The Asperiti Group Limited
Data Privacy Policy Statement
For our own accounting and customer contact purposes we hold data in electronic and paper format. This information is limited to what is required to maintain our accounting records for the prescribed period required by law, which is seven years. The data comprises company name and address, contact names, telephone numbers and email addresses, and records of financial transactions. We use this information to send accounting documents such as invoices and statements to our customers by post or email, and occasional newsletters and promotions if express consent has been given for this.
For the purposes of providing a bureau accounts service, we also hold data regarding our client’s financial records, limited as above. We also provide a bureau payroll service, and are authorised by our clients to maintain employee records containing personal information such as home addresses, email addresses and telephone numbers. Again, this is limited to the minimum information required to run the payroll and to send payslips and reports both to our clients and their employees. If details of next of kin are recorded in our payroll system, specific consent will have been sought and received, and our payroll software has provision to record this consent with the date given. None of the data mentioned above will ever be intentionally or unintentionally disclosed to any third party unless we are required to do so by a legal request from Her Majesty’s Revenue and Customs or law enforcement agencies with a legal warrant.
Access to the above data is restricted to the Directors and designated staff of the Asperiti Group Limited. Physical data is held in locked filing cabinets. Once stored paper records are no longer required to be held, they are securely shredded and disposed of by an accredited third party who gives appropriate guarantees and certificates of secure disposal.
We take the security and confidentiality of our own and our customer’s data very seriously. Data held electronically in computer storage and retrieval systems are protected in several ways to prevent data breaches occurring.
All computers and servers on our premises are secured from physical access from any unauthorised persons. Offices are locked and only accessible to directors and staff.
All computers and servers are running supported versions of Windows operating systems, are fully patched up to date against security vulnerabilities and have industry standard anti-virus and anti-malware software installed and updated as often as required. Access to computers is by way of secure logins and passwords which are changed on a regular basis.
Computer software used to store our own and customer’s data is regularly updated as advised by the software vendors. Access to accounts and payroll software is protected by a further level of username and password requirement.
Staff who have access to accounts and payroll software have read and signed our privacy policy statement.
To prevent accidental loss of data, there are two separate data backup processes in place. One backs up all the data on our servers daily to a local backup device which is stored in a secured cabinet. A second process backs up critical data to a secure, encrypted, off-site backup service. This is also done daily.
Wi-Fi access to the company network is restricted to staff members who have password access. A separate guest Wi-Fi service is provided to keep the main network secure. Wi-Fi passwords are changed on a regular basis, and management of this is restricted to one designated staff member, a Director.
We take credit and debit card payments from our customers. To do this we use a hosted online service via a Gateway web page on a PC. Our access to this page is restricted to authorised users who each have their own password. This password has a forced expiry policy and must be changed at least every three months. No customer card details are stored on our systems, the card details are typed in live on the screen and not recorded anywhere else. Once the payment is authorised, the card details are removed from the screen.
Our company website does not contain any customer data. There is a secure download area provided for customers, this area is fully protected by a username and password.
Our email server uses the highest level of security, utilising SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) to authenticate our outgoing mail to third-party email servers. This helps to prevent spoofing of our email addresses and their use for phishing attacks. Our server is blocked from acting as an open relay, and customer email addresses are not accessible. Our staff are trained to detect and delete phishing emails from malicious third parties attempting to obtain confidential company information. We have an efficient paid-for anti-spam service that blocks a large proportion of unwanted or malicious mail.
If portable devices such as mobile phones, laptops and tablets are used, usually no confidential data is stored on the device, they are used to remotely access company data on our servers, and are subject to the same access restrictions as the local login would be. If, in the case of remote workers, copies of confidential company data is stored, it is protected by the use of corporate logons and passwords as though the device was in the office.
We take great care to protect confidential third-party data using the measures above, and continually review our systems to ensure the highest standards of data security.
Stephen N J Wade, Director
Asperiti Group Ltd. Registered Office: 153, Old Road, East Cowes, Isle of Wight PO32 6AX
Dated: 16th May 2018