OUR SECURITY POLICY & GDPR

We take the security of your online expense management system seriously:

Web Expenses, Hosted Expenses, Online Expenses, Cloud Computing, Software as a Service and Software on Demand are all names for the same concept: secure access to your Expense On Demand (EOD) system from any computer, anywhere, at any time, through a web browser over the Internet.

The servers are hosted in the UK by one of the world’s leading infrastructure organizations. No client software is required on the user’s desktop or network, which means that new users can be activated quickly and easily.

Keeping your data safe:

  1. You own your data in your EOD system. If you no longer want to use EOD, you can export all of your data to text files or spreadsheets and import it into another system.
  2. Your data is safe with EOD: data cannot be queried or exported without valid credentials, which makes it more tightly controlled than many in-house applications.
  3. From the moment you sign up for your EOD subscription, all traffic is protected by TLS using 256-bit AES cipher suites, so your data travels the Internet fully encrypted.

Our security:

  1. We take security very seriously. As a company registered under the Companies Act, 2013 we strictly follow the Information Technology Act, 2000, as amended in 2008 and from time to time.
  2. We regularly audit our EOD facilities and services in line with best practice. Once a quarter we perform penetration tests and vulnerability assessments, not only of the application but also of the networks and infrastructure.
  3. The application can only be accessed over TLS with 256-bit AES encryption.
  4. Access to your subscription is protected by a password for each user.
  5. Access to the database goes through a single data-access class that handles all interaction with SQL Server. Each client’s data is kept in a separate SQL Server database; in Microsoft’s multi-tenant data architecture guidance this is the isolated (separate-database) model. An overview can be found at http://msdn.microsoft.com/en-us/library/aa479086.aspx.
  6. Within each client database, data is accessed only through stored procedures, which keeps data access for each client isolated. When data is added through the EOD web application, sensitive fields are encrypted at the data layer with SQL Server functions and a client-specific key before they are written, so sensitive data is encrypted at field level at rest; only the fields a request actually needs are decrypted when accessed through the web application. On top of this, EOD uses SQL Server 20xx Transparent Data Encryption (TDE), which encrypts all database files (data and logs) as they are written to disk. TDE is a common choice for bulk encryption to meet regulatory requirements or corporate data security standards. Together the two mechanisms give EOD two layers: encryption of the database files on disk, and field-level encryption inside the database under a separate, client-specific key. TDE protects the files and backups on disk; it does not prevent reading by an account that already has access to the database, which is what the field-level layer and the stored-procedure-only access model address.
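The two-layer model described in items 5 and 6 (one database per client, stored-procedure-only access, field-level encryption under a tenant key, TDE underneath) can be set up in T-SQL as follows. This is an added example written for this page, not EOD’s own schema or code: the database, certificate, key, table, procedure and user names are assumed, and the card number column and the sample claim are constructed for illustration. The procedures use EXECUTE AS OWNER so that the key can be opened inside the procedure while the application account itself holds no rights on the table, the key or the certificate.

```sql
-- Server level: a certificate in master protects each tenant database's TDE key.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong server master-key password>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE protector';  -- assumed name
GO
-- One database per client: the isolated model. "Tenant_Acme" is an assumed name.
CREATE DATABASE Tenant_Acme;
GO
USE Tenant_Acme;
GO
-- Layer 1: TDE encrypts the data and log files (and backups) as they hit disk.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
ALTER DATABASE Tenant_Acme SET ENCRYPTION ON;
GO
-- Layer 2: a tenant-specific symmetric key for field-level encryption,
-- protected by a certificate that lives only in this tenant's database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong tenant master-key password>';
CREATE CERTIFICATE Tenant_Acme_FieldCert WITH SUBJECT = 'Acme field-level key protector';
CREATE SYMMETRIC KEY Tenant_Acme_FieldKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE Tenant_Acme_FieldCert;
GO
-- Assumed table: the sensitive field is stored as ciphertext only.
CREATE TABLE dbo.ExpenseClaim (
    ClaimId       INT IDENTITY(1, 1) PRIMARY KEY,
    EmployeeId    INT            NOT NULL,
    Amount        DECIMAL(10, 2) NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL   -- ENCRYPTBYKEY output, never plaintext
);
GO
-- All writes go through a procedure that encrypts the field before INSERT.
-- EXECUTE AS OWNER runs as dbo, so the caller needs no rights on the key.
CREATE PROCEDURE dbo.usp_AddClaim
    @EmployeeId INT, @Amount DECIMAL(10, 2), @CardNumber NVARCHAR(19)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY Tenant_Acme_FieldKey
        DECRYPTION BY CERTIFICATE Tenant_Acme_FieldCert;
    INSERT INTO dbo.ExpenseClaim (EmployeeId, Amount, CardNumberEnc)
    VALUES (@EmployeeId, @Amount,
            ENCRYPTBYKEY(KEY_GUID('Tenant_Acme_FieldKey'), @CardNumber));
    CLOSE SYMMETRIC KEY Tenant_Acme_FieldKey;
END;
GO
-- Reads decrypt only the field that is needed, only inside the procedure.
CREATE PROCEDURE dbo.usp_GetClaimCard @ClaimId INT
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY Tenant_Acme_FieldKey
        DECRYPTION BY CERTIFICATE Tenant_Acme_FieldCert;
    SELECT ClaimId, Amount,
           CONVERT(NVARCHAR(19), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
    FROM dbo.ExpenseClaim
    WHERE ClaimId = @ClaimId;
    CLOSE SYMMETRIC KEY Tenant_Acme_FieldKey;
END;
GO
-- Least privilege for the web tier's database user (assumed name): it may run
-- the procedures but cannot read or write the table directly.
CREATE USER EodWebApp WITHOUT LOGIN;   -- in production: FOR LOGIN <app login>
GRANT EXECUTE ON dbo.usp_AddClaim     TO EodWebApp;
GRANT EXECUTE ON dbo.usp_GetClaimCard TO EodWebApp;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.ExpenseClaim TO EodWebApp;
GO
-- Checks. encryption_state = 3 means the database is encrypted by TDE.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
-- Constructed sample claim; a direct read shows only the varbinary ciphertext,
-- while the procedure returns the decrypted value.
EXEC dbo.usp_AddClaim @EmployeeId = 42, @Amount = 125.00, @CardNumber = N'4111111111111111';
SELECT ClaimId, CardNumberEnc FROM dbo.ExpenseClaim;
EXEC dbo.usp_GetClaimCard @ClaimId = 1;
```

Two things worth noting when reviewing a setup like this: a sysadmin on the instance can still open the tenant key, because it is protected by the database master key inside the same server, so the field-level layer limits exposure for application and database-reader accounts rather than for server administrators; and TDE also encrypts tempdb once any database on the instance is encrypted, which is usually desirable but should be planned for.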

100% Availability:

  1. Your data is backed up every day and backups are retained for 28 days on a rolling basis. Backup files are kept on separate devices both at the same site and at remote locations, with full DR capability.
  2. Our EOD servers are held in highly secure, purpose-built facilities and are managed around the clock. Servers are kept current with the most recent security updates.
  3. Redundant Cisco routers and stateful inspection firewalls are configured for failover.
  4. The servers have two redundant 1 Gbit/s fiber Internet connections, redundant power supplies and fire protection.
  5. A 5 MVA diesel generator stands by in case of a power cut, with fuel on site for at least 24 hours of running at full design load and an SLA for refuelling within 6 hours of call-out. Generators fail over automatically.
  6. The database and application/web tiers are on separate, secured VLANs.
  7. Server load balancing and clustering are implemented to ensure high availability.
  8. A SAN is implemented so that multiple servers can access the shared storage; each server has multiple data paths.
  9. Redundant precision HVAC, power and fire detection/suppression systems.
  10. Data is stored on RAID disk arrays, with a daily backup to a secondary location. All communications are encrypted using HTTPS (TLS).
  11. Multi-level physical security: all areas of the centre are monitored and recorded by CCTV, and all access points are controlled.
  12. Software version control, device configuration control, user access privileges and security are standard features of our security management.
  13. Secure, scalable and highly available SLA-based operations services are supported 24×7 by our infrastructure operations management team.
  14. Infrastructure is actively monitored to give a system-level view of support systems, network devices, application servers, web servers, databases and virtually any other infrastructure component. The facility also provides the following:
    1. Multiple layers of hardened physical security
    2. “Man trap” entry
    3. 24x7x365 on-site security presence
    4. Closed-circuit television surveillance in reception and hallways
    5. Multiple layers of electronically controlled card access
    6. Card swipe system
    7. Authorized staff only, based on an access list, who are adequately trained in data protection legislation and the handling of personal data
    8. Robust escalation and change management processes
    9. Periodic auditing of the infrastructure and equipment, and maintenance of a standard Site Run Book
    10. The infrastructure is ISO 27001 certified and holds SAS 70 Type II certification (now superseded by SSAE 16 / SOC 1)
    11. Redundant server groups are configured to fail over automatically to ensure zero downtime

GDPR

The GDPR is in force, and Expense on Demand is here to help.

On 25 May 2018, a ground-breaking data protection law, the General Data Protection Regulation (GDPR), entered into force in the European Union (EU). The GDPR expands the privacy rights granted to EU individuals and imposes many new obligations on organizations that trade in, track or handle EU personal data, regardless of where the organization is located. EOD assists customers in their GDPR compliance efforts through its privacy and security protections.

What is the GDPR?

The GDPR is a comprehensive EU data protection law (in force since 25 May 2018) that strengthens the protection of personal data in light of rapid technological developments, increasing globalization and more complex international flows of personal data. It updated and replaced the patchwork of national data protection laws that previously applied with a single set of rules that are directly enforceable in every EU member state.

What does the GDPR regulate?

The GDPR governs the “processing” of data for EU individuals, which includes the collection, storage, transfer or use. Any organization that processes the personal data of individuals from the EU falls under the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the term “personal data” is very broad and includes any information relating to an identified or identifiable natural person (also called a “data subject”).

How does GDPR change privacy law?

The key changes are the following:

  1. Expanded data protection rights for EU individuals, data breach notification and other security requirements for organizations, and requirements around customer profiling and monitoring.
  2. Binding corporate rules as one mechanism for lawfully transferring personal data outside the EU, and fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for organizations that fail to meet their GDPR obligations.
  3. A central point of enforcement: companies deal with a lead supervisory authority on cross-border data protection issues.

Does the GDPR require EU personal data to stay in the EU?

The GDPR does not require EU personal data to remain in the EU, but it does restrict transfers of personal data outside the EU: a transfer is lawful only under certain provisions (an adequacy decision, appropriate safeguards, or a specific derogation). Regardless, EOD ensures that EU users’ data actually stays in the EU. See also the MSA.

What EOD is Doing:

EOD welcomes GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for EOD to deepen our commitment to data protection. Similar to existing legal requirements, GDPR compliance requires a partnership between EOD and our customers when using our services. EOD will comply with the GDPR when providing our services to our customers. We also strive to help our customers comply with GDPR.

EOD’s Commitment to Data Protection.

At EOD, trust is our #1 value and nothing is more important than our customers’ success and the protection of our customers’ data. EOD’s privacy and security program meets the highest industry standards, and over the past few years we have consistently reinforced our commitment to protecting our customers through our actions.

What Customers Should Do

  1. Get Buy-in and Build a Team
    1. Raise awareness of the importance of GDPR compliance with organization leaders
    2. Obtain executive support for necessary staff resources and financial investments
    3. Choose someone to lead the effort
    4. Build a steering committee of key functional leaders
    5. Identify privacy champions throughout the organization
  2. Assess the Organization
    1. Review existing privacy and security efforts to identify strengths and weaknesses
    2. Identify all the systems where the organization stores personal data and create a data inventory
    3. Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
    4. Document compliance
  3. Establish Controls and Processes
    1. Ensure privacy notices are present wherever personal data is collected
    2. Implement controls to limit the organization’s use of data to the purposes for which it collected the data
    3. Establish mechanisms to manage data subject consent preferences
    4. Implement appropriate administrative, physical and technological security measures and processes to detect and respond to security breaches
    5. Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability and deletion (right to be forgotten)
    6. Enter into contracts with affiliates and vendors that collect or receive personal data
    7. Establish a privacy impact assessment process
    8. Administer employee and vendor privacy and security awareness training
  4. Document Compliance
    1. Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements and vendor contracts
    2. If required, appoint a data protection officer and identify the appropriate EU supervisory authority
    3. Conduct periodic risk assessments

GDPR: Fiction versus Fact

As you gear up your organization to comply with the EU General Data Protection Regulation (GDPR), you may come across contradictory information about what the GDPR does and does not require.

One of the main challenges for organizations facing GDPR compliance is finding the resources to sort through the facts, and the fictions, of this law. With that in mind, EOD has put together this guide to help clarify some common confusions around the GDPR and get you and your organization on the path towards compliance.

  1. Fiction: “Processing European personal data requires the consent of the data subject.”

Fact: Consent is only one of the legal bases that can be used for the processing of personal data (Article 6(1)(a)). For instance, personal data can also be processed:

  1. when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party;
  2. when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and
  3. sometimes even on the basis of legitimate interests, such as commercial and marketing purposes. The legitimate interest must, however, not be overridden by the interests, rights and freedoms of the data subject (Article 6(1)(f)).
  2. Fiction: “European personal data must be stored within Europe.”

Fact: The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50).

  3. Fiction: “The GDPR requires EU personal data to be encrypted at rest.”

Fact: The GDPR does not mandate specific security measures. Instead, it requires organizations to take technical and organizational security measures appropriate to the risks presented (Article 32(1)). Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. Although it is not mandated, EOD encrypts data at rest, including date fields.

  4. Fiction: “EU data subjects have an absolute right to have their personal data deleted upon request.”

Fact: The right to have one’s data deleted is often referred to as “the right to be forgotten”. It is not an absolute right: it has a limited scope and is subject to certain limitations (Article 17). In most cases several relevant factors have to be weighed when considering a request for deletion; the right will not apply, for example, if the processing is necessary for compliance with a legal obligation. However, data subjects do have an absolute right to prevent their personal data from being processed for direct marketing purposes.

  5. Fiction: “A data protection officer is mandatory for all companies subject to the GDPR.”

Fact: A data protection officer is only required by the GDPR when one of the following applies:

  1. the organization is a public authority or body;
  2. the organization processes certain sensitive types of data (such as data on health or religion) on a large scale as part of its core activities; or
  3. the organization systematically monitors people (for example, via cameras, or software which tracks internet behavior) on a large scale as part of its core activities (Article 37(1)).
  6. Fiction: “The GDPR requires a data protection impact assessment for all processing activities involving EU personal data.”

Fact: Under the GDPR, a data protection impact assessment (DPIA) is only necessary for high-risk processing of EU personal data, such as the following:

  1. large-scale processing of certain sensitive types of EU personal data, such as data concerning a person’s health;
  2. systematic and extensive automated decision-making which produces legal or similarly significant effects on individuals, such as the use of fraud detection software; and
  3. systematic and large-scale monitoring of public space (for example, with cameras) (Article 35(3)).
  7. Fiction: “Profiling and automated decision-making are prohibited under the GDPR.”

Fact: Profiling of EU individuals and automated decision-making involving EU personal data are not prohibited, but these processing activities may be subject to certain conditions. In particular, when decisions which legally or similarly significantly affect an individual are made automatically, the data subject:

  1. must be given meaningful information about the underlying logic, and about the significance and potential consequences for them; and
  2. must in some cases have the ability to require that a human being is involved in the process (Article 22(3)). A data protection impact assessment (see Fiction 6 above) may also be required.
  8. Fiction: “If an organization is established outside the EU, the GDPR does not apply to its processing of EU personal data.”

Fact: Regardless of where an organization is established, the GDPR applies to EU personal data which is processed in the context of:

  1. offering goods and services (whether paid or not) to people in the EU; or
  2. monitoring the behavior of people in the EU, for example by placing cookies on the devices of EU individuals (Article 3(2)).

This document is a broad overview of some of the key aspects of the EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.

  1. Expanded definition of “personal data”: The GDPR expands and clarifies the concept of personal data. While the basic concept largely remains the same, the GDPR makes it clear that location data and online identifiers, such as IP addresses, are personal data. It also expands the concept of sensitive personal data to include genetic data and biometric data.
  2. Expanded and new rights for EU individuals: The GDPR provides expanded rights for EU data subjects, such as:
    1. Deletion: This right is sometimes referred to as the “right to be forgotten”. The data subject has the right to require that the Controller erase personal data about him or her in certain conditions, including if the personal data is no longer necessary for the original purpose of the processing or if the data subject withdraws consent for the processing. This right has been extended to the online world as a means to require search engines and other online providers to delete out-of-date publicly available information, in particular information which appears in search results.
    2. Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in a number of circumstances, including, for a certain period, if the accuracy of the personal data is contested by the data subject. A restriction on processing means that the organization holding the data may continue to store it, but cannot process it any further.
    3. Portability of personal data: Data subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format.
  3. Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented. At EOD, we have robust security measures in place that meet the highest standards in the industry, and these are outlined in our Security Policy above.
  4. Breach notification: The GDPR requires organizations to report certain personal data breaches to the relevant data protection authority and, in some circumstances, to the affected data subjects. Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of the breach), unless the breach is unlikely to present a risk to the rights and freedoms of the data subjects concerned. If circumstances require it, Controllers may also be required to communicate the data breach to data subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach. EOD has covered these aspects in its
  5. Transparency: The GDPR requires that Controllers provide data subjects with information about their processing operations at the time the personal data are collected. This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and legal bases for the processing of the personal data, the recipients of the data and a number of other items to ensure that the personal data is processed in a fair and transparent manner. In addition, Controllers are required to provide information to data subjects even where the personal data has not been obtained directly from the data subject.
  6. Profiling: The GDPR introduces the concept of “profiling”: any form of automated processing that uses personal data to evaluate personal aspects and in particular to analyse or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects must be informed of the existence of profiling and of its consequences. EOD does not