloe computers
  • Using industry-leading cloud service providers (data centres), accredited with industry-leading certifications for availability and security, to host and protect client data
  • Using cloud service providers for internal management of information, secured with enterprise-grade systems, audit logging of access, restricted user accounts and data back-up
  • Incorporating data security and awareness training into our team onboarding
  • Keeping our team up to date with changes in security guidelines and standards
  • Incorporating strict confidentiality provisions into our employment contracts and contracts with clients
  • Operating a ‘shut down’ process for leavers for all systems
  • Sharing sensitive information securely, ensuring it is encrypted when sent by email or other open system
  • Issuing user names and passwords separately via two distinct platforms (e.g. email and telephone)
  • Using a self-destruct tool when issuing passwords by email: http://privnote.com
  • Not holding personal information for longer than necessary and appropriate to fulfil contractual obligations with clients
  • Following industry guidance for retention and deletion of data

What we expect of clients
We ask clients to tell us if they have specific security requests. We also rely on our clients meeting certain obligations – we expect them to:
  • Remember that Kyloe is the data processor (as defined by GDPR) of Personal Data provided to us in our role as service provider, and the client is the data controller
  • Know that the client is responsible for the accuracy of information uploaded to Kyloe+ products, or passed to us for any other reason (including a data migration)
  • Make sure their own internal security measures are appropriate and meet legal obligations to protect personal information
  • Obtain applicable consents or waivers from relevant persons necessary for Kyloe to provide agreed Services securely and in accordance with the law
  • Comply with applicable laws when using our Services

ICO
Kyloe is registered with the Information Commissioner’s Office and we keep up to date with the latest developments and best practice guidelines. More information on the ICO and information security can be found on their website: www.ico.org.uk.

Access requests are handled in accordance with the law.

Reporting a Data Breach
In the event of a data breach, Kyloe will follow the data breach reporting process and inform the ICO when applicable.

Questions?
Please always ask if you have any questions. Your Kyloe contact will be happy to assist.