Understanding Data and Use
The first step to compliance is understanding the data we collect and store, and its required purpose. This data map is maintained as part of our customer and client journey reviews, as well as being considered during feature development for our software.
We make sure we only collect data that is required for us to fulfil the functions contracted to us by our clients, and ensure we have contracts or data sharing contracts in place to be able to do so. The data we collect is largely limited to non-sensitive data required for energy account management. The only exception is data we collect from consumers for the purpose of maintaining an up-to-date vulnerability register. This data is only held to ensure we can deliver any agreed priority services to vulnerable consumers.
We make sure the data we hold is up to date and accurate by initially ensuring accurate data is provided for setup, and then by having mechanisms and processes for both consumers and clients to notify us of changes to data, and to update it themselves through self-service portals.
We do not conduct any direct consumer marketing, and so don’t hold data for this purpose.
Security and Integrity
Our data policies ensure that we only hold data for 7 years, or until contractual commitments expire. Data is stored within secure UK-hosted Azure servers, with key sensitive information protected using additional ASP.NET hashing algorithms. Data in transfer is also secured using the best means for the method of transit, from SFTP/FTPS to secure APIs or TLS protection from the web application.
We maintain a robust backup policy so we can restore availability of data in a timely manner if needed, by retaining 35 days of any-point-in-time restore as well as weekly full backups.
All data we hold is protected by robust user permissions for authorisation and authentication of users and access. Audit trails and system logs are stored to record data access and changes.
For physical data such as consumer post we have processes in place for handling, recording and disposing of physical letters and data using confidential waste.
We also ensure data security by utilising robust processes for physical access to our premises, including physical security, logging of access, and T&Cs for visitors to our office.
General IT
Good security begins with physical security. Our cloud server provider, Azure, maintain state-of-the-art physical security measures at all their data centres. Closer to home, all our premises have robust physical security measures including fob and key access, security cameras, and access tracking and control for our team and visitors.
Our IT systems are further secured using Check Point Endpoint Security and Mimecast to ensure security of devices and email communications. This includes Zero Phishing on fields within web applications and websites.
We utilise robust password management systems using LastPass to securely store and manage all passwords and sensitive information. Systems and software identified as high risk have mandatory two-factor authentication in place.
Our office IT systems are scanned weekly by AppCheck to ensure good security, and change notification emails and alerts are configured for any critical systems or changes registered to network access (including unplugging or plugging in of new network sockets on our premises).
Software Measures
Our in-house built software is used to store consumer account and billing information, and is hosted on secure Azure servers with robust audit and backup policies in place.
Our software is scanned weekly by AppCheck to check for the latest known vulnerabilities. AppCheck is also built into our software deployment processes, so security scans are conducted automatically for every release.
We have notifications configured for system and server changes, as well as holding user audit logs within the system. Mabdeck-generated logs are stored for 7 years, and supplemented by 90 days of Application Insights data.
Our system uses ASP.NET Core Identity for authentication, and a custom authorisation layer to ensure users can only access data they have permission to.
We also have measures in place to secure data in transit, including TLS for secure connections from the web server, anti-forgery tokens used to prevent data being modified in transit, and ASP.NET Core validation of HTTP requests to ensure data being passed in is valid and to prevent injection attacks. Other entry points of data to the system are secured to avoid improper use, including use of secure APIs and SFTP/FTPS secure file transfer.
Effectiveness and Review
We have in place Director level responsibility for data protection and privacy through our Development and Director. This responsibility includes an at least annual review of all data processes, policies and practices, as well as ensuring our team are fully aware of their obligations and responsibilities through regular training. Our software team regularly review potential new threats and ensure our software versions are up to date to avoid exploitation.
We maintain open channels for communication that are underpinned by a no-blame culture to ensure team members feel able to report any issues, potential breaches, or flaws in our processes without hesitation and in good confidence.
We make sure we work with trusted third-party experts to ensure our systems are secure, such as Microsoft Azure, AppCheck, Check Point, JAMF and Mimecast, and invest heavily in integrating their products into our systems to ensure protection.