Information Security will be managed by the following personnel:
- Karl Holub, CTO and Data Protection Officer
- Kevin Kallmes, CEO
- Kathryn Cowie, COO
- Stephen Mead, Senior Engineer
Personnel changes #
In the event of a change in role, a departure, or a new hire, oversight of the affected security policies will be transferred to the new information security personnel. Management of information technology systems will be transferred to the appropriate engineer. Barring no sudden change, the transition will take place over two to eight weeks and will include training, knowledge checks, and progressively increasing responsibility over policies.
Data Protection Plan #
The Data Protection Plan helps us prepare to identify and protect personal data. A data protection impact assessment (DPIA) is required for projects where new data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” The plan here outlines our procedure for developing a DPIA.
Scope: This plan applies to all Nested Knowledge employees, and all contractors, consultants, temporary employees and business partners.
Definitions: High-Risk personal data includes:
- location and behavior data
- systematically monitoring a publicly accessible place on a large scale
- personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,
- genetic data, biometric data for the purpose of uniquely identifying a natural person
- data concerning health or data concerning a natural person’s sex life or sexual orientation
- data used to make automated decisions about people that could have legal (or similarly significant) effects
- children’s data
Data Protection Officer (DPO) #
The DPO, responsible for reviewing and approving data processing projects, is Karl Holub. In brief, the DPO:
- Is made available for all product & support teams, for reporting & planning any changes to data processing
- Monitors for changes that are of consequence to our data processing policies, including:
- Code changes and releases
- Third party vendors & subprocessor additions
- Internal tooling & workflow changes
- Monitors subprocessor communications for terms and conditions and subprocessor updates
- Maintains records of compliance, associated directly with the issue tracker, processor record
- Reports to the CEO on activities and compliance on a regular basis
DPO Email: karl.holub@nested-knowledge.com
Data Protection Impact Analysis Plan #
Nested Knowledge will fill out a data protection impact analysis before processing any high-risk personal data. This process involves the following steps:
- Identify the need for a DPIA – Nested Knowledge will explain board what the project aims to achieve and what type of processing it involves. If applicable, we will link to other documents, such as a project proposal.
- Describe the processing
- Nature of the processing: The company will describe how we collect, use, store, and delete data, the source of the data, and whether the data will be shared. If applicable, we will reference a flow diagram describing data flows.
- Scope of the processing: The company will classify the nature of the data, and determine whether it includes high risk and special category data. The DPIA will describe how much data will be collected, how often it will be collected, and how long it will be retained. THe DPIA wille estimate how many individuals will be affected by processing and which geographical will be covered?
- Context of the processing: the company will describe our relationship with the individuals who’s data is bring processed. Typically, Nested Knowledges processes application user’s data and employee data. We will answer the following questions: How much control will the data subjects have? Do the data subjects include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
- Purpose of the processing: Nested Knowledge will describe what we want to achieve by processing, intended effect on individuals, and the benefits of the processing.
- Consultation Process – We will describe when and how Nested Knowledge will seek individuals’ views – or justify why it is not appropriate to do so. We will describe whether we plan to consult information security experts, or any other experts.
- Assess necessity and proportionality – Nested Knowledge will answer the following questions in a DPIA: what is the lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you ensure data quality and data minimization? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
- Identify and assess risks – Nested Knowledge will describe the source of risk, likelihood of harm, severity of harm, and overall risk. Include associated compliance and corporate risks as necessary.
- Identify measures to reduce risk – Nested Knowledge will keep a record of options to reduce or eliminate risk, the effect on risk, residual risk, and whether or not the measure was approved.
- Sign off and record outcomes – The Data Protection Officers willsign off on risk-reduction measures and provide advice.
For templates to complete the above steps, refer to the ICO guidance
High-Risk Personal Data #
Nested Knowledge does not process high-risk personal data. Potential high-risk data types we may encounter in our industry include the following:
- Information on employee ethnicity, race, religion, sexuality, or political beliefs.
- Information on employee health and/or disability status.
- User location data and online behavior
Nested Knowledge values the privacy of our employee and users. We have no intention to process such data, but we will remain alert and develop a DPIA should our data processing plans change.
Training #
Employee training requirements are based on the data classification system. All employees and contractors will be provided with our data protection policy. Those who deal with confidential data, restricted use data, or high-risk personal data will be required to demonstrate understanding of our data protection procedures as well as GDPR requirements.
Communicating Updates #
As described in our Third Party Policy, we will notify users of changes to how their data is processed by email.
Backup Plan #
The purpose of this policy is to ensure that data used within Nested Knowledge’s systems is regularly backed up.
Scope: This policy affects all employees and contractors of Nested Knowledge. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
This policy applies to the public software application, the AutoLit review platform, as well as information systems operated internally at Nested Knowledge, such as company shared drives and purchased software. Reviews developed in the AutoLit software by parties external to Nested Knowledge are not covered in this policy.
Internal Company Backup Procedure #
Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. Copies of the personal computer files should be uploaded to the Nested Knowledge shared drive. This provides for a more secure backup of personal computer-related systems where a local area disaster could wipe out important personal computer systems.
Backup Strategies #
- Where a third party has been authorized to store backup media, a service level agreement (SLA) should be defined and documented, and in compliance with the IS Security Standards.
- Automated backup functions within software packages should be used where applicable.
- When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored.
Application Backup Procedure #
Backups are generated as database snapshots daily; transaction logs are streamed to storage and stored for 14 days (providing moment in time restoration within that window). Failure in either of these processes generates email alert to the technical lead. Database backups are fully exercised no more than every 3 months. Backups are retained 60 days. A failure in restoring a backup results in highest priority escalation with the development team on our product management software.
In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate cloud provider (GCP) as a redundancy. These backups are generated every other day, retained 60 days, and exercised quarterly. Failure in the backup process results in email alert to the technical lead.
Restoration #
- Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners.
- Restoration of the current configuration must be within agreed recovery timescales
- Restoration of the AutoLit database is tested with quarterly by the development team. A successful restore requires taking a backup from stationary to deployed in our staging environment.
- Backups are manually compared for validity against existing projects
- Evidence of success backup is maintained internally, including time of test, verifiers, screenshots of successful staging deployment, and notes on any issues & remediations.
Testing
Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated.Edit
Revision History #
Author | Date of Revision/Review | Comments/Description |
---|---|---|
K. Cowie | 10/14/2024 | Revised |
K. Holub | 12/13/2023 | Better defining DPO role |
K. Kallmes | 11/19/2021 | Draft approved |