Important information

Information Security and Data Protection

Kyloe is committed to protecting the information we handle about individuals, clients and other companies we work or otherwise interact with.

We have measures in place to protect information against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration or disclosure.

We comply with the GDPR. In the US, we subscribe to the EU-US Privacy Shield framework, which means we follow the Privacy Shield principles for the collection, use and retention of personal data which is passed to the US from entities in the EU. Our Privacy Shield policy can be found here. If there’s a conflict between our policy and the Privacy Shield principles, the principles will always prevail.

Secure Approach
We take a secure approach in every area of our service delivery. Here’s a summary of the measures we have in place:
  • We only process client data (including personal data) to deliver our commitments under signed Agreements we have with our clients
  • We limit access to systems (both internal and client) to the relevant people who need to deliver on our commitments to our clients.
  • We subscribe to identity management software so we can appropriately secure, restrict, manage and audit access to our internal and client systems.
  • We use multi factor authentication and strong passwords (changed every 90 days) on our internal systems where appropriate.
  • We secure our desktop infrastructure behind secure firewalls, protected by anti-virus software (which is automatically updated), and encrypt our hard-drives with Windows 10 professional BitLocker.
  • We operate a closed network, meaning there is no direct internet connection into any Kyloe computer.
  • We control wireless access points with WPA2 security and strong passwords.
  • We install all Kyloe computers with remote controlled monitoring.
  • We use industry leading cloud service providers (data centres), accredited with industry leading certifications on availability and security, to host and protect the data we handle.
  • We use cloud service providers for our internal management of information. They are secured with enterprise grade systems, with audit logging of access, restricted user accounts and data back-up.
  • We deliver data security and risk awareness training to all Kyloe employees.
  • We keep all Kyloe employees up to date with changes in security standards and legal requirements.
  • We have strict confidentiality provisions in our employment contracts with employees, and Agreements we have with clients.
  • We operate a ‘shut down’ process for leavers.
  • We share sensitive information, including personal information, securely – encrypted when sent by email or other open platform.
  • We only share user names and passwords separately via two distinct platforms (e.g. email and telephone).
  • We use a self-destruct tool when sending passwords by email: http://privnote.com.
  • We don’t keep personal information for longer than necessary to fulfil contractual obligations with clients.
  • We follow industry guidance on the retention and deletion of data.

What we expect of clients

We ask all of our clients to let us know if they have a specific security request. We also rely on our clients meeting certain obligations – we expect them to:
  • Remember that Kyloe is the data processor (as defined by GDPR) of any personal data provided to us in our role as service provider. The client is the data controller.
  • Know that the client is the data controller of any information (including personal information) uploaded to a Kyloe product, or passed to Kyloe for any other reason (including a data migration), and is responsible for its accuracy.
  • Make sure their own internal security measures are appropriate and to meet the legal obligations on the protection of personal information.
  • Obtain the necessary consents or waivers from the relevant persons so that Kyloe can deliver any agreed services in accordance with the law.
  • Comply with all applicable laws when using Kyloe’s services and products

ICO
Kyloe is registered with the Information Commissioner’s Office and we keep up to date with the latest developments and best practice guidelines. More information on the ICO and information security can be found on their website: www.ico.org.uk.

We handle access requests for information in accordance with legal requirements.

Reporting a Data Breach
In the event of a data breach, Kyloe will follow the data breach reporting process and inform the ICO when it is appropriate.

Questions?
Please ask if you have any questions. Your Kyloe contact will be happy to assist.