| | Data Controller : Data Processor
Agreement Plus | |
|---|
| | Whereas the Data Controller wishes to to have their Bespoke Application Service provided and the Data Processor wishes to provide that Bespoke Application Service; this is a private statement of that Agreement in compliance with UK laws including GDPR Article 26. Both parties understand that this formal agreement document may be shared with the Information Commissioners Office. |
| 2. Parties: | | Data Controller means Owner. | | Data Processor means Application Service Provider. |
| 3. Glossary of Terms: | | BAS means Bespoke Application Service as owned by the Data Controller and provided by the Data Processor. | | Owner means Data Controller who own intellectual property as the Bespoke Application Service, its business data and its associated procedures. | | ASP means Application Service Provider as the Data Processor who provides the Bespoke Application Service that is owned by the Data Controller. | | GDPR means General Data Protection Regulation as a replacement of the Data Protection Act as UK law. | | ICO means Information Commissioners Office as the UK data protection regulator. | | DPO means Data Protection Officer as part of the service provided by the Data Processor. | | DPIA means Data Protection Impact Assessment as managed as a strategic document by the Data Protection Officer provided by the Data Processor. | | ITIL means Information Technology Infrastructure Library as the international standard ISO 20001 and the organisation structure with roles provided by the Data Processor. | | HTML means Hypertext Markup Language as the programming method used to present the Bespoke Application Service to the Data Controller. | | CSS means Cascade Style Sheet as the layout style method used to present the Bespoke Application Service. |
| 4. This Agreement: | | 1. The Data Controller is of the opinion that the Data Processor has the necessary qualification, experience and abilities to operate the Bespoke Application Service for the Data Controller. | | 2. The Data Processor is agreeable to operate the Bespoke Application Service for the Data Controller on the terms and conditions set out in this Agreement. |
| 5. Bespoke Application Service: | | 1. Both parties agree that the Bespoke Application Service as defined by its specification of business requirements is owned by the Data Controller. | | 2. Both parties agree that the scope of the Bespoke Application Service is limited by the specification of business requirements provided by the Data Controller to the Data Processor. | | 3. Both parties agree that the Bespoke Application Service shall include relentless evolutionary commercial improvements to the business requirements as specified by the Data Controller to the Data Processor. | | 4. Both parties agree that the Bespoke Application Service shall include the services of a Data Protection Officer provided by the Data Processor who is responsible to the ICO for the protection of business data processed by the Bespoke Application Service. | | 5. Both parties agree that the Bespoke Application Service shall support any number of approved people working from any number of approved locations in any number of approved countries as specified by the Data Controller. | | 6. Both parties agree that the Bespoke Application Service shall support any number of approved languages, any number of approved time zones and any number of approved currencies as specified by the Data Controller. | | 7. Both parties agree that the Bespoke Application Service shall be usable from any kind of Internet connected computer as a desktop, laptop, tablet or smart phone using any modern operating system and secure browser. | | 8. Both parties agree that the Bespoke Application Service shall be available as specified in attached schedule 811 as potentially 24 hours per day, 7 days per week, 52 weeks per year without downtime for modification or patching or upgrades. | | 9. Both parties agree that the Bespoke Application Service shall be fully compliant with the General Data Protection Regulations with respect to article 32 protection by design default using pseudonymised and replicated encrypted data to ensure that business data cannot be lost or stolen. | | 10. Both parties agree that the Bespoke Application Service shall not involve any software and shall not require any application program to be installed. |
| 6. Improvements: | | 1. Both parties agree that ITIL Change Management process shall be deployed by the Data Processor for improvements specified by the Data Controller, to include:- | | (a) Change Manager to prioritise and schedule. | | (b) Project Manager to plan interactions and implications with regard scope and existing data values. | | (c) Development Manager to build applicable business rules. | | (d) Validation Manager to test effect of the improvement against a proven set of business procedures. | | (e) Deployment Manager to deploy business rules and revise existing business data as planned. | | (f) Audit Manager to review impact on the business procedures. | | 2. Both parties agree that the Data Processor shall apply technical improvements to protect against threats and attacks according to ITIL best practice. | | 3. Both parties agree that the majority of business improvements provided by the Data Controller shall be deployed within the duration specified in schedule 821 and any improvement that does not extend the scope of the Bespoke Application Service shall be deployed as specified in schedule 822. | | 4. Both parties agree that the commercially viable business improvements that extend the data stored by the Bespoke Application Service shall be deployed as specified in schedule 823. | | 5. Both parties agree that the Request Fulfilment Manager provided by the Data Processor shall manage the life cycle of every improvement request that is provided by the Data Controller. | | 6. Both parties agree that the Service Level Manager provided by the Data Processor shall manage the service level Agreement as attached as schedules 811, 821, 822 and 823. |
| 7. Data Protection: | | 1. Both parties agree that the Data Protection Officer provided by the Data Processor for the benefit of the Data Controller shall review and revise the Data Protection Impact Assessment (DPIA) every 3 to 6 months. | | 2. Both parties agree that the Data Protection Officer responsibilities are limited to the business data processed by the Bespoke Application Service and excluding any business data processed by local client computers. | | 3. Both parties agree that the Data Protection Officer is the single point of contact for the ICO in the event of a data breach within the Bespoke Application Service and excluding any external business data. | | 4. Both parties agree that an adequate authentication service shall be used by all approved people and that no back-doors shall be provided. | | 5. Both parties agree that no "super user" or "system administrator" role shall exist with the right to access readable business data. | | 6. Both parties agree that the Data Processor shall undertake continual monitoring of all transactions and consolidation of behaviour to ensure that any criminal behaviour is stopped and blacklisted to prevent it happening again. | | 7. Both parties agree that the Information Security Manager provided by the Data Processor shall continually deploy adequate security measures to minimise the strategic risks identified by the Data Protection Impact Assessment (DPIA). | | 8. Both parties agree that all personally identifiable information and associated business data shall be encrypted using many different methods to ensure that readable data cannot be stolen. | | 9. Both parties agree that encrypted data shall be replicated to many different secure data centers to ensure that data cannot be lost. |
| 8. Interface: | | 1. Both parties agree that the Bespoke Application Service involves safe and secure electronic communications that shall be used as the principal interface between the Data Controller and Data Processor. | | 2. Both parties agree that the Bespoke Application Service includes a secure shared business support facility that shall be used as the primary communications method. | | 3. Both parties agree that in the event that the business support facility cannot be used, then the secure "contact us" message facility shall be used. | | 4. Both parties agree that private, confidential or sensitive business information shall not be communicated and leaked by phone or email. | | 5. Both parties agree that phone messages and email messages containing business information shall be physically erased by the end of each day as if they did not exist. | | 6. Both parties agree that the Bespoke Application Service shall include a secure self-service support facility to reduce delays with a 24*7 service. |
| 9. Education: | | 1. Both parties agree that the provision of the Bespoke Application Service includes guides to how facilities may be used, but specifically excludes education liabilities. | | 2. Both parties agree that each party shall manage their own business work instructions, staff training, policies and procedures. | | 3. Both parties agree to the provision of training for their own people that should not impact on the education of other people. | | 4. Both parties agree that the Knowledge Manager provided by the Data Processor shall consolidate business rules, policies and procedures as advice to approved people upon request. The Knowledge Manager is not liable for people who do not have the skills or experience to use facilities of the Bespoke Application Service. | | 5. Both parties agree that induction training of their own people is managed by and is the responsibility of each party. |
| 10. Replicated Data: | | 1. Both parties agree that the Business Continuity Manager provided by the Data Processor shall replicate all encrypted business data to a number of secure data centers to ensure that business data cannot be lost or stolen. | | 2. Both parties agree that the Data Controller may take backups of their own business data from time to time, but such data could never be reused by the Bespoke Application Service. | | 3. Both parties agree that in the event of a failure of one data center, business shall continue to be provided by other secure data centers. When switching between data centers, those transactions that were active at the time of the hardware failure may need to be started again. Once data is marked as "saved" then it exists in at least two physically different data centers where it is unlikely to be lost. | | 4. Both parties agree that readable business data is not stored in any physical place and that only unintelligible encrypted data is hidden in many secure data centers. |
| 11. Approved People: | | 1. Both parties agree that the Data Controller shall specify who and when approved people may access the Bespoke Application Service. | | 2. Both parties agree that the majority of Data Processor people shall never access the Bespoke Application Service or its business data. | | 3. Both parties agree that the Second Level Support people provided by the Data Processor shall have access to the Bespoke Application Service with the same rights as any approved person so support requests can be replicated and improvements verified. All business data is encrypted so no other Data Processor people can access any readable business data. All Second Level Support people are service contract bound to retain data privacy and confidentiality of business data. | | 4. Both parties agree that the Data Controller may assign different functional roles and different data access rights to different approved people. Not everybody will have identical skills and experience, so alternative ways of working may evolve to accommodate the needs of different approved people. | | 5. Both parties agree that the Second Level Support people provided by the Data Processor shall only process business data under the written direction of a shared support request provided by the Data Controller. |
| 12. Problem Management: | | 1. Both parties agree that the Data Controller may request the Data Processor to carry out analysis and reporting of a historic incident. | | 2. Both parties agree that the Data Processor shall use ITIL problem management procedures to analyse an incident, to prevent an incident from happening again, to replace infrastructure where that is a cause and to configure the Bespoke Application Service to work as expected. | | 3. Both parties agree that the Incident Manager provided by the Data Processor shall carry out initial analysis of any reported incident. | | 4. Both parties agree that the Problem Manager provided by the Data Processor shall resolve any incident that cannot be resolved by the Incident Manager. |
| 13. Term of Agreement: | | 1. Both parties agree that the term of this Agreement shall be one calendar month. | | 2. Both parties agree that the Agreement may be terminated at any time without any liabilities. | | 3. Both parties agree that this Agreement may continue without interruption to a subsequent month where the Bespoke Application Service provided by the Data Processor is adequate for the Data Controller to pay the amount due as acknowledgement. This means: that the service is provided for a month and that months service is paid so the service can continue to the next month. | | 4. Both parties agree that where the Data Controller chooses not to make a payment for a months service then the Data Processor shall have provided that months service free of charge to be paid for by adverts, marketing and associated third party means. | | 5. Both parties agree that the Bespoke Application Service only exists for the benefit of the Data Controller and when the Data Controller does not need the Bespoke Application Service then it must be terminated and destroyed. |
| 14. Payment: | | 1. Both parties agree that the Data Controller shall pay the Data Processor the monthly subscription fee agreed in schedule 801 attached to this Agreement. | | 2. Both parties agree that the currency of this Agreement shall be UK sterling as GBP. | | 3. Both parties agree that the monthly subscription fee stated in schedule 801 is net of any taxes that may be imposed by UK Government. This means: that Value Added Tax will be charged in addition to the agreed monthly amount in schedule 801. | | 4. Both parties agree that the Data Processor shall invoice the Data Controller on the first day of the calendar month for payment by the Data Controller within that calendar month for the previous calendar months service. | | 5. Both parties agree that where payment is not made within the calendar month then this Agreement has been terminated without any liability. | | 6. Both parties agree that the monthly amount agreed and specified in schedule 801 shall be reviewed each year based on actual capacity used and revised to match the capacity to be provided for the next year. | | 7. The Data Processor is responsible for all taxes relating to the monthly payment made by the Data Controller and shall indemnify the Data Controller in respect of any such payments made by the Data Controller. | | 8. Both parties agree that no expenses, training, maintenance, new release, termination or other charges will be made with respect to this Agreement. | | 9. Both parties agree that no late payment charges will be made with respect to this Agreement because the term of the agreement is one calendar month. | | 10. Both parties agree to monitor commercially viable charges for such Bespoke Application Services with the expectation that the Data Controller will switch when the price is too high and the Data Processor will not not match service levels when the price is too low. | | 11. The financial stability of the Data Processor is maintained by the Data Controller paying the monthly fee in arrears for as long as the Data Controller wishes. The Data Processor maintains financial stability by ensuring that no Data Controller ever exceeds two percent of the total infrastructure capacity. | | 12. The financial liability to the Data Controller shall never exceed one months subscription fee. |
| 15. Secrecy: | | 1. Both parties agree to keep secret this Agreement and all benefits and obligations reflected by this Agreement, except as required by UK laws. | | 2. Both parties agree to conform with each and every aspect of the General Data Protection Regulation to keep business information secret so it can never be lost or stolen by a third party. | | 3. Both parties agree that they will not disclose, divulge, reveal, report or use for any purpose, any business information which the other party has obtained, except as authorized by the other party or as required by law. This means that business data owned by the Data Controller shall not be accessed or changed by the Data Processor without the prior written consent of the Data Controller. | | 4. Both parties agree to conform with GDPR provisions to keep secret any Personally Identifiable Information (PII) such as the names of people. Both parties agree that people shall be identified by role and job title, rather than by name to prevent the leaking of PII. | | 5. Both parties agree that Data Processor people are service contract bound not to be involved in any survey, marketing, conference or publicity regarding the Bespoke Application Service. |
| 16. Intellectual Property: | | 1. Both parties agree that the Data Controller owns the copyright and intellectual property rights to all business data, the Bespoke Application Service and all policies and procedures. | | 2. Both parties agree that the Data Processor shall use its best endeavours to defend the Data Controllers intellectual property rights and ensure access to all business data at all times. | | 3. Both parties agree that the Data Processor shall not access and not process any business data without prior written consent. | | 4. Both parties agree that the Data Controller has the right to download their own business data at any time and that the Data Processor shall provide every assistance in this endeavour. | | 5. Both parties agree that the Bespoke Application Service includes forms, pages, lists and reports presented using HTML, CSS and JavaScript source code that are owned and may be saved by the Data Controller. | | 6. Both parties understand that Personally Identifiable Information is owned by the Data Subject and not by the Data Controller. The data subject has the right to access, rectify, object and erase their Personally Identifiable Information at any time. |
| 17. Relationship: | | 1. Both parties agree that this Agreement does not create a partnership or joint venture. | | 2. Both parties agree that the Data Processor is acting as an Application Service Provider (ASP) for the Data Controller and not as an employee. | | 3. Both parties agree that a large number of people are used by the Data Processor to provide the Bespoke Application Service on behalf of the Data Controller and the Data Processor shall use alternative people from time to time. | | 4. Both parties agree that the Data Processor uses its own infrastructure to provide the Bespoke Application Service from many secure and secret data centers. | | 5. Both parties agree that there is no representation, warranty, collateral Agreement or condition affecting this Agreement except as expressly provided in this Agreement. | | 6. Both parties agree that this Agreement shall be governed by the laws of England. |
| 18. Indemnification: | | 1. Except to the extent paid in settlement from any applicable insurance policies and to the extent permitted by UK laws, both parties agree to indemnify and hold harmless the other party and its respective affiliates, officers, agents, employees and permitted successors and assigns against any and all claims, losses, damages, liabilities, penalties, punitive damages, expenses, reasonable legal fees and costs of any kind or amount whatsoever which result from or arise out of any act or omission of the indemnifying party,, it respective affiliates, officers, agents, employees and permitted successors and assigns that occurs in connection with this Agreement. | | 2. Both parties agree that this indemnification shall survive the termination of this Agreement. |
| 19. Warranty: | | 1. The processor represents and warrants that it will perform the Bespoke Application Services with reasonable care and skill. | | 2. The Bespoke Application Service provided by the Data Processor to the Data Controller under this Agreement will not infringe or violate any intellectual property rights or other right of any third party. | | 3. Subject to the Data Controllers obligation to pay the monthly subscription fee to the Data Processor, either parties liability in contract, tort or otherwise (including negligence) arising directly out of or in connection with this Agreement or the performance or observance of its obligations under this Agreement and every applicable part of it shall be limited in aggregate to the monthly subscription fee. | | 4. To the extent it is lawful to exclude the following heads of loss and subject to the Data Controllers obligation to pay the monthly subscription fee, in no event shall either party be liable for any loss of profits, goodwill, loss of business, loss of data or any other indirect or consequential loss or damage whatsoever. | | 5. Nothing in this clause will serve to limit or exclude either parties liability for death or personal injury arising from its own negligence. |
| 20. Provisions: | | 1. Both parties agree that in the event that any of the provisions of this Agreement are held to be invalid or unenforceable in whole or in part, all other provisions will nevertheless continue to be valid and enforceable with the invalid or unenforceable parts severed from the remainder of this Agreement. | | 2. The waiver by either party of a breach, default, delay or omission of any of the provisions of this Agreement by the other party shall not be construed as a waiver of any subsequent breach of the same or other provisions. | | 3. Both parties agree that headings are inserted for the convenience of both parties only and are not to be considered with interpreting this Agreement. | | 4. Both parties agree that this Agreement shall not be changed in any way, except that its attached schedule shall be reviewed and revised from time to time. |
| 21. Dated and Confirmed: | | 1. Date: ___ | | 2. Data Controller: ___ | | 3. Data Processor: ___ | | 4. This agreement is verified and confirmed by both parties each month when the Data Processor issues an invoice on the first day of the month and the Data Controller pays that invoice during that calendar month to acknowledge the provision of the Bespoke Application Service and to confirm that this agreement is to be continued for the following calendar month. |
| 22. Document Control: | | 1. Document Title: Agreement: Data Controller and Data Processor. | | 2. Reference: 161208. | | 3. Keywords: Agreement: Data Controller and Data Processor. | | 4. Description: Agreement: Data Controller and Data Processor. | | 5. Privacy: ITIL public shared with all approved people. | | 6. Issued: 11 Jun 2017. | | 7. Edition: 1.7. |
| 23. Addendum (not part of agreement) |
| 24. Schedule: | | 801 Payment: monthly subscription net amount as one twelfth of the agreed annual cost of service with an annual review based on actual capacity used. | | 811 Availability: 24 by 7 without any downtime for maintenance. | | 821 Improvement Day: majority of business improvement requests are resolved within one day. | | 822 Improvement Week: all business improvements requests that do not expand the scope of the data are resolved within one week. | | 823 Improvement Month: business improvement requests that expand the scope of business data are resolved within one month. |
| 25. Technical Cost of Service: | | 1. The technical cost of providing the Bespoke Application Service is the accumulation of many costs that include:- | | (1) Processor Capacity: the cost of processing cycles on multiple servers in many data centers. | | (2) Storage Capacity: where each month additional primary data, secondary data, archived data, evidence data and log files accumulate. | | (3) Network Capacity: where larger document file uploads can cost more than a days normal transactions. | | (2) Support Capacity: where knowledge engineers are available 24*7 driven by first and second level support teams. | | (2) Business Continuity Capacity: with a large number of replicated data centers ready and able to provide business continuity. | | (2) Availability Capacity: with built in redundancy and no single point of failure. | | (2) Privacy Capacity: where many layers of encryption with many thousands of encryption keys mst be managed with complete secrecy. | | 2. The cost of energy for cooling and for processing, the cost of fire suppression and the cost of physical security are significant. |
| 26. Business Cost of Service: | | 1. The business cost of providing the Bespoke Application Service cannot be based on technical factors, but can be based on business Key Performance Indicators (KPI) that include:- | | (1) Stored Business Data: as reported in KPI for each significant data object. Business data is stored in primary stores, secondard stores, archived stores. All business data is replicated to many data centers. | | (2) Transactions: as the number of transactions made by each approved person each working day. | | (3) Authentication: as the monitored sign-in procedure where hundreds of attacks are stopped, blocked and blacklisted every day. |
| 27. Sample alternative Agreement: | | 1. The ASP provides the Owners specified Bespoke Application Service for a month and the Owner pays for that months service. | | 2. The Owner can terminate at any time by not paying an invoice with no other liabilities. | | 3. The Owner can provide improvement requests that (when commercially viable) will be implemented as soon as is practical. Sorry a "time machine" or "transporter" may not be commercially viable - yet. | | 4. The ASP will provide the Data Protection Officer needed to manage the ICO with the Data Protection Impact Assessment documentation. | | 5. The ASP uses pseudonymised and replicated encrypted data to eliminate the threat of data being stolen or lost; and to eliminate the risk of a data breach. | | 6. The limit of all liabilities between the parties shall never exceed one months subscription fee. | | 7. The Owner will specify the annual cost of their Bespoke Application Service for each year and is will be paid monthly as one twelfth of the annual cost. The annual cost will go down when the computing capacity is reduced and will go up when the capacity is increased. | | 8. The Owner will specify their Bespoke Application Service requirements for 24*7 online support, advice and guidance. The ASP does not provide education and does not provide software. The ASP will provide the Request Fulfilment Manager to run the First and Second Level Support teams that respond to all support requests. | | 9. The Owner will specify their Bespoke Application Service access roles, locations, countries, time zones and languages for their approved people. | | 10. The Owner will specify their Bespoke Application Service availability and business continuity requirement where it is not 24*7. | | 11. The ASP will provide the Compliance Manager to ensure that the Bespoke Application Service complies with all laws, regulations and best practice. | | 12. The Owner may switch from a service paid by subscription to a free of charge service at any time. The free of charge service model has its own unique terms of use. |
| 28. Services provided by Data Processor as Application Service Provider: | | 1. Chairman of the Board. | | 1.1 Portfolio Director. | | 1.2 Demand Director. | | 1.3 Finance Director. | | 1.4 Supplier Director. | | 1.5 Personnel Director. | | 1.6 Architect Director. | | 2. Design Division: | | 2.1 Service Catalogue Manager. | | 2.2 Service Level Manager. | | 2.3 Risk Manager. | | 2.4 Capacity Manager. | | 2.5 Availability Manager. | | 2.6 Business Continuity Manager. | | 2.7 Information Security Manager. | | 2.8 Compliance Manager. | | 3. Transition Division: | | 3.1 Change Manager. | | 3.2 Project Manager. | | 3.3 Development Manager. | | 3.4 Deployment Manager. | | 3.5 Validation Manager. | | 3.6 Configuration Manager. | | 3.7 Knowledge Manager. | | 4. Operations Division: | | 4.1 Support Manager. | | 4.2 Incident Manager. | | 4.3 Request Fulfilment Manager. | | 4.4 Access Manager. | | 4.5 Problem Manager. | | 4.6 Operations Manager. | | 4.7 Facility Manager. | | 5. Improvement Division: | | 5.1 Service Evaluation Manager. | | 5.2 Process Audit Manager. | | 5.3 Improvement Manager. | | 5.4 Continual Improvements. | | Please see ISO 20001 ITIL for detailed responsibilities for each role. It is necessary to have all the above qualifications, skills and experience available to build, operate and improve Bespoke Application Services that are compliant with UK laws, regulations and best practice. The Request Fulfilment Manager provides the First Level Support and Second Level Support teams working 24*7 where only the Second Level Support team have normal sign-in access to the Bespoke Application Service and its business data. No other role has access to any readable business data. |
| Mission: | | 1. The owner wants to use their own bespoke application service and they want their own bespoke application service to continually evolve at the same rate as their business requirements. | | 2. The ASP wants to provide and operate the owners bespoke application service with continual improvements as specified by the owner. |
| Brokerage Service: | | 1. The owner wants the very best brokerage service in the UK, but the owner is obliged to use the best brokerage service that the owner can specify and use. | | 2. The ASP wants to provide and operate the very best brokerage service in the UK, but is obliged to provide the brokerage service specified by the owner and used by the owner. | | 3. The scope and productivity of the owners bespoke application service is limited to what the owner can specify and use. | | 4. Many tasks manually undertaken by the owner are never properly documented, cannot be automated and limit the scale of the business. |
| One Customer Focus: | | 1. Your ASP has a one customer focus so the customer is treated as if they were the only customer in the world and the ASP has focus to help that customer in every possible way. | | 2. Your ASP recommends that the Owner adopts a one customer focus as an open and transparent community of partners. | | 3. The threat of disclosing the business of one customer to another customer has been eliminated. | | 4. The threat of every disclosing the existence of one customer to another customer has been eliminated. | | 5. The indignity of every asking an existing customer to act as reference for another customer has been eliminated. | | 6. The indignity of asking a customer for referrals for other customers has been eliminated. | | 7. The disclosure of a list of past or current customers has been eliminated. |
| Delegation: | | 1. The ASP has learnt to delegate all tasks to Eliza and has taught Eliza to continually provide the bespoke application service without every stopping. | | 2. Eliza operates on rack of servers in a large number of secure data centers so Eliza can continue to provide the bespoke application service when any data center is not available. | | 3. Eliza is continually being taught new encryption methods that are layered on top of one another so in the event that one encryption method is broken, other layers of encryption continue to keep data private, safe and secure. | | 4. Business data is continually replicated between a large number of secure data centers so data cannot be lost because a large number of copies exist at any point in time. | | 5. The threat of recovery failing due to poor backup strategies has been eliminated because backups are obsolete. |
| Continual Improvement: | | 1. The threat of Eliza becoming obsolete has been eliminated. | | 2. Eliza is continually improved with business change requests so the owners bespoke application service stays relevant to the owners business. | | 3. Eliza is continually being taught compliance with technology best practice and international standards to stay one step ahead of criminal agencies. | | 4. Hundreds of attacks have been identified and stopped every hour of every day of every year for the past twenty years - not a single vulnerability has been detected. | | 5. The nature of Eliza being driven by business rules is years ahead of software vendor products that have new vulnerabilities discovered every month. |
| Data Protection: | | 1. The threat of a data breach has been eliminated. The threat of a data protection compliance issue has been eliminated. | | 2. A qualified, skilled and experianced Data Protection Officer is provided as part of the bespoke application service. | | 3. Data protection requirements have been learned, qualifications gained and procedures expanded to comply with each and every clause of GDPR. | | 4. Eliza has been taught pseudonymisation and protection-by-design as recommended by the Information Commissioners Office (ICO). | | 5. Data Protection Impact Analysis (DPIA) documentation has been prepared and verified for compliance with ICO reporting requirements. | | 6. Annual DPIA reviews have been scheduled with penetration tests by external specialists scheduled for every 6 months. |
| Environmental Management: | | 1. ISO 14001 Environmental Management Standard has been deployed with an energy and environmental management service to cut the cost of doing business. | | 2. Data centers have traditionally had a very high environmental impact and high energy cost, so whatever can be done to mitigate these impacts will be done. | | 3. Every rack of servers in each data center is powered by a set of batteries that are charged by solar and cheap overnight electricity. | | 4. Servers have been upgraded to have variable power requirements so as the transaction load reduces, power consumption reduces. | | 5. Servers are lightly loaded so complex air conditioning can be replaced with fresh air circulation. | | 6. A large number of lightly loaded servers has proved to be better for the environment that a few powerful servers that take a lot of chilled air to keep them cool. |
|
|