GForces and Compliance

Our compliance with applicable legislation.

Building trust and confidence
GForces is proud to commit to the 'Your Data Matters' campaign, in association with the Information Commissioner's Office. This banner shows that we have pledged to support our clients and the data rights of our service users.

GForces compliance function

GForces delivers class-leading automotive ecommerce solutions for global vehicle manufacturers, the world's largest dealer groups and independent retailers throughout the UK, Europe, America, APAC and MENA. Ensuring our NetDirector® software platform is compliant is critical to our future and demonstrates why we continue to be recognised by the best for being the best. We review compliance with regulatory, legislative, operational and industry best practice on an ongoing basis.

On 25 May 2018, European data protection regulation was updated for the first time in over two decades: the EU General Data Protection Regulation (GDPR) replaced the 1995 EU Data Protection Directive. The GDPR strengthens the rights individuals have over personal data relating to them. It also aims to unify data protection laws across Europe, regardless of where data is processed. And yes, it will still be enforced in the UK after Brexit, as the UK has replaced the Data Protection Act 1998 with the Data Protection Act 2018 to supplement the GDPR.

In addition to the GDPR, the Directive on security of network and information systems (NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. It was transposed into UK law in May 2018 as the Network and Information Systems Regulations 2018, in response to the numerous cyber security incidents we have seen: systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. GForces takes cyber security very seriously and continuously scans for vulnerabilities throughout the development lifecycle to ensure data is secure.

GForces is committed to compliance with laws in all the countries in which it operates. We are also committed to enabling our clients to comply with those laws through the comprehensive privacy and security protections built into our services, software, products, and technology.


What does GForces do to support you?

As a GForces client, you will typically act as the Data Controller for any personal data you provide to GForces in connection with your use of our services. As the Data Controller, you determine the purposes and means of processing personal data, while we, as the Data Processor, process that data on your behalf when you use our products and services. To ensure that the appropriate agreements are in place to continue processing data, GForces has drafted a Data Processing Addendum to the SaaS terms and conditions.

As a Data Controller, you are responsible for making sure your business, and your data processors, have the right technical and organisational measures in place, so that you can readily demonstrate that any data processing is done in compliance with the law. This is why GForces maintains and continually improves an Information Security Management System (ISMS) that is externally audited and conforms to the requirements of the international standard ISO 27001:2013. Further information about the GForces ISMS can be found below.

GForces monitors changes to legislation regarding data security and privacy and plans ahead to ensure that the NetDirector® suite of technology supports compliance with it. In preparation for the GDPR, all enquiry forms were changed so that consumers are informed about how their data is processed, with the addition of in-form and modal-window fair processing statements, opt-in marketing preferences, and the ability to capture age consent to prevent the processing of minors' data.

In addition, GForces created the data preferences centre, a one-stop shop where a data subject can exercise their rights under the GDPR: update their marketing preferences, make a subject access request, and make other specific requests about their data. Our commitment to both the GDPR and the best levels of customer service means that we will continually look to improve our GDPR offering.

To ensure security in email distribution, we have decided to migrate our email services to Amazon's Simple Email Service (SES), which supports GForces' strategy for scalability and provides a more reliable service to GForces' customers.

As part of implementing appropriate technical and organisational measures, GForces only holds data collected from online enquiries in its raw format for a period of thirty-one (31) days, after which it is anonymised using techniques that do not allow the process to be reversed. This reduces the risk to data subjects should data be compromised. GForces also supports the transfer of data to many third-party lead management and CRM systems, ensuring that data is available in the systems you want it stored in.

We are continually researching future changes in laws which have the potential to affect our clients. To support this, we make any necessary technological changes to ensure compliance.


GForces information and data security Q & A

As part of any business's due diligence process for selecting a new service provider, information security and privacy are always near the top of the list of things to check. GForces has always been transparent about its endeavours to protect the data and information gathered within its NetDirector® suite of technologies, and the questions and answers below should help start the process.

Certifications and registrations

Question: What security certifications does GForces have?
GForces response: ISO 27001:2013, certificate number 215585, which can be validated here.

Question: ICO registration?
GForces response: Registration number Z2800235, which can be validated here.

Systems and applications

Question: Where are GForces data centres?
GForces response: Data centres are located in:

  • Dublin, Ireland
  • Sydney, Australia
  • Seoul, South Korea
  • Singapore, Republic of Singapore
  • Tokyo, Japan
  • Frankfurt, Germany
  • London, United Kingdom

Which data centre is used depends on the client's primary operations location.

Question: Is the data encrypted?
GForces response: Yes, GForces encrypts all data at rest with AES-256 using the Amazon Web Services (AWS) Key Management Service (KMS). Data in transit is encrypted using Transport Layer Security (TLS) versions 1.1 and 1.2, depending on the application and the browsers supported.

Question: Will the servers in the data centre be shared with non-GForces clients?
GForces response: No, all infrastructure is dedicated.

Business continuity

Question: Does GForces have a business continuity plan (BCP) that is reviewed, tested and updated at least annually?
GForces response: Yes.

Question: How is business continuity managed in the cloud?
GForces response: GForces uses high availability zones within its infrastructure to ensure that, in the event of an incident, clients' websites can continue to be served.

Question: When was the BCP last tested?
GForces response: July 2018.

Incident management and breach notification

Question: Does GForces have a process for managing security incidents and data breaches?
GForces response: Yes, GForces has an incident management policy which details GForces' approach to the management of security and privacy incidents.

Question: How soon will GForces notify you of a data breach?
GForces response: We would notify you without delay.

Question: Has GForces identified all supervisory authorities in each country it operates in?
GForces response: Yes.

Question: Has GForces had a data breach in the last 12 months?
GForces response: No.

Access control

Question: Who at GForces has access to your data?
GForces response: GForces operates a least-privilege access policy, and only those GForces employees who need access will have it.

Question: How often is user access reviewed?
GForces response: User access is reviewed quarterly.

Question: Is user access logged?
GForces response: Yes, all user access is logged, with automated alerting when suspicious activity is identified. Logs are retained for a period of 2 years.

Question: Are logs protected from deletion or amendment?
GForces response: Yes.

Question: What user authentication is used to access cloud databases?
GForces response: With the exception of AWS, only GForces DevOps engineers have privileged access. Various authentication methods are used, including MFA and VPN.

Physical and system security

Question: Does GForces conduct penetration testing or vulnerability scanning at least annually on all networks and software applications?
GForces response: Yes, vulnerability scans are done using static analysis tools every time code is modified. Full-stack vulnerability scans are conducted annually on all software products. Pen tests are also conducted annually. We also allow clients to conduct independent pen tests and vulnerability scans.

Question: What firewalls are in place to protect data against unauthorised access?
GForces response: Web Application Firewalls (WAFs) are enabled on servers. A firewall is enabled at all GForces sites for web access.

Question: Do all hosting servers and devices used to access data have anti-virus protection?
GForces response: Yes, GForces laptops and desktops use ESET Anti-Virus. Web applications use an anti-virus agent to scan uploaded files.

Question: What physical security arrangements are in place to protect client data, including building access and physical server access?
GForces response: All data centres are owned and operated by AWS. Physical security for our servers is managed by AWS. Physical security of GForces facilities is managed by GForces and third-party security companies with 24x7 monitoring.

Application development

Question: What procedures do you have in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to deployment?
GForces response: We have a secure development policy. The development life cycle is:

1. Business Requirements
2. Data Protection Impact Assessment
3. Functional and Technical Specification
4. Development
5. First review and analysis
6. QA
7. Automated tests (functional and security)
8. UAT
9. Live

Question: Are there separate development, test, UAT and production environments?
GForces response: Yes, we have separate environments for Development, System Testing, UAT and Production. No employee has access to all of them.

Question: Is production data used in test or development environments?
GForces response: GForces has a full suite of test data used for development and testing. Production data may be used to evaluate and diagnose a defect where the defect is a result of data in the production environment.

Data retention and backup

Question: For what period is data retained?
GForces response: Data retention periods are defined in the 'Data Service Summaries' provided to all customers. Retention differs for each software product and service.

Question: For what period is data stored in backups?
GForces response: Data is backed up and stored for 14 days, after which it is permanently deleted.

Question: Where are the data backups kept?
GForces response: Backups are kept at the same data centre where the data resides, in an environment isolated from the raw data.
