GovernorHub Technical & Organisational Measures

Back-ups	The Processor maintains the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident affecting the Processing of the Personal Data. This includes use of the following measures: Backups are maintained through daily snapshots of the database, which are periodically tested for recovery. Additionally we take copies of database changes which can be used for more fine grained recovery and instant recovery. The recovery processes are periodically tested.
Portable devices	The Processor maintains a process for ensuring the integrity and security of portable devices. This includes use of the following measures: All devices are encrypted Secured by a password or pass code Where available Multifactor Authentication is enabled and enforced
Notion Encryption policy	The Processor maintains a process for ensuring that personal data is pseudonymised and encrypted as appropriate. This includes ensuring that all portable devices are encrypted and use of the following measures: All devices are encrypted Data that passes through or is stored within GovernorHub is TLS 1.2 or above encrypted Data in our databases is encrypted at rest (AES 256)
Firewalls and anti-virus	The Processor maintains a process for ensuring that appropriate firewalls and anti virus systems are in place. This includes use of the following measures: All workstations have professional Antivirus installed Each workstation regularly updates antivirus database Each workstation performs automated regular scans Performance of Antivirus is monitored centrally Firewalls protect office environments and Cloud infrastructure
Systems selection	The Processor maintains a process for ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services associated with the Processing of the Personal Data. This includes use of the following measures: We have defined performance objectives for service availability, these are regularly measured, any dips in performance investigated. Incidents & Events are logged, investigated, we perform incident reviews to ensure we constantly improve. All suppliers are reviewed for security in accordance with our supplier management policy We maintain a register of approved suppliers Periodic data protection training for all staff.
Personnel vetting	The Processor maintains a process for ensuring that its personnel accessing the Protected Data are vetted to ensure their reliability and integrity. This includes use of the following measures: Obtaining x2 References from past employers or character references
Independent testing including (penetrating testing and vulnerability scanning)	The Processor maintains a process for regular testing, assessment and evaluation of the security measures required by this Agreement. This includes use of the following measures: Monthly cloud application vulnerability scanning Automated container scanning on change Annual Penetration tests Achieves UKAS Accredited ISO 27001 standard Achieves CyberEssentails
Asset register	The Processor maintains a process for ensuring that the location of all its IT assets are known at all times. This includes use of an internal asset register which logs the location and ownership of all portable assets.
Passwords, tokens	The Processor maintains a process for ensuring appropriate passwords and tokens are used to access its systems. This includes use of the following measures: End-user passwords must be 8 characters or more End-users get feedback as to the riskiness of their chosen password
VPN	The Processor maintains a process for ensuring the security of its internal network. This includes use of the following measures: All access requests require user authentication and authorisation and permissions are granted on a granular basis. Audit logs are maintained for access to internal systems
Actions log	The Processor maintains a process for logging all interactions with the Protected Data. This includes the following measures: End-users have their own login and password which must be 12 characters or more. End-users get feedback as to the riskiness of their chosen password Access and updates to records are logged
SSL	The Processor maintains appropriate Secure Socket Layer technology to protect its systems and applications.
Permissions	The Processor maintains a permissions based process for using the Personal Data only for the purpose(s) prescribed by Client and not any other purposes and for making the Personal Data available to staff strictly on a 'need to know' basis and procuring that all staff members to whom it discloses Personal Data are made aware that the Personal Data is Confidential Information and subject to the obligations set out in this Agreement.
Data Minimisation	The Processor maintains a process for copying, reproducing or distributing Personal Data only to the extent necessary to enable the discharge of obligations under this Agreement and for no other purpose. The Processor minimises, to the fullest extent possible, the disclosure of Personal Data to third parties, such disclosure to be strictly as is necessary to enable the Processor to discharge its obligations to Client.
Confidentiality	The Processor maintains a process for treating and safeguarding the Personal Data as strictly private and confidential and taking all steps necessary to preserve such confidentiality. This includes use of appropriate contract terms used with staff and contractors handling such data.
Breach Handling:	The Processor maintains a process for informing Clients, as soon as reasonably practical, if the Processor becomes aware of or suspects that a Personal Data Breach has occurred. This policy is available upon request.
Training and Monitoring:	The Processor maintains a process for ensuring that all staff and Sub-Processors comply with this Agreement. This includes use of periodic GDPR training and compliance reviews as part of staff appraisals.