Data Security Schedule
Your data security is our priority. Viewteam has been designed from the ground-up applying industry best-practice to ensure your data is kept secure. Here are the technical and organisational security measures that we use to secure Viewteam and protect your personal data.
Data location and physical security
Our data centres are located in the UK and hosted by Amazon Web Services (AWS) with their world-class physical, environmental and infrastructure controls. This means we keep our customers’ data compliant with the latest GDPR safety requirements.
Data minimisation and retention
We only collect and store the minimum information that is necessary to provide our service to you. If personal data is no longer required it is deleted either by you with regards to your users, or by us either before or when the data hits its maximum retention period.
Protecting your data
Your data is encrypted at rest using industry AES-256 encryption standards. All data moving between you and Viewteam is encrypted and sent securely. TLS 1.3 is enabled where your device is compatible. All data moving through the Viewteam service infrastructure is encrypted using appropriate encryption technology.
Internal access controls
We apply the ‘principle of least privilege’ with role-based access controls for our team to limit access to the minimum level for each role. All our team members have signed confidentiality agreements and undergo regular GDPR training. We use two-factor authentication where possible. We do not access or process customer data on a day-to-day basis. The only time we may need to access personal data is in a response to a problem with an account or to help resolve a customer support question.
Resilience and availability
We use Cloudflare to provide web application firewalls and DDOS protection to provide resilience and ongoing availability. Viewteam is geographically spread and load balanced across multiple Cloudflare CDNs. We maintain redundancy throughout our infrastructure in order to reduce the likelihood of outages and minimise the risk of low or slow availability or loss of data.
User set-up, identification and authorisation
Only you, the customer and the administrators you set up within Viewteam can invite and remove users and apply permission levels in your account. All users set their own passwords. Passwords for signing in are hashed using industry best practices. We utilise a time-based one-time password (OTP) for two factor authentication and recommend all users set this up within their Viewteam profile. You can also use Microsoft 365 Single Sign-On (SSO) to access Viewteam.
Testing, evaluating and assessing the measures
Penetration testing is carried out with industry standard tools on a periodic basis. We also run automated tests that monitor our infrastructure and use an external service to monitor availability.
Event logging
Events are recorded in log files, allowing us to review when and by whom personal data was entered, altered or deleted. Filtered access to the event log showing event actions relevant to clients is available to administrators within Viewteam.
Data source and quality
All of the data processed is provided directly by you (the data controller) or your end users (the data subjects).
Data transfers
We use sub-processors to help deliver Viewteam. Sometimes this means transferring your data to a third party, with data centres outside of the UK or EEA. Details can be found in our Privacy Notice.
Payment card details
We use Stripe (https://stripe.com/gb) to process all our payments. Stripe are a PCI Service Provider Level 1 organisation. Payment card details are sent encrypted directly to Stripe meaning we don’t need to store debit/credit card information. You can read more about security at Stripe here: https://stripe.com/docs/security
Security questions or concerns and reporting security problems
If you have any questions or need further details, or if you discover a flaw in our security, please let us know by contacting our support team.