As part of the regulations, you are required to provide information about how your client’s personal details are stored. Here’s the information about how Zebranet stores personal information, should you (as a data processor using Zebranet’s services) be asked.
Our servers are housed in a data-centre in Sheffield and access to the physical boxes requires key card access through several sets of doors, and a person can only get access to the physical machine if they have prior authorisation and are on the allowed list of people for that machine. Servers are connected to a battery UPS which will provide 3 hours of power should there be an issue. If, after 2 hours the power is not restored then there is a diesel generator for the building which will provide unattended power for the next 48 hours. Then it can run indefinitely as long as the diesel is topped up.
For more information about our hosts and their processes, please go here.
We back up the data using an offsite backup solution which synchronises the backups with the server here at the office, and we keep a rolling 7 day backup of all the databases which is taken every day at 3am. We do regularly test the backups for integrity, and have restored data back to live databases for clients in the past. The websites which go online are only ever pre-complied, and source code is never stored on the servers.
The servers can only be remotely accessed from Zebranet’s office IP address, so they cannot be contacted from any computer unless it’s physically here or connected by VPN. We use non-standard usernames and 12 digit complex passwords to access the server and only one account has remote access rights to the server again limiting access options further.
Each of our client’s data is all on its own database so that information isn’t shared with any other applications other than their own instance. In terms of franchises, the whole franchise network is stored on one database, but only that franchisee’s data is presented to them. In some cases, head office are given access to dashboard data (number of bookings, class-split, etc.) but they don’t have access to client’s individual records.
However, the weakest link in all of this is the end user. If passwords aren’t secure or you save you passwords in your browser then the data you hold can be at risk. We don’t store any customer bank details on the system. When using PayPal, WorldPay or Stripe (on applicable systems), the customer is taken to the merchant’s processing page in order to make payment. Our system is then sent a success/failure code, so at no point is the customer’s card details entered into our system.
However, if a user’s login was compromised, then the person would only have access to their data and none of the other client’s databases (or in the case of franchisees, other franchisee’s data). This is an unavoidable situation which we work with clients to control.
Zebranet is registered with the ICO as a data controller. This essentially means we hold the data entered into any of our hosted systems, but we don’t do anything with it, other than back it up and restore it as required.
If you delete a customer’s data from the system, then that data will remain on our servers until the backup cycle is finished (7 days). That data won’t be accessible from the live systems, only in the case of a data restore.
You can see our ICO register entry here.