1 | Security & Compliance

Security

Flowte is a web-based SaaS solution which runs in the cloud. Our servers are hosted by Amazon Web Services and sit behind Cloudflare, which absorbs DDoS traffic and blocks known malicious IPs before it reaches us.
All web servers sit behind a NAT gateway inside a private CIDR block of our Amazon VPC.
There is no direct access to the VPC where the database and application servers reside; any indirect (administrative) access is recorded in an audit log and follows strict access-control protocols in line with current guidance.
All user passwords for the web system are stored only as salted hashes; plaintext passwords are never stored.
Flowte is integrated with Stripe for payment processing, so card numbers are handled and stored by Stripe rather than by Flowte. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.

Stripe states that all card numbers are encrypted on disk with AES-256, that the decryption keys are stored on separate machines, and that none of Stripe's internal servers and daemons can obtain plaintext card numbers; they can only request that a card be sent to a service provider on a static whitelist. Stripe's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure and shares no credentials with Stripe's primary services (API, website, etc.).

GDPR Compliance

Introduction 
The European Union has taken a significant step in protecting the fundamental right to privacy of every EU resident with the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. Under the regulation, EU residents have greater say over what personal data is collected about them and how, why, where and when it is used, processed or disposed of. The regulation also clarifies that EU personal data law applies beyond the borders of the EU: any organisation that handles EU residents' personal data in any manner, irrespective of its location, has obligations to protect that data.
The new regulation replaces the Data Protection Directive 95/46/EC.

Definitions 
Data Controllers – those who determine what personal data is collected and how it is processed; and 
Data Processors – those that process personal data on behalf of a Controller. 

The regulation also gives more rights (power and control) to 
Data Subjects – any individual who can be identified, directly or indirectly, from the personal data (Personally Identifiable Information, PII) held about them. 

What are the strengthened Rights for Data Subjects? 

Individuals now have the 
Right to be informed – clarity about who uses their data 
Right of access – to see what data is held on them 
Right to rectification – to have it amended if inaccurate 
Right to erasure – to be deleted on request 
Right to restrict processing – to limit the ways in which their data may be used 

What should customers be doing to get GDPR-ready? 

We understand that for our customers, in their role as data controller, meeting the GDPR requirements will take time and effort. It is likely that many systems and third-party applications are in use to run their business. 
If you are still at the stage of reviewing what you need to do to demonstrate compliance, here is a suggested checklist: 

1. Create a data privacy team to oversee GDPR activities and raise awareness 
2. Review current security and privacy processes in place and where applicable, revise your contracts with third parties and customers to meet the requirements of the GDPR 
3. Identify the Personally Identifiable Information (PII)/Personal data that is being collected 
4. Analyse how this information is being processed, stored, retained and deleted 
5. Assess the third parties with whom you disclose data 
6. Establish procedures to respond to data subjects when they exercise their rights 
7. Establish and conduct Privacy Impact Assessment (PIA) 
8. Create processes for data breach notification activities 
9. Maintain continuous employee awareness, which is vital to ongoing compliance with the GDPR 

At Flowte we are aligning ourselves with the regulation by reviewing our data inventory and data flows, and by revisiting and amending contracts with our third-party service providers to meet the requirements of the GDPR. 
From your perspective as a customer, this means putting a written agreement in place that sets Flowte up as your data processor, while you remain the data controller responsible for the data. 

Penalties for Non-Compliance 

If your business is found to be in breach of GDPR you face a hefty fine.  The maximum can be up to 4% of your annual global turnover or €20 Million, whichever is greater. The fines are imposed for infringements like: 
Insufficient customer consent to process data 
Not having your records in order 
Failing to notify the relevant authority and data subjects about a breach 

Basic Principles
The Client 
As an organisation that collects personal data in order to fulfil a sales function you are classed as a Data Controller.  Your obligations under the regulations include, but are not limited to: 

1 | provide clear information to your customers about the personal data you collect, for what purpose, and the Data Processors you use (this would include Flowte and is typically addressed in a Privacy Policy) 
2 | protect personal data against accidental loss, unauthorised access, or unlawful processing (this is typically addressed in a Security Policy) 
3 | put written agreements in place with processors that are given access to your customers' data, requiring them to act only on your instructions and to comply with all data protection requirements (this is typically addressed in commercial contracts) 
4 | notify the relevant supervisory authority within 72 hours of first becoming aware of a personal data breach and, where the breach is likely to result in a high risk to them, inform the affected data subjects (your end customers) without undue delay 

In addition you should follow the basic data protection principles of: 

1 | Lawfulness, fairness and transparency – the basic tenets of how you handle and manage your customer data 
2 | Purpose limitation – collecting data only for specified, explicit and legitimate purposes, and not processing it in ways incompatible with those purposes 
3 | Data minimisation – identifying what data is held and for what purpose, and not keeping more than is necessary 
4 | Accuracy – making sure the data you hold is accurate and kept up to date 
5 | Storage limitation (data retention) – keeping data only for as long as it is still necessary for the original purpose of processing 
6 | Integrity and confidentiality (security) – how securely the data you hold is protected against unauthorised access, loss or damage 

Flowte
Flowte, as the ticketing platform, is classed as a 'Data Processor' because we process your customers' data only as part of the service we provide to you and your customers. You remain the sole owner of that data; we store and process some of it in order to generate customer tickets, business reports and the like. Under the regulation our obligations include, but are not limited to: 

1 | process data fairly, lawfully, and for legitimate purposes 
2 | implement appropriate technical and organisational security measures to protect the personal data 
3 | inform the controller without undue delay of any personal data breach 
4 | keep internal records of all data processing activities 

At Flowte data security has always been the cornerstone of our business. Flowte is a web-based SaaS solution which runs in the cloud. Our servers are hosted by Amazon Web Services and protected from DDoS and known malicious IPs through Cloudflare. 
Flowte is integrated with Stripe for payment processing; Stripe, which handles the card data, is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry. 

As a data controller you must have a valid lawful basis in order to process personal data. Organisations are free to determine which of the six bases defined in Article 6 of the GDPR applies to each of their activities, and this should be recorded in your Privacy Policy. For most of the organisations we work with this is likely to be 'legitimate interests' (note that the processing needed to fulfil a ticket order itself, such as taking payment and delivering the tickets, can instead rest on 'performance of a contract'). The rationale for relying on legitimate interests can include: 

1 | no special category data (what the GDPR calls sensitive personal data) is collected (eg. racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or details of criminal offences) 
2 | the amount and type of data collected is minimal and deemed reasonable to expect for the fulfilment of the activity (eg. to process a sale for tickets to be delivered to a customer it is necessary to collect a name, address and payment details) 
3 | there is a minimal privacy impact on the individual based on the range of data held and how it is used 

For organisations that choose to rely on 'consent' as their lawful basis for processing, the regulation introduces enhanced rights for individuals. Flowte has a number of features which the data controller can use to assist with, and demonstrate, compliance with these requirements: 

1 | Consent should be explicit and require a positive opt-in
In Flowte, under Admin > Settings, set 'Marketing Question Online' to NO so that customers are not opted in to marketing by default. 
This setting can be complemented by a custom message entered in the 'Custom Online Marketing Question' field. 
Online users then have to positively opt in to email marketing if they wish to receive it. 
There is a similar setting, 'Marketing Question Back Office', which lets back-office operators manually opt in a customer when consent has been given; use the Note field in the contact record to record when, how and by whom that consent was captured. 
The same principle can be followed for any other Contact Tag managed in this way (eg. where specific contact tags have been created to capture consent for direct mail marketing or telephone marketing). 

2 | It should be easy to withdraw consent
The data controller should document how an individual can withdraw their consent (typically addressed in a Privacy Policy). Flowte allows a record of manual changes to be kept in the contact Note field (CRM > Contacts). 
All email communications should carry an 'Unsubscribe' link, and unsubscribes should be recorded in the email marketing client being used. For customers using the Flowte Marketing app, any change in a customer's marketing preferences, for example when they unsubscribe from an email campaign, is automatically updated in their contact record (the Venue Marketing field will show Opt Out). 
For customers using a different email marketing client, a documented process should define which system is the authoritative source of marketing preferences and how changes are synchronised to the other. 

3 | Right to be forgotten
Individuals have the right to request that their personal data is erased. 
This can be achieved in Flowte using the 'Remove' button against the contact record (CRM > Contacts). 
Once the contact is removed it is no longer a searchable record under Contacts. Note that an erasure request can be refused where the data must be kept to meet a legal obligation (for example, transaction records retained for accounting purposes), so check your retention schedule before removing a contact and keep a note of what was removed and why. 


4 | Request for information (subject access request)
Individuals can request to see what data is held on them by the data controller, and organisations must respond within one month of any such request (an extension is allowed where the request is complex). 
Within Flowte you can navigate to the contact record, then 'print screen' and save as a PDF document which can be forwarded to the individual making the request. Check the capture before sending it so that it contains only the requester's own data and no other customers' details. 
General Considerations
1 | Data security
To support your obligation to prevent unauthorised access to personal data, use the 'Users & Roles' feature set under the Settings menu. 
This allows you to grant granular access to the system by restricting top-level or sub-level menu options and apps to the roles that need them. 

2 | Terms & Conditions
The data controller is also advised to review the Terms of Service (T&Cs) made available to customers, which are managed in Flowte under Settings > Account Info > Storefront, and likewise the Privacy Policy. It is here that you can inform your customers why you are keeping their data; for how long; their right to opt out; and who to contact should they wish to change their preferences or be removed. 

Best practice would suggest these should include any specific references to third-party data sharing and the legal basis for it, as defined in your Privacy Policy, such as the sharing of data with The Audience Agency purely for benchmarking purposes. With Flowte these policy statements are available to view throughout the online checkout process. 

Disclaimer
This guide is meant solely to educate you on GDPR. The information provided, and any views expressed, are those of Flowte only and should not be construed as legal advice or used as a substitute for legal advice. 
Flowte does not take responsibility for any misinterpretation or misunderstanding of the content by the reader, and Flowte makes no warranties, express, implied, or statutory, as to the information in this guide. 
You are advised to seek the guidance of a legal consultant or advisor in your compliance project. 

GDPR TRAINING

The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.

The Company ensures that:
We protect the rights of individuals with regards to the processing of personal information
We develop, implement and maintain a data protection policy, procedure, audit plan and training program for compliance with the data protection laws
Every business practice, function and process carried out by the Company, is monitored for compliance with the data protection laws and its principles
Personal data is only processed where we have verified and met the lawfulness of processing requirements
We only process special category data in accordance with the GDPR requirements
We record consent at the time it is obtained and evidence such consent to the Supervisory Authority where requested
All employees are competent and knowledgeable about their GDPR obligations and are provided with in-depth training in the data protection laws, principles, regulations and how they apply to their specific role and the Company
Individuals feel secure when providing us with personal information and know that it will be handled in accordance with their rights under the data protection laws
We maintain a continuous program of monitoring, review and improvement with regards to compliance with the data protection laws and to identify gaps and non-compliance before they become a risk, affecting mitigating actions where necessary
We monitor the Supervisory Authority, European Data Protection Board (EDPB) and any GDPR news and updates, to stay abreast of changes, notifications and additional requirements
We have robust and documented Complaint Handling and Data Breach controls for identifying, investigating, reviewing and reporting any breaches or complaints with regards to data protection
We have appointed a Data Protection Officer who takes responsibility for the overall supervision, implementation and ongoing compliance with the data protection laws and performs specific duties as set out under Article 37 of the GDPR
We have a dedicated Audit & Monitoring Program in place to perform regular checks and assessments on how the personal data we process is obtained, used, stored and shared. The audit program is reviewed against our data protection policies, procedures and the relevant regulations to ensure continued compliance
We provide clear reporting lines and supervision with regards to data protection
We store and destroy all personal information, in accordance with our retention policy and schedule which has been developed from the legal, regulatory and statutory requirements and suggested timeframes
Any information provided to an individual in relation to personal data held or used about them will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
Employees are aware of their own rights under the data protection laws and are provided with the Article 13/14 information disclosures in the form of a Privacy Notice
Where applicable, we maintain records of processing activities in accordance with the Article 30 requirements
We have developed and documented appropriate technical and organisational measures and controls for personal data security and have a robust Information Security program in place

Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the requirements and principles of the data protection laws, and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role. Our Training & Development Policy & Procedures and Induction Policy detail how new and existing employees are trained, assessed and supported, and include:

GDPR Workshops & Training Sessions
Assessment Tests
Coaching & Mentoring
1:1 Support Sessions
Scripts and Reminder Aids
Access to GDPR policies, procedures, checklists and supporting documents
Employees are continually supported and trained in the requirements of the data protection laws and in our own objectives and obligations around data protection.