Shared Responsibility

For Our Cloud Products And Hosted Products

For terms not defined herein, please refer to our Terms of Service.

Security and data protection are shared responsibilities between Tekk.ai Ltd and its wholly owned subsidiaries, Assyst and TT Software (collectively the “Group”, acting as the Data Processor), and you (the Data Controller). This model reflects the principles of the UK GDPR and clarifies operational and legal accountability across each control area.

This document applies to our Cloud products Wealth.Assyst, 888hr.ai and TT Online (“Cloud Products”) and to our hosted product TT Payroll SafeHost (“Hosted Products”).

Customer’s responsibility

This section sets out your responsibilities for protecting your data in the cloud and for the security of your own devices.

Data accountability

You are responsible for:

  • The data you share and receive over the cloud. You decide with whom you share it, for how long, and by what means.
  • Ensuring the privacy of data you handle using our Services, so that you do not accidentally or deliberately make private content publicly available.
  • Maintaining the accuracy of the data that you process in your system.
  • Ensuring that your Service account is not used by you, or by others on your behalf, for spamming or illegal activities, and that our Services are used only for their intended purposes.

Passwords

You are responsible for creating a strong password and safeguarding it when you use it to log in and access the cloud.

Client and end-point security

  • A compromised endpoint (laptop, desktop or smartphone) can render every other control ineffective, because an attacker in control of the device can act as the logged-in user and read whatever that user can read.
  • You are responsible for your endpoint security and are expected to keep your operating system, browser, mobile OS and mobile applications updated to the latest version and protected against known vulnerabilities.

Shared responsibility

Controls for which responsibility is shared between you and us.

Identity and access management

For our cloud-based services we provide infrastructure for managing user accounts through:

  • User registration, de-registration options, and specifications on how to use them.
  • Role based access control (RBAC) functionality for managing access rights of your cloud users.
  • Strong authentication techniques such as multi-factor authentication.

You are responsible for:

  • Implementing strong user access management controls.
  • Configuring strong passwords based on the organization’s policy and protecting them.
  • Enforcing Multi-Factor Authentication for your organization’s users.
  • Administering user accounts and privileges—configuring user roles according to the principle of least privilege.
  • Defining the administrator(s) of the organization’s account and having a proper process for ownership transfers. Taking necessary steps to ensure that your organization does not lose control of its administrator accounts.
  • Periodically reviewing the list of users with access to data and removing access for anyone who should not have it.
  • Frequently reviewing devices linked to the organization’s user accounts and removing unused or unauthorized devices.
  • Monitoring your organization’s user accounts for malicious access or usage.
  • Notifying us of any unauthorized use of your organization’s accounts.
  • Educating your users on the importance of good password management and the risks of credential reuse, social logins and phishing attacks.

These responsibilities align with Article 32 of the UK GDPR.

Data Management

For our cloud-based services, we provide a platform for you to manage your data with:

  • Data sharing features for administrator and user-level controls.
  • Data retention and disposal: we hold the data in your account for as long as you choose to use our services. Once you terminate your user accounts, your data will be deleted from the active database within 180 days, and the deleted data will be purged from backups within three months thereafter.
  • Access limitation features that restrict our staff from accessing customer data, so that they can do so only when there is a specific, justified reason.

You are accountable for:

  • Due diligence while processing special categories of personal data (Article 9 of the UK GDPR, for example health data), by applying appropriate controls to comply with the requirements of applicable legislation.
  • Configuring proper sharing and viewing permissions.
  • Regular reviews of your account to identify any suspicious activity.
  • Maintaining up-to-date contact information with us.
  • Taking your data out of the system once you stop using our services. Otherwise, it will be subject to permanent deletion without any scope for recovery.
  • Maintaining a lawful basis for processing (Articles 6 and 9), applying data minimisation, and ensuring only authorised access through permissions and periodic audit reviews.

Sharing data with other parties

We work towards having secure integrations and extensions to our applications by:

  • Marketplace Applications: Performing functional testing, security testing, and privacy testing once an application is submitted to us. We also perform product review and content review.
  • Sub-processors: We assess sub-processors for GDPR compliance and sign data processing agreements (DPAs) with them, as required by Article 28.


We expect you to:

  • Enable or disable third-party integrations after taking into consideration the data that gets shared to third-party environments. You must review the terms and the privacy policy of the third-party service regarding the collection, use, or disclosure of data.
  • Mark your preference on whether you would like to share your details with vendors every time an extension is installed.
  • Assess the suitability of the Marketplace Apps and the reasonableness of the requested permissions prior to installation.
  • Notify us of any malicious behaviour identified in the Marketplace Apps.
  • Evaluate the privacy terms of any integration, review the behaviour of installed apps, and report misuse to us promptly.

Data subject rights

We are accountable for:

  • Offering tools to fulfil access, correction, and erasure rights under Articles 12–23.
  • Notifying you if a data subject contacts us directly, so that you can respond to the request within the required timelines.

You are obliged to:

  • Honour and handle requests from data subjects (your customers and end users) for access, rectification, erasure and restriction of processing of their personal data, and respond within the timelines the UK GDPR requires (one month under Article 12(3), extendable by up to two further months for complex or numerous requests).

Encryption and Security

Cloud Products

For our cloud-based services, we safeguard your data using encryption in transit and at rest in the following ways:

  • Data in transit: Customer data transmitted to our servers over public networks is protected using strong encryption protocols.
  • Data at rest: Personally identifiable information in the customer data is encrypted at rest.


Security in Hosted Products

In our Hosted Products we apply security hardening incrementally. Access to the server is via RDP, with a licence per named human user. Each customer's folders are segregated, and access to them is controlled through NTFS permissions, in line with Articles 5(1)(f) and 32 of the UK GDPR. Data resident on the server is encrypted as provided for by the Microsoft Access database design.

We recommend that you:

  • Ensure that appropriate encryption controls are applied whenever data from our cloud is downloaded or exported into your environment, or synced through integrations within our Services or with any third-party integration: for example, enable disk encryption on your devices and password-protect exported files.

Backups

For our Cloud Products, we maintain a backup system from which you can request data restoration, with secure access to the restored data, within the retention period.

For our Hosted Products, we run full backups at least once a week and incremental (or full) backups every day. Backup data is stored in the same data centre as the original data and is encrypted at rest in the same way. A retention time of 30 days applies to all backed-up data.


Incident management

On our side, we will:

  • Report all breach incidents that we become aware of and that affect you, together with impact details and recommended actions. For incidents specific to an individual user or organisation, we will notify the affected party through the email address(es) registered with us.
  • Track such incidents through to closure.
  • Implement controls to prevent recurrence of similar incidents.
  • Provide, on request, additional evidence relating to an incident that affects you.


We expect you to:

  • Take actions suggested by us in case of a breach.
  • Meet your own data breach disclosure and notification obligations, such as notifying the ICO (within 72 hours of becoming aware of a notifiable breach, under Article 33) and affected data subjects where required.
  • Report security and privacy incidents that you are aware of to contact-us@tekk.ai.
  • Apply encryption and password protection to any downloaded or exported data and to data passed to integrations, in line with the security principles of Article 32.

Awareness and training

We take complete responsibility for:

  • Training our staff members (“staff” here means both employees and independent contractors) to be security-conscious and to adhere to a secure development standard. Newly hired staff members take part in mandatory security and privacy training, in addition to receiving regular security awareness training via informational emails, presentations, and resources available on our intranet.
  • Training our staff members on appropriate handling of cloud service customer data.

You are responsible for training cloud users on:

  • Standards and procedures for the use of our services.
  • How the risks related to our services are managed.
  • Risks on the general system and the network environment.
  • Applicable legal and regulatory considerations.
  • Secure use of cloud services, password hygiene, phishing risks, and legal responsibilities under data protection laws.

Policy and compliance

We commit to the following:

  • We have a comprehensive risk management programme in place and implement its controls effectively.
  • We operate within the law of each jurisdiction in which we operate.
  • We provide evidence of compliance with applicable legislation and with our contractual requirements.
  • We provide compliance documentation and help customers with DPIA support where applicable.


We expect you to:

  • Evaluate the regulations and laws that apply to you, and review our compliance with the regulations and standards your business requires. You can request additional information from us to serve as evidence of our compliance.
  • Understand our policies, our policy assessment methods, and how we process data.
  • Conduct a data protection impact assessment (DPIA) where the data protection laws applicable to your organisation require one, before or while processing data.
  • Before you process any personal or special category data, assess your lawful basis. If your lawful basis is consent, ensure you obtain that consent from your customers.
  • Assess the suitability of our cloud-based services for processing under the UK GDPR, based on the information we provide, and ensure it is sufficient to meet your compliance needs.
  • Understand the risk profile and sensitivity of the data hosted in our services and apply appropriate controls.


Our responsibility

We are responsible for protecting the cloud infrastructure and related controls on which all our Services run.

Data security

  • We are responsible for the isolation of your data stored with us. Each customer’s service data is logically separated from other customers’ data by the isolation mechanisms in our application framework.
  • We are responsible for the confidentiality of your data stored with us at rest, in transmission, and during processing.
  • We are responsible for the integrity of both your data and system data such as logs and configuration data.
  • We are responsible for traceability and control of your data, such that at any given time, the physical location and processing of data can be known.

Availability

  • We are responsible for ensuring that our services are available, however we do not offer an uptime SLA.
  • As a customer, you can contact us at any time to learn the current site status and any past disruptions.

Business continuity

  • We are responsible for having a business continuity plan in place for our major operations such as support and infrastructure management.
  • We keep the application data on industry leading cloud providers.

Network controls

We are responsible for operating a secure production network. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Access to production networks is strictly controlled.


Host infrastructure and Physical security

Our applications are hosted by reputable cloud providers, and we rely on their physical security protocol and infrastructure.


Conclusion

The shared responsibility model for cloud security provides clarity on security expectations for cloud users and cloud service providers. However, an understanding of the expectation is just the first step. Users must take action on these responsibilities by creating policies and procedures for their portion of cloud security. We will continue to work hard to keep your data secure.

For any further queries on this topic, feel free to contact us at contact-us@tekk.ai.