Question
Answer
Relevant GDPR Article
Please provide details of your Supervisory Authority


ICO

How do you monitor on-going compliance of their processes with Data Privacy legislation, regulation and policy?


Data Protection Officer performs these tasks

Do you use third parties to process our company data (including Cloud, downstream providers, etc.)? Provide details of how you will ensure your third-party compliance with Data Privacy legislation, regulation, policy and our company Data Privacy requirements.


AWS hosted servers

Do you comply with any accepted industry security standards and risk management methodologies?

ISO 27001 and ISO 9001, both externally audited on an annual basis.

Do you allow customers to view your third-party security audit or certification reports?

Certificates are available if required.

Provide details of who is accountable for Data Privacy and responsible for compliance for our company data?

Purple support and security teams are responsible for this with support and oversight provided by Data Protection Officer.

Do you hold any certifications to demonstrate adequate Data Protection control?

ISO 27001 and 9001

If personal data is being transferred outside the EEA under this process, how will you ensure you are compliant with Data Privacy legislation, regulation and policy?

Purple do not transfer personal data outside the EU.

How will you provide adequate responses to privacy requests? (information access, portability, erasure, amendment, processing, objections, automated decisioning, complaints)

Provided through data subject portal allowing individuals to view all data held on them by Purple.  Changes and deletion can be requested through this portal.

Is there a process in place for the correction of data? (For example, a subject has been marked as male when in fact they are female and wants to correct that.)

End users can view all their details through the portal and request changes.  They will be able to change the data themselves in the next release of the platform.

What processes and SLAs will you use to ensure timely reporting of any suspected breaches or incidents?

In progress and in plan to be completed during Q1 2018.

Do you have a documented security incident response plan?

Yes, this is based on ISO Standards

We are working on Privacy Impact Assessments right now; the guidelines of the new law say that we need to execute such a PIA for the data processing of Purple Wi-Fi (due to Wi-Fi tracking).

Data Protection Impact Assessments (DPIAs) only have to be completed for any new systems post 25th May 2018; there is no requirement to perform these for existing systems.

Please provide an outline of the data that will be captured and the method of capturing.  This should include grouping of data types e.g. personal (PI), operational etc.

Purple captures some PII data from WiFi login (either via user-input web form or from social media network after user permission is granted), typically: name, date of birth, email, MAC address, and potentially a user's Facebook likes. This is configurable by the customer; the only compulsory PII captured is email address, and the customer can add completely custom form inputs. In addition to this, Purple can also capture location data (MAC address and signal strength and/or approximated x/y coordinate), network/device data (IP addresses, connection times, data usage) and operational data (session state, etc). No financial data is collected or stored.

Please outline your data retention policies including any legal/compliance requirements.  This should include data deletion as well as data anonymisation.

PII data is automatically removed after 13 months of inactivity, or on request. When anonymising, any data that can be used to identify an individual is removed, but session/network/demographic (age, gender) data is kept indefinitely.

What are the Supplier's Data Privacy Strategy, Framework, Policy, Standards and procedures?

ISO 27001, ISO 9001.  Delivering final stages of project to ensure full GDPR compliance before 25th May 2018.

What Data Protection training and awareness is provided to leadership and colleagues?

Provided by DPO on an ongoing basis

Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted?

Yes, all providers are vetted against the requirements of EU data protection laws.

Does legal counsel review all third-party agreements?

Yes, all new agreements are reviewed by commercial legal and technical support teams.

Are all employees, contractors and third parties involved with the system subject to background screening e.g. vetted by a governing body?

Where required.

Is there an audit trail that can identify who and what personal data has been accessed?

There's a full audit trail of data access (and all portal usage) by user login, IP and datetime.

Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer information?

Part of standard employment terms.

Do you specifically train your employees regarding their specific role and the information security controls they must fulfil?

Every employee has access to online training regarding their role as well as the information security controls.

Do you have a robust starters, movers and leavers process in place to manage user access to systems, applications and data?  Please provide details.

Detailed in HR processes and as part of ISO standards

Has all sensitive data been identified in the system?

Sensitive data is not collected.

Can you provide the physical location/geography of storage of a customer's data?  (EU and EEA boundaries)

AWS Dublin data centre.

Can you ensure that data does not migrate beyond a defined geographical residency?  (EU and EEA boundaries)

Standard within GDPR compliant AWS hosting.

Is customer data available on request in an industry-standard format?

All customer data can be downloaded in industry standard formats.

Do you document how you grant and approve access to customer data?

Yes, based on ISO Standards

Does the system allow user access control policies to be defined?

Yes, based on ISO Standards

Do you restrict, log and monitor access to your information security management systems?

Yes, based on ISO Standards

Do you have the capability to recover data for a specific customer in the event of failure or data loss?  Please provide DR/BCP details.
Data will be securely stored in Dublin. Purple's infrastructure covers several zones in AWS Dublin so we'd be covered against a particular zone/data centre becoming unavailable. Amazon Web Services have additional EMEA hosting centres in London and Frankfurt, which would be our default option in the event of a Dublin failure.

Please confirm that any data that is handled by you is handled in compliance with information security policies?

All data handled by Purple conforms to our information security policies under ISO 27001 and ISO 9001.

Do you log and monitor systems and data flows, including any documents flowing through the systems? Please provide details of tooling.

All data activity is logged by the Purple application.

Do you provide customers with documentation describing your Information Security Management System (ISMS)?

These can be supplied if required

Do you have a documented, organisation-wide program in place to manage risk?  Please provide details.

Covered as part of ISO 27001 and ISO 9001.

Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?  Please provide details.

All security policies and processes are monitored by Purple's security team.

Do you provide customers with geographically resilient hosting options? Provide details

Purple operate within Amazon Web Services, which is located in Ireland. Additional data centres are in Singapore and California.

Do you provide customers with infrastructure service failover capability to other providers? Provide details

Purple operate across multiple zones with AWS to ensure resolute failover contingency. London, Paris and Frankfurt cover European failover zones.

Do you collect capacity and use data for all relevant components of your service offering?

All data is anonymised and used for service analysis and planning

Do you ensure that security threat detection systems are updated across all infrastructure components within industry accepted time frames?

Standard ISO policy and covered via AWS services

Do you conduct vulnerability scans regularly as prescribed by industry best practices?

Performed by external agency

Do you have a capability to patch vulnerabilities in a timely manner?

Standard ISO policy and covered via AWS services

Do you have controls in place to restrict and monitor the installation of unauthorised software onto your systems?

Only authorised Purple staff are allowed to install new software onto servers.

Do you logically and physically segregate production and non-production environments?


Part of change control processes under ISO 27001

Do you have the ability to logically segment and encrypt customers' data?

All data kept by Purple is encrypted at the file system level.

Do you provide customers with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?

Supplied as part of standard documentation

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?

Part of ISO standard processes and associated documentation; Purple also offers 24/7 support.

Are policies and procedures established for classifying, labelling, handling and the security of data and objects that contain data?



Do you provide open encryption methodologies (3DES, AES, etc.) to customers in order for them to protect their data if it is required to move through public networks (e.g. the Internet)?

Yes. All network traffic between Purple, AWS and the client uses the latest encryption standards.

Are physical security measures at datacentres implemented and monitored?  Please provide details.

Part of AWS security.  Further details can be provided if required.

Can you provide customers with evidence documenting your policies and procedures governing asset management and repurposing of equipment?

Part of ISO documentation.

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents?

AWS services include these as standard

Are changes made to virtual machines or moving of an image and subsequent validation of the image's integrity immediately notified to customers?



Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

AWS standards

Are the security vulnerability assessment tools or services in use appropriate for a virtualised environment?

AWS standards

Are data input and output integrity routines implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Input Validation is implemented across the application.

Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

AWS provides best practices; see the AWS Security Whitepaper (PDF).



Do you publish a list of all APIs available in the service and indicate which are standard and which are customised?

API Documentation

Are systems in place to monitor for security and privacy breaches and notify customers if a security or privacy event may have impacted their data?

In progress and in plan to be completed during Q1 2018.

Describe ways that the data can be entered, extracted and accessed to/from the system.  This should include any formats including APIs/CSVs.

Data entry is user input through WiFi access, via network stats, or from customer's vendor location engines (depending on the vendor). Data can be viewed via the analytics portal where it can also be downloaded in CSV format, or can be extracted via API.

Describe the reporting and analytical capabilities of the system including any out of the box capability and any configurability.

See training manual.

Describe which reference data/master data is held within the system.  Please provide a data definition dictionary including any front end configurable field definitions.

No customer-facing data dictionary available.

What mechanisms are there for the system to provide real-time data?


In-Memory database engines to provide the fastest response possible.

Describe what methods you have to ensure data integrity and error handling


Data Encryption, User Access Control Lists, Form Validation, Daily Snapshots and Backups in different Regions

What is the Supplier's Data Privacy Risk Appetite?

Low