Data Protection & Security
We take the responsibility of data protection and security very seriously. For this reason we have developed all of our systems from the ground-up with security foremost. We have put in place a code of practice to ensure integrity at all times and we have a regular programme in place for auditing data security and protection.
For a brief overview of our security and data protection procedures, please see the following video:
Our code of practice that governs how we protect and handle sensitive data is based on the following key principles:
- Data is only stored when it is absolutely necessary to do so
- Data is only stored in a secure environment using industry-standard encryption techniques
- Data is never shared with any third-parties
- Data is transferred between storage locations only when it is absolutely necessary to do so
- All data that is transferred between storage locations is done so via a certified secure connection
- Only approved individuals who work for Pro Delivery Manager are given any access to the data, and only when their role dictates that this is absolutely necessary
These key principles are applied in the following ways.
Our latest audit has identified that the storage of sensitive data is limited to the following locations:
- Client databases hosted in UK data-centre
- Mobile device memory (temporary)
- Computer system at software developer premises (temporary)
Further details regarding how and why data is stored at these locations is provided below.
Client databases hosted in UK data-centre
In order to provide our order and delivery management service we need to store information about your delivery depots, your customers, your customer's orders and courier tracking data (location data) on a web server that is accessible over the Internet.
A separate database is created for each PDM account holder. The database of each account holder thus only contains information relating to their business and customers.
Each database is secured by a strong password. The password is only known by the website services that require access to the data.
The databases are hosted on dedicated servers at Memset, a UK-based data-centre. Please see Memset's security policy for details on how these servers are maintained within a secure environment.
The web servers are maintained by our development team at IB Computing. Memset staff do not have access to the web server consoles. Only selected staff at IB Computing have access to the web server consoles. In addition to access control by user account authentication, access is restricted to a single IP address which is used only by IB Computing.
The web servers are protected from unauthorised access by the following technologies:
- Hardware firewall at Memset (includes Denial-of-Service attack detection and prevention)
- Software firewall on each server
- Anti-virus software
- Windows Server group policies
- Windows Server user authentication
To mitigate unauthorised intrusion, IB Computing ensure that the servers have the latest security patches an anti-virus software updates applied. For further information on how server security is audited, please see our section on auditing below.
Mobile device memory
In order to use the PDM app for managing deliveries when there is no Internet data connection available, customer, delivery depot, courier and scheduled delivery information is downloaded to the mobile device when the courier logs in.
All sensitive data downloaded by the app is stored in a temporary memory area. This means that when the user closes or logs out of the app this data is cleared from the memory storage area. No sensitive data is stored in the device's persistent memory area apart from updates to delivery data that is waiting to be synchronised back to the web server. As soon as any data is synchronised with the web server this data is cleared from the persistent memory area on the device.
All data transmitted, is encrypted using an industry-standard encrypted format. The app source code is encrypted by a security certificate. The app is run in production mode so that it cannot be accessed via debugging tools.
Computer system at software developer premises
If one of our clients requests that we assist with importing their customer database to the PDM system, a member of our development team at IB Computing may temporarily store the data import file provided by our client on their computer system. Once the data has been successfully imported however, such data import files are permanently deleted.
No other sensitive data is stored at IB Computing's premises.
Our latest audit has identified that the transmission of sensitive data is limited to the following occasions:
- Transmission of data between the mobile app (PDM App) and web server
- Transmission of data between the PDM web application (PDM Web) and web server
- Relocation of databases between web servers
Transmission of data between the mobile app and web server
Data is transmitted over public networks. If the app is permitted to use a mobile data connection then data may be transmitted over the network of mobile carriers. Whatever networks are used for data transmission, data is kept secure at all times by using encryption as described below.
All data transferred between the mobile app and web server is encrypted using a industry-standard security certificate provided by AlphaSSL. The data is encrypted using a 2048-bit key.
Transmission of data between the web application and web server
Data is transmitted over public networks via the user's Internet Service Provider. Whatever networks are used for data transmission, data is kept secure at all times by using encryption as described below.
All data transferred between the online delivery manager website and web server is encrypted using a industry-standard security certificate provided by AlphaSSL. The data is encrypted using a 2048-bit key.
Relocation of databases between web servers
On occasion it may become necessary to transfer a client's database to another web server. On such occasions, the work is carried out by qualified staff at IB Computing. Sensitive data is transferred directly between servers using a secure connection.
Our latest audit has identified that access to sensitive data is controlled at the following points:
- Login to PDM Web/App by account users
- Login to web server consoles by staff at IB Computing
Further details regarding access control at these points is provided below.
Login to PDM Web/App by account users
When a user logs in, their login details are transmitted in encrypted format to the web server hosting the client's database. If the login credentials match a known user account a unique session key is generated and returned to web browser. Future requests for data access made by the user to the web server are authenticated by the unique session key.
The user can log out of PDM Web or PDM App using the button provided for this purpose. The session key is cleared upon log out.
Login to web server consoles
Only selected staff at IB Computing have access to the web server consoles. In addition to access control by user account authentication, access is restricted to a single IP address which is used only by IB Computing.
We regularly audit all of our systems to ensure that our code of practice is being followed meticulously.
IB Computing carry out an additional regular audit to ensure that all hosted data is secure and has not been compromised.
Data Protection Governance
Pro Delivery Manager are registered with the Information Commissioner's Office for Data Protection purposes. Their registration number is ZA06570.
IB Computing are registered with the Information Commissioner's Office for Data Protection purposes. Their registration number is Z1207765.
Both Pro Delivery Manager and IB Computing have developed their data protection policies in line with the guidance provided by the ICO.
Each client that resisters an account with Pro Delivery Manager should also be registered with the Information Commissioner's Office for Data Protection purposes. This is a requirement stated in our Terms and Conditions of service. We expect our clients to use our services in line with guidance provided by the ICO.