As well as TaxCalc’s general preparations for GDPR as a data controller and data processor (detailed here: TaxCalc's approach to GDPR), the CloudConnect product has specific additional details. Our cloud service is a core processing focus and we operate it on a data processor basis. CloudConnect is continually under review and regular updates are performed to ensure it complies with regulatory changes such as GDPR.
CloudConnect databases are stored with Mythic Beasts LTD in the UK. Each server has disk encryption to provide Security-At-Rest and Security-In-Transit. Our emergency disaster recovery methodology uses a similar process.
We have privacy and non-disclosure contracts in place with our providers to ensure security of the data held in our databases. Effectively this means that our providers can and will do no more than host devices and reboot the systems in the event of an outage.
Any successful access to any server is via explicit firewall permissions and multi-factor authentication (MFA) tooling. These technical methods are coupled with extensive data protection policies in our employment contracts to ensure that staff do not access data held within customer databases without your explicit documented instruction.
Each database we hold for you is protected with unique usernames and passwords to prevent intra-server breaches. They are ‘ring-fenced’ as individual databases (rather than using one big database).
We frequently remove database backups from our servers; backups are retained as per our Backups Attachment to the Cloud Service Agreement.
Monitoring, Testing and Remediation
Our 24/7 in-house monitoring and alerts system, which includes issue detection (including breach/intrusion), is handled by our Cloud team.
The automated monitoring system has hundreds of sensors implanted throughout our Cloud infrastructure. These alert us if there are any detectable problems. The quantum of ‘detectable’ is of course a moving target. New threats emerge constantly, the environment of the internet changes and, as with any software provider, we occasionally incur bugs as we develop the service, which we aim to fix as soon as possible.
We have a whole team dedicated to maintaining and developing the CloudConnect service. Ongoing activities include:
Cloud Server Supplier Confidence
Our data servers are operated by Mythic Beasts (main servers) and Bytemark. As mentioned above, when deciding to use suppliers we have privacy and non-disclosure contracts in place to ensure security of the data held on the databases. We also engaged in a lengthy due diligence process – in selecting Mythic Beasts, for example, we ensured that there would be no US data authority entanglements.