We've put together answers to some of the main questions you might have relating to GDPR.
What has Asset Bank done to ensure it is GDPR compliant?
We have been working on a cross-company programme to ensure we are compliant and can support our customers with their compliance. This includes a comprehensive organisation-wide audit and gap analysis, creating a detailed action plan of changes we need to implement. This has included process changes, security and product improvements, supplier reviews and ensuring we have compliant contracts in place. We've provided a summary of our activity here.
Does Asset Bank store customer data in the EU?
Customers can choose to have their Asset Bank hosted in either our EU, USA or Australian data centres. By default, all of our EU customers' data will be hosted in the EU, and our standard EU server location is the Republic of Ireland.
Will my data ever be transferred outside of the EU?
Our EU data centres ensure that the main hosting of your Asset Bank data remains in the EU. We use a select number of suppliers to help us provide our support and consultancy services to you and some of these providers are based outside of the EU. For transfers outside of the EU the GDPR requires that appropriate safeguards are in place to protect that data - all of our industry leading suppliers offer the required safeguards so that these transfers are suitably protected.
More details on our carefully selected suppliers and international data transfer can be found here.
Data is transferred to our offices in the UK as part of our support and consultancy work. If the UK leaves the EU, then this will be an international transfer under GDPR rules. Our latest data processing agreement includes the required contracting commitments to ensure such transfer remains compliant under any Brexit scenario.
What security measures does Asset Bank have in place to protect customer data?
Our data centres are provided by Amazon Web Services (AWS) which is an industry leading supplier of hosting services for organisations across the globe. AWS have extensive security in place along with a robust approach to compliance - more details on AWS's policies can be found here.
We are ISO27001:2013 certified, and security of data is a consideration for each aspect of our products and services. Our hosting infrastructure, as well as being protected by AWS's services, includes several layers of protection, including data encryption, backups, regular security patching and strong access controls. Security is a key consideration in our product development, and we're also rolling out improvements to security when we transfer your data outside of Asset Bank.
Our Security section has more information on how we protect your data.
Can we audit your compliance and will you complete a security questionnaire for us?
We are committed to ensuring that our customers can be confident in our compliance, and we provide several resources to support an audit of our security and practices, all in line with GDPR requirements.
The FAQs on GDPR in general and security more specifically give an overview of our security practices and how we manage data. For those seeking detailed information about our specific practices we have provided our own Security Questionnaire - this covers the range of information organisations typically need to find out in order to assess our services. Additionally, we can, on request, provide our Information Security Policy and Data Protection Policy, to provide further insight into our approach.
We are also able to provide, on request, evidence of the independent external audits of our security practices, demonstrating our ISO27001:2013 compliance and our GDPR compliance.
Our aim is for these sources to provide sufficient information for our customers to assess our security and consider if our practices meet their requirements. Where further details are required our support team will be happy to answer specific questions, and we will always seek to update our own Security Questionnaire where relevant.
Our Data Processing Agreement makes additional allowances for us to support our customers with any further auditing, as an additional chargeable service.
Do you have a GDPR Data Processing Agreement or compliant contract I can sign up to?
Yes - we have a Data Processing Agreement and Standard Contractual Clause available for all our customers to sign up to and you can find more information and access it here.
Will you only process our data in accordance with our instructions, and for the purpose of providing your services to us?
Yes - We will only ever process your data for the purposes of providing our services to you. Specifically, for the purposes of providing your Asset Bank, along with any support services or consultancy that you may ask us to provide. We will never use your data for any other purposes without your written instructions or permission.
Is access to our data restricted to only those people who need it?
Yes - access to our customers' data is carefully controlled. Only those within the company who need access to provide our services to you are able to access Asset Banks. Access to the infrastructure of our cloud hosting services is additionally strictly limited to members of our infrastructure team. We never use client data in our testing or development process.