IT and Information Security & Data Protection Practices

Last updated October 15th, 2019

The practices and processes set out in this document may be amended by Ironstone from time to time to comply with applicable laws and to reflect improvements of Ironstone procedures.

Ironstone has implemented appropriate technical and organisational measures to ensure a necessary and appropriate level of security, both for IT and information security in general and for privacy specifically. We have further implemented routines for regular review of these measures, and our operations, policies, and procedures are reviewed annually to ensure that Ironstone meets all standards expected of Cloud service providers.

Our information security program includes internal policies and procedures which govern crucial security aspects, including but not limited to:

- risk management

- remote access and network management

- physical access and security monitoring

- data classification

- data sharing and storage controls

- service provider engagement and security


In general, Ironstone follows industry best practices for the implementation of secured transmission, storage, and disposal of information and of authentication and access controls within media, applications, operating systems, and equipment.

Ironstone has also implemented proactive security procedures such as perimeter defense and intrusion prevention systems. Vulnerability assessments and penetration testing of Ironstone Services are evaluated and conducted on a regular basis.

Processing of personal data

Ironstone only processes information you agree to give us, and according to applicable laws and regulations.

Ironstone only requires the minimum amount of personal information that is necessary to fulfil the purpose of your interaction with us. We will never sell personal information to third parties.

Please refer to our Data Processor Agreement for further information on our processing of your personal data.

Investigation and Reporting of Security Incidents

Ironstone has a documented internal security incident response plan aligned with GDPR’s personal data breach notification requirements.

Due to our thorough training programs, a number of incidents or anomalies are handled by Ironstone staff according to internal procedures and guidelines, thereby giving Ironstone's security function visibility of security threats affecting the company and the company's clients. Examples of such reports are phishing, possible mishandling of credentials, and inappropriate permissions.

Information Classification and Risk-Based Controls

Ironstone has implemented a multi-tier classification scheme to protect information according to risk levels. All information that Ironstone processes on behalf of its customers is given the highest levels of protection.

Use of Microsoft products

Ironstone extensively utilizes Microsoft productivity, collaboration, and management tools, products, and software, thereby benefiting from Microsoft's extensive investment and experience in the security field. The use of Microsoft products enables Ironstone to set appropriate security controls and actions. We use the full Microsoft Security suite, such as, but not limited to, Advanced Threat Protection, Conditional Access, Cloud App Security, and multi-factor authentication. All products are configured according to Microsoft best practices or industry standards, whichever provides the highest level of security.

Logical Security

In addition to adhering to various security best practices, Ironstone requires all employees to set up multi-factor authentication on all business accounts. This includes every single system used by Ironstone. User behaviour is closely monitored, and anomalies result in immediate account lockout.

Data Encryption at rest and in transit

Customer data is encrypted at rest whenever possible.

Security Compliance by Ironstone Staff

Ironstone takes appropriate steps to ensure compliance with our security measures and standards by our employees and contractors to the extent applicable to their scope of risk and performance, including ensuring that all persons authorized to process customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

All employees receive privacy and security training during onboarding as well as on an ongoing basis. In addition, tailored business unit training and awareness sessions, for example focused on social engineering, are carried out throughout the year.

Retention and Deletion

Ironstone only retains customer personal data as long as necessary to provide services for our customers and within the limits of applicable laws. Once the purpose of retaining personal data expires, Ironstone will return the personal data to the customer or delete it, and will only retain a copy of such data if required by law, and to that extent, only the portion of personal data that is necessary.

Privacy by Design

Before launching any new product, Ironstone's privacy and product teams evaluate how the product collects, uses, and stores data. This allows the business to identify any potential privacy and data protection risks early, allowing for early resolution, saving costs in the long term, and ensuring that transparent and comprehensive information can be provided to customers.

Ongoing evaluations and improvements

Ironstone recognizes that data protection and data security are an important priority for our customers. As such, Ironstone continues to monitor legal developments and to improve its practices and processes.

Data Protection Officer

Ironstone has appointed a data protection officer (DPO) to oversee compliance with relevant data protection laws. If you have any questions about our data protection or security practices, please contact the DPO (DPO@ironstoneit.com).

We reserve the right, at our sole discretion, to update, change or replace any part of these terms by posting updates and changes to our website. Please check our website periodically for changes.