This policy statement is made by Tekk.ai Ltd. (“Tekk.ai”) and all its wholly owned subsidiaries. This policy is issued in compliance with the UK General Data Protection Regulation (“UK GDPR”).
This document applies to our Cloud products Wealth.Assyst, 888hr.ai and TT Online (“Cloud Products”) and to our hosted product TT Payroll SafeHost (“Hosted Products”). For terms not defined herein, please refer to our “Terms of Service” and “Privacy Policy”.
We are committed to protecting customer data through layered organisational, technical, and operational controls. We process customer data solely under the instructions of the Customer and act as a Data Processor under the UK General Data Protection Regulation (UK GDPR).
We employ strict policies and procedures encompassing the security, availability, processing integrity, and confidentiality of customer data.
Each of our staff members, whether an employee or independent contractor (in this document “staff member” includes both employees and independent contractors), signs a confidentiality agreement and acceptable use policy on induction, after which they undergo training in information security, privacy, and compliance, including awareness of phishing, secure development standards, and UK GDPR Article 32 obligations. We evaluate their understanding through tests and quizzes to determine which topics need further training, and we provide additional role-specific security training where a role requires it.
We educate our staff members continually on information security, privacy, and compliance through our internal community, where staff members check in regularly and are kept up to date on the organisation's security practices. We also host internal events to raise awareness and drive innovation in security and privacy.
Our internal systems are hosted by reputable providers such as Zoho Corp and our product software services and applications are hosted on reputable cloud providers, with security controls aligned to ISO 27001 and GDPR Article 28(1). We rely on their DDoS protection, network segregation, and compliance with global certifications.
Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.
For our Cloud Products, our security framework is based on OWASP standards; OWASP-aligned practices are followed to mitigate threats such as cross-site scripting (XSS) and SQL injection (SQLi).
Customer data is stored in compliance with Article 25 (Data Protection by Design and by Default). All application changes follow change management policies.
In our Cloud Products, all customer data transmitted to our servers over public networks is protected in transit using strong encryption protocols, in line with Articles 5(1)(f) and 32 of UK GDPR.
For our Cloud Products, our encrypted connections fully support Perfect Forward Secrecy (PFS): session keys are derived from ephemeral key exchanges, so even if our server's long-term private key were compromised in the future, previously recorded communication could not be decrypted. We send the HTTP Strict Transport Security (HSTS) header on all our web responses. This tells modern browsers to connect to us only over an encrypted connection, even if you type the URL of an insecure (http://) page on our site. Additionally, on the web we set the Secure attribute on all our authentication cookies, so browsers never send them over an unencrypted connection.
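The three properties above (HSTS, Secure authentication cookies, and forward secrecy of the negotiated cipher suite) are each verifiable from the client side. The following Python script is an added example, not code from Tekk.ai's systems: it parses a captured set of HTTP response headers, reports missing or weak HSTS directives, checks the attributes of cookies named as authentication cookies, and classifies TLS cipher suite names by whether their key exchange is ephemeral. The sample headers, the list of authentication cookie names and the cipher suite names are constructed for illustration and are assumptions, not values taken from the page.

```python
"""Offline checks for HSTS, authentication-cookie attributes and TLS forward
secrecy. All sample input below is constructed for illustration."""

HSTS_MIN_MAX_AGE = 31536000  # one year; the minimum the HSTS preload list accepts

# Constructed sample response headers as (name, value) pairs; not a real capture.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember_me=xyz; Path=/; HttpOnly"),  # deliberately missing Secure
    ("Content-Type", "text/html; charset=utf-8"),
]

# Cookie names treated as authentication cookies (assumed for this example).
AUTH_COOKIE_NAMES = {"session", "remember_me"}

# TLS 1.3 suite names carry no key-exchange part because TLS 1.3 always uses an
# ephemeral (EC)DHE exchange, so every TLS 1.3 suite provides forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def _directives(header_value):
    """Split 'a=1; b; c=x' into {'a': '1', 'b': True, 'c': 'x'} (names lower-cased)."""
    out = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"') if sep else True
    return out


def check_hsts(headers):
    """Return findings for the Strict-Transport-Security header; [] means acceptable."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    d = _directives(values[0])  # browsers honour only the first occurrence
    findings = []
    max_age = d.get("max-age")
    if max_age is None or max_age is True:
        findings.append("max-age directive missing")
    elif not max_age.isdigit():
        findings.append("max-age value %r is not an integer" % max_age)
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append("max-age %d is below the recommended %d" % (int(max_age), HSTS_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def check_cookies(headers, auth_cookie_names):
    """Return {cookie name: findings} for each Set-Cookie that names an authentication cookie."""
    results = {}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name_value, _, attr_text = v.partition(";")
        name = name_value.partition("=")[0].strip()
        if name not in auth_cookie_names:
            continue
        attrs = _directives(attr_text)
        findings = []
        if "secure" not in attrs:
            findings.append("Secure attribute missing")
        if "httponly" not in attrs:
            findings.append("HttpOnly attribute missing")
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("SameSite attribute missing")
        elif str(samesite).lower() == "none" and "secure" not in attrs:
            findings.append("SameSite=None is only honoured together with Secure")
        results[name] = findings
    return results


def cipher_has_forward_secrecy(suite):
    """True if the suite uses an ephemeral key exchange (ECDHE/DHE) or is a TLS 1.3 suite."""
    s = suite.upper()
    if s in TLS13_SUITES:
        return True
    # OpenSSL names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...) both
    # expose the key exchange as the first component.
    return s.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def report(headers, cipher_suite, auth_cookie_names=AUTH_COOKIE_NAMES):
    """Aggregate the three checks into one list of problems; [] means all checks passed."""
    problems = ["HSTS: " + f for f in check_hsts(headers)]
    for name, findings in check_cookies(headers, auth_cookie_names).items():
        problems += ["cookie %s: %s" % (name, f) for f in findings]
    if not cipher_has_forward_secrecy(cipher_suite):
        problems.append("cipher %s does not provide forward secrecy" % cipher_suite)
    return problems


if __name__ == "__main__":
    for line in report(SAMPLE_HEADERS, "ECDHE-RSA-AES256-GCM-SHA384") or ["all checks passed"]:
        print(line)
```

Against the constructed sample, the script passes HSTS and the `session` cookie but flags `remember_me` for lacking `Secure` and `SameSite`. For a live check, the header list would come from an actual HTTPS response and the cipher suite name from the negotiated connection (Python's `ssl.SSLSocket.cipher()` returns it); note that HSTS only protects a browser after it has seen the header once, so a first visit typed as http:// is still exposed unless the domain is on the browser preload list.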
In our Hosted Products, we apply security hardening incrementally. Access to the server is via RDP with named, per-user licences for human users. Folders are segregated per customer, and access to them is controlled with NTFS permissions, in line with Articles 5(1)(f) and 32 of UK GDPR. Data resident on the server is encrypted using the encryption provided by the Microsoft Access database design.
In our Cloud Products, we hold the data in your account for as long as you choose to use our Cloud Products. Our data retention and deletion practices follow UK GDPR's data minimisation and storage limitation principles. After termination, data is purged or anonymised from active systems within 180 days, and from backups within a further 30 days (the backup retention period), unless retention is otherwise required by law.
Two-factor authentication provides an extra layer of security by requiring, in addition to the password, a second verification factor that the user must possess. This greatly reduces the risk of unauthorised access if a user's password is compromised.
We employ technical access controls and internal policies to prohibit staff members from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
For our Cloud Products, access to production environments is managed through a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Such access is only possible from a separate network with stricter rules and hardened devices. All operations are logged, and the logs are audited periodically.
MFA is required for all cloud administrators, and SSH access to the Cloud Products is permitted only with passphrase-protected keys. All access controls are aligned with UK GDPR Article 32(2).
In our Cloud Products, we run incremental backups of our databases every day and full backups weekly. Backup data is stored in the same data centre as the primary data and is encrypted. All backed-up data is retained for 30 days. Backup availability meets the availability and resilience requirements of Article 32(1)(c). If a customer requests data recovery within the retention period, we will restore their data and provide secure access to it; the restoration time depends on the size of the data and the complexity involved.
In our Hosted Products, we run full backups at least once a week and incremental (or full) backups every day. Backup data is stored in the same data centre as the original data and, like the original data, is encrypted at rest. A retention period of 30 days applies to all backed-up data.
From your end, we strongly recommend that you regularly keep copies of your data, where the Services make this available, by exporting it through reports, data exports and similar tools and storing it locally in your own infrastructure.
Our systems and data are hosted with reputable cloud providers, and we benefit from their disaster recovery and business continuity capabilities. We run disaster recovery and business continuity drills regularly. Our hosting partners provide geographically redundant storage in accordance with UK GDPR's availability and resilience requirements.
Our incident response process covers identification, containment, notification, and documentation. If an incident involving your data results in a personal data breach, we notify you without undue delay and in any case within 72 hours of becoming aware of it. Logs and supporting evidence are retained as required by Articles 33 and 34. We will notify you of the incidents in our environment that apply to you, along with any actions you may need to take. We track and close incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with the necessary evidence, in the form of application and audit logs, regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond with high priority to the security or privacy incidents you report to us through contact-us@tekk.ai. For general incidents, we may notify users through our WhatsApp channel, websites, blogs, forums, or social media. For incidents specific to an individual user or an organisation, we notify the concerned party by email, using the primary email address of the organisation administrator registered with us.
Where we act as data controller for personal data, we notify the Information Commissioner's Office (ICO) of a notifiable breach within 72 hours of becoming aware of it, as required by UK GDPR Article 33(1), and notify affected parties where this is required. Where we act as data processor, as we do for customer data in our Cloud and Hosted Products, we inform the affected data controllers without undue delay after becoming aware of a breach, as required by Article 33(2), so that they can meet their own notification obligations.
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors only after understanding the processes by which they deliver service to us and performing risk assessments. We maintain our security stance by establishing agreements that require vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our customers, and we monitor the effective operation of their processes and security measures through periodic reviews of their controls. We have executed Data Processing Agreements (DPAs) aligned with UK GDPR Article 28 with our sub-processors.
So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end:
We secure the infrastructure, network, and platform. Customers must enforce access controls, MFA, manage permissions, and apply security controls to exported data. See our separate Shared Responsibility Guide.
Security is a shared responsibility. We will continue evolving controls to meet GDPR and industry best practices. For more, contact us at contact-us@tekk.ai.