Privacy Policy

Last Updated: 07/01/2019


We are committed to protecting and respecting your privacy. This page explains how we may gather and use information about you. All use of such information is governed by the principles and practices set out in this statement.

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

The purpose of this document is to consider how this regulation may affect our own in-house management systems, as well as our customers and, in turn, their customers when using our Technopoly products and services.

We do not profess to be GDPR experts, nor do we expect the following to be treated as formal advice or in any way as legal consent or a recommendation. We do expect our customers to take their own advice and to inform us of any specific requirements they may have for our consideration.

We understand that the core remit of this regulation is to give each individual the right to consent to their personal data being collected and used for any purpose, to allow them to be able to know what data is being held about them, as well as for that individual to have the right to have their data deleted upon request.

Our position is that we will consider any actions that may be necessary to make our systems compliant with this regulation and to work closely with our customers to understand any requirements they may have and which we should take into consideration going forward.

Technopoly provides software products that by their very nature provide facilities to store personal data. This may involve the personal names and details of customer and supplier contacts, as well as our customers' employees and their customers' employee information that may be required to provide services to the customer and any individual. This information may be held in part or across different system modules on our in-house customer and project management databases, as well as on our customer-facing products and services.

HMRC

We understand that any requirements imposed by HMRC by way of legal compliance, to meet their needs for reporting and tax compliance, supersede all other requirements.

Technopoly Internal Systems

It is the policy of Technopoly never to distribute or sell on any information to any third party for any purpose unless legally required to do so.

CMD Systems

Technopoly has an internal Customer Management Database, customer file areas and other systems that run on its in-house servers. These host all the information required to market our products, and hold customer contact information and service agreements as well as licence and contact management information.

These systems are private, protected internal systems and are accessed by employees of Technopoly using a unique username and password. Employees are bound to uphold full confidentiality of the information stored in these systems as part of their terms of employment.

My World

Our Customer Support and Management Portal is a web-based application hosted off site within a secure data centre in the UK.

Access to this portal is over a TLS-protected domain, using a customer-derived username and an encrypted password. Access is limited to user-specific information; where permission has been authorised, company-specific information is also available.

Passwords may be changed by the user at any time and we always recommend that a strong password is used and regularly changed by all users.

Personally identifiable information stored within the portal will be populated by an authorised person at the respective company, which therefore implies consent for us to hold this information unless we are notified otherwise.

Some data, such as cookies stored on users' computers, is essential to running private and secure sessions and to sales transactions within our website. These cookies hold no personal information and can be deleted manually. Please see the Cookies section of this policy for further information.

New Features

As part of a raft of improvements to My World we will also be increasing our security measures for all users. These changes will include stronger password requirements and encryption methods, as well as the ability to edit and delete some personal information as required.

A one-time request for consent regarding existing stored information will be made prior to the release of the new My World system.

Sage Accounts

Technopoly uses Sage Accounts and holds customer and contact information to allow the production of financial instruments, including invoices, purchase orders, credit notes, statements and reports.

Other information as required by HMRC is stored and used solely for the purposes of complying with their requirements and legislative compliance.

Technopoly Software, Products and Services

Technopoly supplies these software products for use by our customers. The software is licensed to the customer, but the data contained therein is solely the responsibility of each customer.

It is, therefore, the responsibility of the customer to gain consent for the collection, use and storage of any data held in these systems.

Web Applications

Technopoly provides several web applications, some of which transfer personal data from the customer's local internal system up to the web application. The transferred information is only that essential for functionality, such as names, contact information, usernames and passwords. It is the responsibility of the customer to acquire consent for this information to be held on their internal system and the associated web application.

It will also be the responsibility of the customer to delete this data from their internal systems if requested to do so. Deleted information will automatically be reflected on the web application during the transfer process.

Data Imports

Where customers provide information for us to import into any application or website, which may include employee information from their own customers, we would expect that consent has been given by any individual whose information is supplied, prior to the release of this data to us.

Technopoly may store any import spreadsheets or data files provided on its own in-house servers in a dedicated customer file area.

Data Links

Where Technopoly has been engaged to provide data links (including APIs) from its systems or web ordering sites to other third-party or customer in-house procurement systems (punch-outs, order imports, EDI links, APIs, etc.), we would expect the customer to be responsible for gaining consent to the collection, use and storage of any data held in these systems, and for any subsequent additions of information that may be transferred to our web ordering or customer applications.

Data Deletions

In respect to the “right to erasure” of any personal data, we would advise the following procedure:

Because the systems we supply depend on links between an employee record and their orders, or timesheet information, it will be necessary to maintain the integrity of any links, otherwise, the reports and other data links within the system will not be able to function.

To comply with any request for records to be deleted, we would advise that the key employee identifier (usually the employee number) be retained within the system, and that the employee name and payroll number be edited to just the individual's initials with the word "deleted" added.

There is also the option to flag an employee as left / "no longer employed" with a date; this flag will need to be set so that the individual's records are not shown in any live system.

Other employee information under this top-level record can then be edited or deleted, including personal records such as driving licence documents and details, date of birth, mobile phone numbers, individual delivery addresses, etc.

Customers and their customers may then use their own internal procedures to verify that these deletions have been made and formally record these on their own internal systems to notify the individual concerned.
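The erasure procedure described above, worked through as an added illustration (this is not Technopoly's code): the employee number is kept so that orders and timesheets still join, the name and payroll number become initials plus "deleted", the remaining personal fields are blanked, and the record is flagged as left so that a live view hides it. The schema, column names and sample rows are constructed assumptions.

```python
import sqlite3

# Columns the procedure says can be edited/deleted once the key identifier is kept.
PERSONAL_COLUMNS = ("date_of_birth", "mobile_phone", "delivery_address", "driving_licence")

# Constructed schema: the employee number is the primary key that orders and timesheets link to.
SCHEMA = """
CREATE TABLE employees (
    employee_id      INTEGER PRIMARY KEY,
    name             TEXT NOT NULL,
    payroll_number   TEXT,
    date_of_birth    TEXT,
    mobile_phone     TEXT,
    delivery_address TEXT,
    driving_licence  TEXT,
    has_left         INTEGER NOT NULL DEFAULT 0,
    left_date        TEXT
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES employees(employee_id),
    total       REAL NOT NULL
);
CREATE TABLE timesheets (
    sheet_id    INTEGER PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES employees(employee_id),
    hours       REAL NOT NULL
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two employees with linked orders and timesheets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO employees VALUES (?,?,?,?,?,?,?,0,NULL)",
        [(1001, "Jane Example Smith", "PR-1001", "1980-01-01", "07700 900000", "1 Sample St", "DUMMY-LICENCE-1"),
         (1002, "Bob Sample", "PR-1002", "1975-05-05", "07700 900001", "2 Sample St", "DUMMY-LICENCE-2")])
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", [(1, 1001, 120.0), (2, 1001, 80.0), (3, 1002, 50.0)])
    conn.executemany("INSERT INTO timesheets VALUES (?,?,?)", [(1, 1001, 37.5), (2, 1002, 40.0)])
    conn.commit()
    return conn


def initials(full_name: str) -> str:
    return "".join(part[0].upper() for part in full_name.split() if part)


def erase_employee(conn, employee_id: int, left_date: str) -> str:
    """Pseudonymise one employee in place and return the replacement label.
    The primary key is untouched, so every foreign key from orders/timesheets still resolves."""
    row = conn.execute("SELECT name FROM employees WHERE employee_id = ?", (employee_id,)).fetchone()
    if row is None:
        raise KeyError(f"no employee {employee_id}")
    label = f"{initials(row[0])} deleted"
    blanks = ", ".join(f"{col} = NULL" for col in PERSONAL_COLUMNS)  # column names are constants, not user input
    conn.execute(
        f"UPDATE employees SET name = ?, payroll_number = ?, {blanks}, has_left = 1, left_date = ? "
        "WHERE employee_id = ?",
        (label, label, left_date, employee_id))
    conn.commit()
    return label


def live_employee_ids(conn) -> list:
    """What a live screen should show: leavers are filtered out, not deleted."""
    return [r[0] for r in conn.execute("SELECT employee_id FROM employees WHERE has_left = 0 ORDER BY employee_id")]


def order_totals_by_employee(conn) -> dict:
    """A report that joins orders to the employee record; it must still work after erasure."""
    sql = ("SELECT e.employee_id, e.name, SUM(o.total) FROM orders o "
           "JOIN employees e ON e.employee_id = o.employee_id GROUP BY e.employee_id")
    return {eid: (name, total) for eid, name, total in conn.execute(sql)}


def remaining_personal_data(conn, employee_id: int) -> list:
    """Verification step for the customer's own records: which personal columns still hold data."""
    cols = ", ".join(PERSONAL_COLUMNS)
    row = conn.execute(f"SELECT {cols} FROM employees WHERE employee_id = ?", (employee_id,)).fetchone()
    return [col for col, val in zip(PERSONAL_COLUMNS, row) if val not in (None, "")]
```

`remaining_personal_data` returning an empty list for the erased employee, while `order_totals_by_employee` still reports their orders under the "deleted" label, is the check a customer can record when confirming the erasure to the individual.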

Access to internal systems

To provide support to our customers, access to the customer’s personal computers, servers and systems is often required. This access is facilitated in one of the following ways:

  • LogMeIn™
    This web application offers a secure method to access remote computers without the requirement to know any user's personal usernames or passwords.
  • TeamViewer™
    This web application offers a secure method to access remote computers without the requirement to know any user's personal usernames or passwords.
  • Windows Remote Desktop (RDP)
    In order to access a user machine via RDP, knowledge of the recipient's Windows™ username and password is required unless a specialised account has been created for Technopoly's own use. Consent for these credentials is requested at the time of creation, and consent for access is requested from a director or other authorised employee prior to every connection where the target machine is a user's personal computer. All RDP usernames and passwords are stored in our internal system to limit the transmission of these credentials for future use.

Internal security policies

Technopoly’s internal security policies have been amended to improve procedures and reduce the transmission of sensitive information.

Information we may request or store

Where required to offer support and services, Technopoly may request the following information, either verbally by telephone or by email.

  • Names of employees
  • Basic Company information
  • User, account and company information already present in any product licensed from Technopoly
  • Account usernames
  • Product information

Information we will NEVER ask for or store in an unencrypted format

Technopoly will never ask for the following information under any circumstance and if this information is requested it should never be divulged.

  • Passwords (system, web, account or third party), with the exception of RDP, for which approval should come from a director or other pre-authorised personnel.
  • Debit, credit, bank or associated financial information, apart from a bank account number, sort code and third-party merchant/vendor setup information (e.g. PayPal).

Cookies

Our website, like many others, stores and retrieves information on your browser using ‘cookies’. This information is used to make the site work as you expect it to. It is not personally identifiable to you, but it can be used to give you a more personalised web experience.

We respect your right to privacy and as such do not use any cookies or services to track, monitor or infringe on your privacy in any way that we deem to be invasive. The cookies we use are strictly for website functionality and performance tracking only.

System Session Cookies

These cookies are used by our website to store anonymous session and login tokens. They may identify you as a single user when you move between pages, but carry no personally identifiable information and are destroyed when you close your browser, unless you actively choose to be remembered for easier login on your next visit.

Performance Cookies

From time to time we may use cookies to monitor this site's performance and activity.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Managing Cookies

Some cookies are necessary for the website to function and cannot be switched off without limiting access and functionality. They are usually only set in response to actions made by you which amount to a request for services, such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Other non-vital cookies, such as Google Analytics, can be blocked without restricting website functionality. We ask that you do not block these cookies as they are a valuable tool in helping make our website better.

If you do wish to block cookies you will find that your browser already has the tools to give you control. You should find these settings and other site features in your browser's privacy options.

Finally, if you do not wish to set cookies for this site and are unable to manage your cookie settings then please discontinue using this website.

Use of Forms

This site contains a number of forms you can fill in to provide us with information about yourself when requesting services, such as:

  • Asking us to contact you.
  • Signing up to our email newsletter.

We use this information purely for the purpose of providing you with the services you are requesting, or to keep you informed about new developments we think you may be interested in.

Your information will be held by Technopoly Ltd. Employees will only have access to your information if they need it to provide our services.

We do not generally share this information with any third parties, except where we use data processors to act on our instructions to provide our services. We will not pass on details to any other data controller without your express prior consent unless we are required by law to do so.

Controlling your Personal Information

You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee will be payable. If you would like a copy of the information held on you please contact us by any means provided on our contact page here.

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the address provided. We will promptly correct any information found to be incorrect.

Links to other Websites

We may from time to time publish links to other websites we believe to be of interest. However, we have no control over these sites, which are not governed by this privacy policy.


Online Security Statement


1 WEB SERVER SECURITY

Technopoly's web servers are hosted by the ISO-accredited ANS in a secure web hosting facility. Their general security statement is included below.

Disclaimer: Whilst ANS has made every effort to ensure the accuracy of all the information and statements herein the accuracy, reliability, or completeness of the furnished data is not guaranteed or warranted in any way and ANS and its representatives disclaim liability of any kind whatsoever, including, without limitation, liability for quality, performance, merchantability and fitness for a particular purpose arising out of the use, or inability to use the data. 06/11/2014 – ANS client distribution only

SECURITY STATEMENT

Access Control Administration

PCI DSS and ISO 27001 have a number of requirements.

Please refer to the standards for more information.

ANS regularly audits access and deletes access rights in a timely and tractable manner.

ANS has specific accounts for accessing client solutions.

Access to the administration of the ANS network is highly restricted to the network team and the ANS IT Director only.

Our passwords follow PCI DSS standards which dictate password length, construction, rotation and threshold limits. These apply to both engineers and clients.

ANS only refresh passwords for clients with the PCI service.

Anti-virus Protection

ANS does offer anti-virus protection to clients.

Please refer to specific solution for details and entitlement.

Application/User Layer

Application security and authentication are not the responsibility of ANS.

Development and test environments are not the responsibility of ANS unless taken as part of the solution.

Live production data and its use is not the responsibility of ANS.

Backups

Accurate and complete records are kept of backups.

Backup data is not encrypted.

Backup data is not periodically validated.

Certifications & Accreditations

ANS has a number of accreditations that show our commitment to continuous business improvement through our people, practices and technology in the hosting world.

PAS 2060:2010

ISO 27001:2005

ISO 9001:2008

PCI DSS

Investors in People Recognition

The ISO 27001:2005 and PCI DSS standards require a significant commitment to security from ANS. They are designed to ensure the selection of adequate and proportionate security controls that protect information assets.

Please refer to our website for the latest information: http://www.ans.co.uk

Change Management

ANS has a change management process. Engineers work with clients to define the changes and the work instructions are reviewed and approved by a team leader. All change records are documented in ANS internal systems.

Our change management process is not invoked for all changes. It is primarily used for service affecting planned changes. However, we use a ticket system to record all client issues and requests.

Data Integrity

ANS do offer various options for protecting data integrity e.g. hardware RAID.

ANS do not run any periodic checks on the integrity of client data.

ANS do not take responsibility for the integrity of client data or backup data.

Please refer to specific solution for details and entitlement.

Disaster Recovery

There is a documented disaster recovery plan as part of ISO 27001 for ANS operations, but this is not specific to client’s individual solutions.

There is not an official maintenance window. Scheduled maintenance typically takes place between 0001 and 0400 and requires 5 business days' notice. See terms and conditions for specific timelines.

General Network

All traffic not required is denied, but this changes depending on the client's requirements.

All network changes are documented and must be requested in writing.

Network configurations and changes are all documented using a version control system.

NAT may be used in your solution if you have a dedicated firewall. Please refer to specific solution.

ANS do not encrypt traffic by default across the network. However, clients can apply SSL or VPN technologies to achieve this.

General Security Policy

All employees are familiar with our information security policies.

This is a requirement of ISO 27001 and is part of the ANS induction and regular information security awareness training programme.

All employees with access to client servers (restricted data) have background checks.

ANS enforces strict standard procedures for building client solutions.

Security incidents are recorded and marked for record and review and affected clients notified. Post action plans are created to minimise future incidents of the same nature or cause.

Intrusion Detection & Intrusion Prevention

By default ANS do not offer intrusion detection services. However, they are available e.g. a dedicated firewall can be upgraded to include an intrusion prevention and detection module.

Please refer to specific solution for details and entitlement.

Logging

By default ANS do not enable logging due to the negative impact on performance and storage space other than basic operating system logging to local devices.

By default, ANS log all traffic that has been denied by the firewall. Within the log, only SRC/DST, IP address and ports will be recorded.

Clients are responsible for the administration of their databases and determining whether to utilise roll back transactions.

For network peripherals ANS logs all ANS engineer activity and changes are all logged by the individual engineer.

For client servers ANS engineers must log all activity performed.

ANS uses a logging server for all network related logs.

Operating System & Software Patches

ANS does offer automatic patching of the operating system to clients. To ensure availability of the overall solution, software and applications above the operating system are only patched on demand.

Please refer to specific solution for details and entitlement.

Physical Security

PCI DSS and ISO 27001 have a number of requirements. Physical security for all ANS sites – including the data centres is in scope for external assessments for PCI DSS and ISO27001. Physical controls are maintained 24/7/365 and are subject to both regular internal and external audits. Please refer to the standards for more information.

ANS physically host client systems in one of the privately owned data centres in the UK.

All visitors are logged.

VPN & Remote Access

Dedicated firewalls:

a. ANS use IPSec VPN and support strong encryption algorithms. ANS prohibit split-tunnelling of VPN.

b. Clients with dedicated firewalls can request up to 5x IPSec remote access and 2x site-to-site VPNs being set up.

c. Remote administrative access does not require two-factor authentication unless part of our PCI service.

d. Non-console administrative access is encrypted.

e. VPN user authentication is usually done by the firewalls local database. Please see specific solution for details as other options are available.

Vulnerability Scanning & Penetration Testing

ANS do offer annual security audits. ANS's security partner Secarma can offer security audits.

ANS do not run vulnerability scans on the network. There are periodic external checks as part of the PCI DSS accreditation. ANS's security partner Secarma can offer security scans.

Clients are not permitted to perform penetration testing on their environment without seeking approval from ANS.

ANS do not perform penetration testing on client environments.

2 DATA TRANSFER

Technopoly’s web products including Retail and Trade e-commerce packages use the following data transfer methods:

  1. DTSX Packages: Technopoly use Microsoft Business Intelligence Development Studio (BIDS) to transfer data between local and remote databases.

     This data is not encrypted and contains information such as product and order information, prices, customer names and contact details.

     This data does not contain any financial or credit information such as credit or debit card information, third-party user accounts or password information.

  2. File Transfer Protocol (FTP): Technopoly uses FTP to transfer product information such as product, company and finishing images and product-linked documents or videos. This information is not encrypted.

Financial information such as credit, debit card and payment merchant login details are not transferred between servers. A direct link to the payment site is established and a payment is made on the merchant’s server directly. This information is secured and encrypted using SSL.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

Where requested an SSL certificate can be applied directly to any of our hosted websites to ensure all data on the website is encrypted.

3 Customer Domains

Unless otherwise agreed customers will be responsible for providing, managing and paying for their own domains.

4 Customer modifications

Any customer who has access to the content-managed portion of any web ordering portal (NOP Retails e-commerce sites) will be responsible for ensuring that any changes to their content and administration user settings are only performed by a competent person, and do not interfere with the operation of their site.

If any disruption of service is caused by any such change, it is the responsibility of the customer to rectify the changes made.

If Technopoly is required to intervene in order to restore or correct the operation of any site, then this work will be charged for according to our current terms and rates for support. These charges may include additional services from ANS.

5 Customer change requests

If any customer, having reviewed the above, requires a higher level of security to be implemented or deployed on any of their web ordering portal sites, supporting databases or file transfer protocols, they must make a formal request in writing to Technopoly, who will then instigate measures to discuss and arrange any new requirements.

These may be subject to a charge according to our current terms and rates for support. These charges may include additional services from ANS.