Orovia Group Limited
Date: May 2021
This document sets out frequently asked questions about the policies, procedures and governance measures that Orovia Group Limited (“Orovia”) has in place to ensure best practice in data protection. It is designed to support Orovia’s compliance strategy in respect of the retained EU law version of the General Data Protection Regulation, as it forms part of the law of England and Wales (“GDPR”).
Frequently Asked Questions
- Overview of Orovia’s Processing Activities
- Does Orovia process any customer personal data in the performance of its services?
Yes, in order to perform services for a customer, Orovia will need to process personal data supplied by the customer. Orovia will act as a data processor on behalf of the customer, who is the data controller. Orovia will only process personal data in accordance with the written instructions of the customer as set out in Orovia’s contract with the customer (or as otherwise agreed in writing).
The personal data supplied by the customer may include, without limitation: names of individuals, account information, payroll numbers, salary details, contract titles and continuous service dates. The personal data supplied will not typically include any special category personal data, although it is possible for the customer to add special category personal data in certain fields.
- Who is responsible for data protection at Orovia?
Steve Cowley (email@example.com) is Orovia’s data compliance officer. The data compliance officer can also be contacted by phone on 01138800995.
- Where does Orovia hold customer personal data?
Orovia’s software is hosted by UKFast, a UK data centre provider, at its data centre in Manchester, England.
- Who has access to customer personal data?
Orovia’s support team has access to customer personal data. Orovia restricts access to customer personal data to only those employees who require access to perform their job function in the delivery of the service to the customer.
- Does Orovia use sub-contractors to help in the delivery of its service?
Orovia obtains support services from outside the European Economic Area through Orovia Software Private Limited (“OSPL”), which operates in India. Orovia has a GDPR-compliant data processing agreement in place with OSPL and has ensured that adequate safeguards protect the personal data transferred to OSPL by adopting the standard contractual clauses approved by the European Commission. No physical transfer of customer personal data takes place during the provision of these support services: OSPL staff in India are granted controlled remote access only for the limited purpose of providing support where Orovia is unable to provide it itself.
- Where does Orovia perform its services from?
Orovia performs its services from its offices located at Gibson Lane, Melton, North Ferriby, East Riding of Yorkshire, England, HU14 3HH.
- Compliance with GDPR
- What steps have been taken by Orovia to convey an awareness of GDPR to staff?
At a senior level, Orovia’s company directors consulted Orovia’s solicitors to ensure that appropriate steps were taken to update Orovia’s policies and procedures in accordance with GDPR. Staff are updated on a regular basis and appropriate data protection training is provided at all levels. All staff undertake a data protection training course and must complete it and obtain a CPD-certified certificate in data protection before they are permitted to process personal data.
- Are Orovia’s contracts compliant with GDPR? If not, what steps have been taken by Orovia to update Orovia’s contracts to comply with GDPR?
Orovia has updated its contracts to comply with GDPR.
Orovia is in the process of varying any existing contracts which are not compliant with GDPR to ensure that they are compliant.
- What steps have been taken by Orovia to update its policies pursuant to GDPR?
Orovia obtained legal advice and updated its data protection policy and other associated policies in line with GDPR. The updated policies were circulated to staff and appropriate training was provided in respect of the policies before GDPR took effect.
- On termination of the contract, or on completion of the relevant processing, how does Orovia intend to delete the relevant customer personal data or return it to the customer?
On termination of the contract, or on completion of the relevant processing, Orovia will, unless otherwise agreed, securely delete the customer personal data from its systems. If the customer requires its data to be returned, Orovia can export the data in a range of formats. The manner in which the data is returned will be agreed with the customer on termination of the contract or on completion of the relevant processing.
- Is any customer personal data transferred outside the European Economic Area and, if so, what steps are taken to ensure the personal data is adequately protected?
Save for the support services provided from India by Orovia Software Private Limited, as described above under sub-contractors, customer personal data is not transferred outside the EEA. For that transfer, Orovia has put in place the standard contractual clauses approved by the European Commission as the safeguard protecting the personal data.
- Does Orovia share customer personal data with any third parties and, if so, what agreements are in place?
Orovia’s software is hosted by UKFast, and support services are provided by Orovia Software Private Limited; GDPR-compliant agreements are in place with both organisations. Save as set out above, customer personal data is not, and will not be, shared with any other third party without the customer’s prior written consent.
- Security Measures
- What security protocols are in place to protect customer personal data?
Customer data is stored in a Microsoft SQL Server database hosted at UKFast and protected by standard database security controls. The database connection string, including the credentials it contains, is stored by the application in encrypted form so that it is not readable by system administrators. Under UKFast’s policy, the platform and all data are protected by firewall infrastructure.
All customer connections to Orovia’s software are made over HTTPS, so traffic between the customer and the platform is encrypted in transit using TLS.
All data transferred between data centres is encrypted in transit.
- What accreditations and certificates does Orovia hold in relation to its ICT system?
UKFast’s infrastructure is protected in accordance with the ISO 27000 family of standards. Orovia applies a rigorous security patching policy to its servers. Orovia has undertaken the CREST Certified Infrastructure Tester examination and is a Cyber Essentials certified company. Orovia regularly has its software and network infrastructure penetration tested.
- What procedures are in place to govern the use of Orovia’s ICT system?
Orovia has secure operating procedures in place to control the use of Orovia’s ICT systems (which includes home and mobile working). These are in line with the requirements for Cyber Essentials certification.
- What controls are in place to ensure that information is only available to users of Orovia’s software who require and are granted access?
Access to Orovia’s software requires authentication with a unique username and password. A configurable second authentication step requires each user to enter a unique PIN, in addition to their password, in order to access their account. If required by the customer, Orovia can also enable ADFS (Active Directory Federation Services), so that users are identified by their existing corporate directory account.
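As an added illustration, and not Orovia’s code nor a description of how Orovia’s software implements this, the following Python sketch shows the shape of the two-step login described above: a salted, iterated password check followed by a single-use, time-limited PIN that is sent out of band. The in-memory user store, the `deliver` callback, the 6-digit PIN, the 5-minute lifetime and the three-attempt limit are all assumptions made for the example.

```python
# Added example of a two-step login (password, then one-time PIN).
# Not Orovia's code. Assumes a hypothetical in-memory user store and a
# caller-supplied `deliver(username, pin)` callback that sends the PIN
# out of band (e.g. e-mail or SMS).
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed)
PIN_TTL_SECONDS = 300         # one-time PIN lifetime (assumed)
MAX_PIN_ATTEMPTS = 3          # wrong guesses allowed before the PIN is discarded (assumed)
_DUMMY_SALT = bytes(16)       # used to equalise timing for unknown usernames


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class TwoStepAuth:
    """Username/password first, then (if enabled for the user) a one-time PIN."""

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # sends the PIN to the user out of band
        self._clock = clock       # injectable so expiry can be tested
        self._users = {}          # username -> (salt, digest, pin_required)
        self._pending = {}        # username -> {"pin", "expires_at", "attempts"}

    def register(self, username: str, password: str, pin_required: bool = True) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt), pin_required)

    def verify_password(self, username: str, password: str) -> str:
        """Step 1. Returns 'authenticated', 'pin_required' or 'denied'."""
        record = self._users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)  # same cost whether or not the user exists
            return "denied"
        salt, digest, pin_required = record
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return "denied"
        if not pin_required:
            return "authenticated"
        pin = f"{secrets.randbelow(10**6):06d}"  # 6-digit PIN from a CSPRNG
        self._pending[username] = {
            "pin": pin, "expires_at": self._clock() + PIN_TTL_SECONDS, "attempts": 0}
        self._deliver(username, pin)
        return "pin_required"

    def verify_pin(self, username: str, pin: str) -> bool:
        """Step 2. The PIN is single-use, expires, and tolerates only a few wrong guesses."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() > pending["expires_at"]:
            del self._pending[username]
            return False
        if hmac.compare_digest(pending["pin"].encode(), pin.encode()):
            del self._pending[username]   # single use: a replayed PIN is refused
            return True
        pending["attempts"] += 1
        if pending["attempts"] >= MAX_PIN_ATTEMPTS:
            del self._pending[username]   # too many guesses: force step 1 again
        return False


def demo() -> dict:
    """Runs the flow against constructed users and returns each outcome."""
    sent = {}
    now = [1_000_000.0]

    def deliver(username, pin):   # stands in for e-mail/SMS delivery
        sent[username] = pin

    auth = TwoStepAuth(deliver=deliver, clock=lambda: now[0])
    auth.register("alice", "correct horse battery staple", pin_required=True)
    auth.register("bob", "hunter2", pin_required=False)
    out = {}
    out["wrong_password"] = auth.verify_password("alice", "nope")
    out["unknown_user"] = auth.verify_password("carol", "whatever")
    out["bob_no_pin"] = auth.verify_password("bob", "hunter2")
    out["alice_step1"] = auth.verify_password("alice", "correct horse battery staple")
    out["wrong_pin"] = auth.verify_pin("alice", "xxxxxx")      # can never match a digit PIN
    out["right_pin"] = auth.verify_pin("alice", sent["alice"])
    out["replayed_pin"] = auth.verify_pin("alice", sent["alice"])
    auth.verify_password("alice", "correct horse battery staple")
    now[0] += PIN_TTL_SECONDS + 1                               # let the PIN expire
    out["expired_pin"] = auth.verify_pin("alice", sent["alice"])
    auth.verify_password("alice", "correct horse battery staple")
    for _ in range(MAX_PIN_ATTEMPTS):
        auth.verify_pin("alice", "xxxxxx")
    out["after_lockout"] = auth.verify_pin("alice", sent["alice"])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The points a practitioner would check in any such implementation are visible in `demo()`: a wrong password and an unknown username are indistinguishable to the caller, the PIN is generated from a CSPRNG and compared in constant time, and it cannot be replayed, used after expiry, or brute-forced beyond a handful of attempts.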
- How and where is information backed up?
Data is backed up off-server every 24 hours. A second-level backup, taken twice daily, can be used in the event of a significant failure. All hard drives are mirrored. Orovia takes daily on-site backups and weekly off-site backups. Daily backups can be restored within 6 hours and weekly backups within 8 hours.
All planned outages and maintenance tasks are carried out between 23:00 and 06:00 hrs. This is to ensure that there is no downtime for customers during normal office hours. Information relating to any planned outages is provided to customers in advance.
- Has the security of Orovia’s ICT systems been evaluated through appropriate testing?
Orovia’s ICT systems are regularly monitored and tested by third parties, both externally and internally, to ensure that they are appropriately secure and up to date. These audits are performed in accordance with the internationally recognised ISO 27001 standard, and the audit trails are available to administrators. See also the answer above on accreditations and certificates.
- What mechanisms are in place to ensure Orovia’s employees receive appropriate data protection training upon appointment, and regular updates to policies and procedures, as relevant for their job function?
Organisational and individual responsibilities for data protection are set out in the individual’s employment contract and in Orovia’s policies, which are in the process of being updated in line with GDPR. All employees receive appropriate data protection training relevant to their job role. See the answer above on staff awareness of GDPR.
- Responding to an Incident
- Does Orovia have policies in place which set out how information security incidents, and breaches to the confidentiality of personal data, should be managed and who it should be escalated to?
Orovia has in place a business continuity plan, which includes disaster recovery (available on request), and an escalation procedure of which all staff are made aware. Staff receive training on how to recognise and respond to an information security incident.
- In the event of a personal data breach, what action would Orovia take?
If Orovia becomes aware of a breach affecting customer personal data, Orovia would notify the customer without undue delay and would take reasonable steps to assist the customer. Orovia would document the breach and any action taken in relation to it.