RMP Connect Trust & Security

This is the official location for all of RMP Connect’s security policies, data management, legal and compliance information. You will find answers to all of your security questions here.

Index

Product & Functionality

What is RMP Connect?

RMP Connect is an online software solution for collecting data captured through various sources. It comprises the following:

RMP Connect also makes use of the following third party services which are not covered by this policy.


Our approach to data security

Handling your data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses RMP Connect software.

We have made a commitment to over-invest in a continuous and growing security program since we first established RMP Connect, and we strive always to go beyond what would usually be expected of a business of our size at any given moment in time.

Here are a few practical examples of security controls within our product:

We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of data.

We also make use of external security experts from time to time to appraise our work and our data protection procedures.

Glossary

For clarity, here are some terms we use in our security documents, and what they mean:

The Processor Us, RMP Connect
The Controller You, Your Business
The Application The RMP Connect Software

Data ownership, acceptable use & access to collected data

Unambiguously, the data you collect is your data and reserved solely for your own use.

Data and Personally Identifiable Information collected via our software is stored for the sole use of the Controller.

We facilitate the reliable collection and storage of data on our customer's behalf, and our intentions will always be framed by this.

Some members of the RMP Connect technical staff from time to time will have restricted access to the data we store on your behalf in order that we can carry out absolutely necessary service tasks such as the monitoring and improving the quality and performance of our own services, however under no circumstances are we or any third party able to access your data for any other purpose, such as but not limited to marketing or communication purposes.

Data will never be disclosed to any third party except in accordance with our Privacy Policy. The exceptions are:


Compliance & accreditations

Working with UK & European organisations

We fully comply and operate within the jurisdiction of UK and EU data law.

Working with US, UAE & other international organisations

As a company registered in the UK and storing data within the EEA, we are regulated by European laws which are widely considered more strict than many outside of the region.

Much of our compliance covers the core requirements of data law abroad, however we believe that European laws and the protection of rights of the individual and ownership of data currently provide the best protection of data anywhere worldwide.

If you are unsure about how this impacts your use of RMP Connect, we suggest you seek additional legal advice. We generally find compliance teams find parity even where we do not comply to a specific foreign law.

Data Processing Addendum (DPA)

We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with anyone that uses our service and requires one. This service is free of charge. The DPA forms part of a contract of service with RMP Connect (who are the Data Processor) and you as our customer (as the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the RMP Connect service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation) commitments.

You can request a copy of the RMP Connect DPA via help@rmp-connect.com.

Accreditations & Certifications

We continually and successfully work with data providers and organisations that already work within standardised frameworks such as ISO 20071, and we understand you may need to see accreditations as part of your assessment. We have gathered all the relevant documents for review.

RMP Connect is working towards meeting its own first international standards, so our current approach is to provide our own body of documents and policies that meet the requirements of organisations that do maintain these standards.

Our data is stored within certified facilities and our infrastructure built upon certified services.

View Data Service/Facilities Accreditations & Certifications

Registration with the UK Information Commissioner (ICO)

We are members of the United Kingdom's Information Commissioner's Office (ICO) Data Protection Register in the United Kingdom, and our registration number is Z1066396.

The Relationship Between You & Us

WHAT THE ICO SAYS IN PLAIN ENGLISH
The Controller collects and processes Personal Data in connection with its business activities. You use RMP Connect to collect and store data from your customers.
The Processor processes Personal Data on behalf of other businesses and organisations. We manage that data for you.
Article 17(2) of the Data Protection Directive 95/46/EC provides that, where processing of Personal Data is carried out by a processor on behalf of a Controller, the Controller must choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures; It is your responsibility to ensure our standards are good enough to meet your legal obligations and organisation’s own standards. We are always willing to try to help you meet whatever data obligations are required in order to use our software.
Article 17(3) and 17(4) of the Data Protection Directive require that where processing is carried out by a Processor on behalf of a Controller such processing shall be governed by a contract or legal act binding the Processor to the Controller, stipulating, in particular, that the Processor shall act only on instructions from the Controller and shall comply with the technical and organisational security measures required under the appropriate national law to protection Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing; We will manage the data in accordance with agreements we will make with you. These are outlined in our policies and terms and conditions when you sign up or start using our products. It is our responsibility to put measures in place to secure personal data you store with us.
The Processor takes all measures to protect Personal Data processed by the Processor on behalf of the Controller against a Security Incident and against all other unlawful forms of processing, as required under applicable national law. Such Technical and Organisational Security Measures shall include, as a minimum standard of protection, the following types of security measures: organisational controls, information security management systems; physical security; physica l access controls; entry controls, virtual access controls, transmission controls, assignment of responsibility controls, availability and separation of responsibility controls, security and privacy enhancing technologies; awareness, training and security checks in relation to the Processor’s Personnel; incident response management/business continuity; and audit controls/due diligence. We are required to put in place measures to protect the data we store on your behalf at organisational, server and application levels.

Data handling & encryption

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Data Life & Disposal

Data Life, Retention & Protection

Data associated with your RMP Connect account (including personal information and collected data) is retained for as long as you have a RMP Connect account and for a longer period as may be required by law.

We don’t cancel accounts for inactivity. If you have a licence which later expires, your data will be retained for a period of up to 12 months. After that period we will contact you about archiving your data.

You may delete your data when logged into RMP Connect the application at any time.

Permanent Deletion

To permanently delete data in your RMP Connect account click the Delete button on the “View all students” page and confirm. Once deleted from your account, you can contact us to request a permanent deletion of the soft-deleted data. The data will be automatically deleted after 7 days.

Backup Copies

Residual copies of data deleted from your account may remain on backup media as permitted by law. This data generally disappears after 90 days as old backup media gets overwritten with newer backups, which will result in total, permanent, unrecoverable deletion.

Hardware Management & Disposal

Computer equipment and storage media are securely reformatted and repurposed or destroyed beyond repair at their end of life. Our hosting provider shreds end-of-life hardware (although we are unable to provide certification for individual pieces of hardware), and we use secure erasure or destroy any storage media we use within the organisation.


Servers & physical location

Data centre location

Our UK based Data Centre is located in Manchester (we refer to this as our UK data centre in this document) and is operated by Layershift. Layershift hold the following security related accreditations.

We store backup data and some auxiliary data in Amazon's AWS S3 in London (UK). Accreditation and certification details of both these services/facilities can be viewed below:

Physical security

Our Data Centre implements the following access controls at its premises and facilities:

Specification & Server Access

Server Software Updates

Our Software Update Policy is here.

How Personal Data Enters Our Software

Personal data enters the application from the Akkroo API once a valid Akkroo account is linked to your RMP Connect account, CSV imports initiated by users of the application and data entry by users within the application.

How Personal Data Leaves Our Software

Personal data leaves the RMP Connect application when you export it as a downloadable file or you establish an integration with a linked Pure360 email account and you choose to export a segment of your database into the email platform.

Third-party Services

Some of our optional product features such as (SMS messaging) require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we prefer to work with companies that operate within government-backed schemes such as the EU-US Privacy Shield (previously Safe Harbor) scheme where possible.

Where possible we also always aim to anonymise data (decoupling it from the source) when transferring data to third parties.


System architecture

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Service Failure, Backups & Disaster Recovery

Servers

Backup schedule

Please note, we don’t operate as a backup and archival service, and we can not guarantee the storage of data once collected, so we always encourage our customers to follow common sense and take sensible actions to make their own backup provisions in addition to the measures we take.

Disaster Recovery & Resilience

Our comprehensive backup schedule and redundant, versioned, distributed backup means that in the event of a major disruption, we are in a strong position to recover very recent data and return servers to an operational state.


Policies

Privacy Policy

We will notify account owners by email if we make changes to our privacy policy.

Privacy Compliance Violation & Remediation Policy

Any incident of privacy violation surrounding collected data is logged centrally and reviewed quarterly. Remediations will be proposed and timescales for implementation agreed and recorded in the log.

Staff Security Privilege Auditing

Emergency Staff Privilege Escalation Policy

Should we ever need to grant emergency privileges to internal or external personnel for any reason, this action is logged in our Emergency Access Log with full reasoning. We also log when those privileges are revoked.

Application Password Policy

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Internal Password Policy

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Embedded Passwords Policy

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Mobile, Desktop & Remote Access (Working Out of Office/From Home) Policy

We permit RMP Connect team members to work from home and away from our dedicated office spaces. We require all team members to take care with their RMP Connect issued devices when they are working outside of a dedicated RMP Connect office space, and we also apply a number of additional user verification controls to RMP Connect online services and administration features.

Access to RMP Connect online services are only available over a secure, encrypted connection.

Our staff have access to our software service on mobile, desktop and when working remotely because our service is offered as Software as a Service (SaaS). Access to RMP Connect online services are only available over a secure (HTTPS) internet connection.

In addition, for technical users with escalated access privileges, we manage access through key based role and permissions management.

Internal Network Security Policy

Any new service, protocol and or additional grant of port access are first required to be reviewed and approved by our internal senior technical team, and only allowed when supported by a legitimate business case.

Any new system level components installed with vendor default settings in place are reset beforehand to remove risk of insecure defaults.

Any redundant components, protocols, services and functions are shut down and removed as soon as technically feasible.

Email, Removable Media & Customer Data Transfer Policy

It is our policy that Customer Confidential data must not be sent via email or any publicly accessible electronic communication service without first being encrypted with a secure password that complies with our internal password policies. Data should only be transitted this way when other internal facing methods are not available. Passwords must be transmitted by a unassociated medium other than the medium the files are transmitted, such as via phone call.

We also do not ordinarily permit the storage or transfer of Customer Confidential data on removable media such as USB keys and external hard drives. Should it be necessary or unavoidable, any such data transferred or stored on removable media must be encrypted with a secure password that complies with our internal password policies.

Company Owned Device & Operating System Policy

Our staff are issued with modern Apple devices for the conduct of their work, and we encourage them to run all updates in a timely manner, advise them on security. Critical OS updates are enforced by the manufacturer, or by us as necessary.

We deliver security training to all new team members and enforce disk encryption for all company issued devices.

Security Incident & Breach Reporting Policy

We maintain a centralised, fast, secure reporting system for the communication of all security and privacy issues. If a security or privacy issue is raised, a director of the business is immediately notified to co-ordinate the evaluation and necessary response, and the nature of the incident is logged alongside details, who is involved, actions taken and proposals for future action.

Should it be determined as necessarily significant during this evaluation, we will communicate the nature of the security incident or breach to affected parties including customers as soon as we are able within the context of the situation, and in a manner which we believe will not exacerbate the worsening of the issue.

We will also notify the relevant authorities as soon as feasibly possible.

To view our full Security Incident & Breach Reporting Policy please contact help@rmp-connect.com

Data retention & protection policies

How we handle data life in our data retention and protection policies can be found here.

Clean Desk Policy

We run a clean desk policy at RMP Connect. We do not print or handle printed versions of customer data at all if we can avoid it as we are primarily a digital operation, but in any rare instance when we should have to handle such documents, any such items will be stored in locked cabinets in the office overnight and securely destroyed on-site when no longer needed.

Internal Data Access Policy

Staff privileges are assigned appropriately based upon their specific roles, and reviewed when employment ceases or when they change roles.

When a staff member leaves employment at RMP Connect, we deactivate access to staff accounts as soon as we physically can, which is usually immediately. This deactivation always occurs within 48 hours of the end of their employment. Accounts are deleted within 30 days. This process is logged.

Software Update Policy

Application Updates are managed with a formalised version control flow, and go through a process of development team testing, wider internal testing (both automated and human), and pre-release testing with the live database.

The final deployment of an Application update is automated and migrating to a new version often requires no humanly noticeable downtime.

Our servers are updated with new patches automatically by our hosting provider Layershift. They also monitor for zero-day critical vulnerabilities and implement fixes within 24 hours or sooner where a patch is available.

Browser Support Policy

We support the current and immediately prior major version of each major web browsers. We offer limited support for specific versions of Internet Explorer. We provide a list of currently supported web browsers below.

In general, RMP Connect supports the current and prior major release of Chrome, Firefox, Internet Explorer and Safari.

We sometimes are asked why we don't support certain older versions of web browsers. Why are we ending support for IE8, IE9 & IE10?

We constantly evaluate which browsers to support, and consider which ones will give our users the best and most secure experience. This enables us to focus on areas that will add the most value for all our customers. There are three key reasons that drive our decisions:

Older browsers are less secure. Trust and security are incredibly important to us at RMP Connect. There are more and more security vulnerabilities discovered in these older browsers as time passes, and so we are committed to discourage use of these insecure browsers by dropping support in line with the manufacturer's recommendations. Microsoft will stop supporting IE8, IE9 & IE10 in January 2015. For more information, please see their website: microsoft.com/en-us/WindowsForBusiness/End-of-IE-support. Our customers have the best experience when they use newer browsers. Our customers will only benefit from the best and fastest technologies when using the newest browsers, and older browsers simply cannot provide all the features required to allow a full-featured web experience.

What is changing?

In 2014, Microsoft announced that they would end support for IE10 or below in January 2016. At the same time RMP Connect, will also stop actively supporting these older browsers. That doesn’t mean our services won’t work for anyone on these browsers, however it does mean if you’re running IE8, IE9 or IE10, some features/functionality may stop working in time and we won't actively be building fixes as the percentage of active users has dropped below a significant threshold.

Help & Support Policy

We do not currently record phone calls made to our support team, however we may opt to update this policy in the future.

Policy Review Schedule

We review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.


Penetration Testing

We carry out scheduled three-layer penetration test conducted by a trusted third party security company each year. Our last penetration test was performed in November 2018.

Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible.

The scope of our penetration tests consist of:

An abbreviated summary of our most recent penetration test (scope, results and remedial) is available to download on request. For reasons of infrastructure security, we will not be able to supply the unabridged report.

Some of the content on this page is restricted and only available on request. You can request full access by emailing help@rmp-connect.com.

Want to find out more about RMP Connect?

Request a demo

or contact our team at help@rmp-connect.com or give us a call on 020 3056 7721, we'd love to hear from you!

Get started

Fill in the information below and a member of our staff will get in contact to discuss Connect with you, or you can give us a call on 020 3056 7721

Request a demo