Security and GDPR
Last updated: 2nd June 2020
Security of your data is our first priority and this page outlines some of our operating procedures and security practices.
We, our, us - Online Youth Manager Ltd - registered office 12 West Links Tollgate, Chandler's Ford, England, SO53 3TG.
You, your, user - a person logging on via the Login page.
Section - the entity that is registered with the system that members belong to (e.g. a Scout section, Guide unit, Boys' Brigade section, club, unit, etc).
Support team - our employees or contractors who have access to provide support to you.
We place strict access controls over your data and are committed to ensuring that nobody has access to your data that shouldn't.
If you contact our support team, you will grant them temporary access to your section(s) so that they can provide support to you. Members of our support team are vetted and have strict rules and controls about what they can do with their access, and their usage is monitored. They cannot access your section(s) unless you contact support.
The operation of our systems requires that some of our employees and contractors have access to the systems that store and process your data. Our employees and contractors are prohibited from using this access to view your data unless absolutely required.
Our employees undergo periodic data, security and privacy training, and they are bound by Non Disclosure Agreements.
Usage of our system by users, the support team, employees and contractors is logged. We track every login, including the time, device details, IP address and a fingerprint of the device. This data is automatically purged after a period of time.
We have a password policy requiring passwords to be at least 8 characters with two different types of characters, and that the password is not in the top 10,000 commonly used passwords. Passwords are stored using a non-reversible method.
We have a compulsory secondary layer of authentication that requires all users to enter certain characters from an answer to a security question when they logon on a new device (if they aren't using Two Factor Authentication). The available security questions are obscure and are unlikely to be known by others (e.g. "Mother's maiden name" is not an option).
If users forget their credentials, they can only reset their password after receiving an email with a time-restricted link. If they have forgotten their security answer, they can only reset their password after a text message/phone-call with a verification code.
Users can opt to use Two Factor Authentication that provides them with a code that expires in 60 seconds.
Users are automatically logged out of the system after a period of inactivity.
Users who attempt to login with invalid credentials too many times will be temporarily blocked from the system.
Users are encouraged to periodically review their access control lists to ensure fellow users have the right access.
We contract respected security firms to perform 'penetration testing' (sometimes known as 'ethical hacking') to ensure that data can only be seen be the right people.
Our data is replicated in two separate data-centres from separate providers in London to ensure that we can provide business continuity. We have off-site backups in a third location.
We do not share personal data to third-parties, with the exception of the third party processors outlined below who process data according to our contracts with them.
We are not responsible for the data that users add within the system, including its accuracy. This includes, but is not limited to, contents of external links, activities, emails, downloads and attachments.
Our mobile system stores data for offline use by users - sensitive personal data is encrypted on their device.
The system automatically removes data held on the device when the user no longer has access to the section. In the event of a device being lost, users can contact our support team to tell the device to remove its data when it is next used online.
Our data is encrypted in transit and at rest.
Database backups are encrypted individually and off-site backups have full-disk encryption too.
Our employees' computers have full-disk encryption (although your data is not stored on employees' devices).
Intrusion Detection Systems
We have systems that monitor the usage and automatically block users who appear to be malicious.
Firewalls and Software Patching
Firewalls are configured according to industry best practices and all unnecessary ports are blocked.
We perform automated network vulnerability scanning and software patching.
Database and filesystem backups are taken daily, and are stored for a week.
Weekly database backups are sent off-site and stored for six months.
Daily filesystem backups are sent off-site and stored for one week.
Data Retention and Processing Duration
We do not automatically delete personal data and will continue processing data until it is deleted. Users can delete data from with their sections according to their access rights.
We operate under the laws of England and Wales.
Third Party Processors
Users may pay for services using a credit or debit card. We use Braintree Payments to process the data - we do not store any cardholder data.
Parents are able to make payments to their sections. Payments can be handled by GoCardless, who are regulated by the Financial Conduct Authority. We do not receive bank details.
Parents are able to make payments to their sections. Payments can be handled by Stripe, who are regulated by the Financial Conduct Authority. We do not receive card details.
Amazon is used to store file uploads/images, and send emails.
Linode and Digital Ocean
Linode and Digital Ocean are our hosting providers.
TextAnywhere and Clockwork SMS
TextAnywhere and Clockwork SMS provide our SMS services.
Data Subject Rights (GDPR)
We will notify our users of any breach of data via email within 72hrs of identifying the breach.
Right to Access
Users are able to download information about members if required, and the support team can provide assistance if the downloads are not sufficient.
Right for Erasure
Users are able to delete all personal data, including from the audit trail.
Users can download personal information in a spreadsheet format. It should be noted that this requirement is only applicable if you use 'consent' for your lawful processing mechanism. 'Legitimate interests' is likely to be more appropriate and therefore consent is not required, as the data provided by parents is expected to be stored and processed for the purposes of running a Group/Unit and its associated events.
Privacy by Design
Our system is always designed with privacy as our top priority. Features are tested manually by our expert development teams, automatically as part of the development & deploy process, and through external security audits.
Data Protection Officer
Ed Jellard is the Data Protection Officer. He can be contacted via the Contact Us pages.