Adyton Data Security Policy
Context and Overview
Key Details
Policy prepared by: Bill Crose
Approved by board / management on: March 23, 2023
Policy became operational on: March 23, 2023
Next review date: Following random penetration test results and executive changes
Introduction
Adyton needs to capture and use select information about individuals, businesses, and business processes.
This policy describes how this data must be collected, handled, and stored to meet the company’s data protection standards and to comply with all applicable laws.
As data security needs evolve, so will this policy.
Why This Policy Exists
This data protection policy ensures Adyton:
Complies with data protection law and good practices
Protects the rights of staff, including contractors, customers, and partners
Is open about how it stores and processes data
Protects itself and its staff, including contractors, customers, and partners from data breaches
Data Protection Law
Various laws describe how organizations, including Adyton, must collect, handle, and store information. These rules apply regardless of whether data is stored electronically, on paper, or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed unlawfully. Our legal responsibility for data protection is underpinned by eight important principles. These say that personal data must:
Be processed fairly and lawfully
Be obtained only for specific, lawful purposes
Be adequate, relevant, and not excessive
Be accurate and kept up to date
Not be held any longer than necessary
Be processed in accordance with the rights of data subjects
Be appropriately protected
Not be transferred outside the system from which it was collected without sufficient permission and protection
People, Risks, and Responsibilities
Policy Scope
This policy applies to:
Adyton's head office and all branches
All of Adyton's staff and volunteers
All contractors, suppliers, business partners, and other people working on behalf of or in coordination with Adyton
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of prevailing laws. This can include but is not limited to:
Names of organizations and individuals
Email addresses
Business addresses
Telephone numbers
Processes (sequences of 2 or more work instruction steps)
All data entered into and captured by Adyton's systems
Data Protection Risks
This policy helps to protect Adyton from some very real data security risks, including:
Breaches of confidentiality. For instance, inappropriately shared information
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data
Responsibilities
Everyone who works for or with Adyton, including clients and users, has some responsibility for ensuring data is collected, stored, and handled appropriately.
Each entity that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of accountability and/or responsibility:
The CEO, Bill Crose, is accountable for:
Reviewing all data protection procedures and related policies, in line with an agreed schedule
Delegating random penetration testing to a world-class, former US CIA and NSA information security professional
Arranging data protection training and advice for the people covered by this policy
Handling data protection questions from staff and anyone else covered by this policy
Ensuring all systems, services, and equipment used for storing data meet acceptable security standards
Dealing with requests from individuals to see the data Adyton holds about them (also called ‘subject access requests’)
Performing regular checks and scans to ensure security hardware and software are functioning properly
Evaluating any third-party services the company is considering using to store or process data, including cloud computing services
Approving any data protection statements attached to communications such as emails and letters
Addressing any data protection queries from journalists or media outlets
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles
Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data
General Staff Guidelines
All data must be treated as if it is confidential
Data access is always limited to people who need the data for their work
Data must never be shared informally. When data access is required, employees must deliver a delimited request, in writing, to their line manager
Adyton will provide training to all employees to help them understand their data-handling responsibilities
Employees must keep all data secure, by taking sensible precautions and following the guidelines below
In particular, strong passwords must be used, and they should never be shared
Personal data should not be disclosed to unauthorized people, either externally or within the company
Data must be regularly reviewed and updated if it is found to be out of date. If no longer required, it must be deleted and disposed of.
Employees must request help from their line manager or the data protection officer if they are unsure about any aspect of data protection
Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is printed, it must be kept in a secure place where unauthorized people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed for any reason:
When not under review, the paper or files must be kept in a locked drawer or filing cabinet
Employees must make sure paper and printouts are not left where unauthorized people can see them, like on a printer
Data printouts must be shredded and securely disposed of when no longer required
When data is stored electronically, it must be protected from unauthorized access, accidental deletion, and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared between employees
If data, including client process documentation, is stored on removable media, those devices must be kept locked away securely when not being used
Data should only be stored on designated drives and servers, and must only be uploaded to an approved cloud computing service
Servers containing personal data must be sited in a secure location, away from general office space
Data must be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures
Data must never be saved directly to laptops or other mobile devices like tablets or smartphones
All servers and computers containing data must be protected by approved security software and a firewall
Data Use
Personal data is useless unless a client business or Adyton can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption, or theft. Therefore:
When working with personal data, employees must ensure their computer screens are always locked when left unattended
Personal data must not be shared informally. In particular, it must never be sent by email, as this form of communication is not secure
All personal data must be encrypted before being transferred electronically. An IT manager can explain how to send data to authorized external contacts.
Employees must not save copies of personal data to their own computers. Always access and update data on the system of record
As often as possible, data must be compiled into groups and users anonymized via avatars before reporting
Cross-organizational performance data, grouped and anonymized to prevent identification of organizations and individuals, may be shared with Adyton partners and their clients
All process records (SOPs) stored in the Pythia database are considered confidential, proprietary information owned exclusively by the Adyton client(s) that produced or had the records produced for their internal use only, and will never be shared by Adyton or its partners without the owner's written permission
All process records (SOPs) stored in the Pythia database for the purpose of being shared with Adyton’s Curriculum Subscribers are the property of the developer(s), will not be shared with non-subscribers in any format, and will be removed from the Pythia database within 60 days of the owner/developer’s written request
Data Accuracy
Adyton will take reasonable steps to ensure data is kept accurate and up to date. The more important it is that the personal data is accurate, the greater the effort Adyton will put into ensuring its accuracy.
It is the responsibility of all who work with data to take reasonable steps to ensure it is kept as accurate and up-to-date as possible.
Data will be held in as few places as necessary
Staff must not create any unnecessary additional data sets
Staff must take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
Adyton will make it easy for data subjects to update the information Adyton holds about them
Data must be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
The marketing databases must be checked against industry suppression files every six months
Subject Access Requests
All individuals who are the subject of personal data held by Adyton are entitled to, with the approval of their employer:
Ask what information the company holds about them and why
Ask how to gain access to it
Be informed of how to keep it up to date
Be informed of how the company is meeting its data protection obligations
If an individual contacts Adyton requesting this information, it is called a subject access request. Individuals requesting data access will be directed to their system administrator. On behalf of individuals, system administrators must email requests to Adyton's data controller at admin@adytonusa.com. Upon request,
The data controller will provide a standard request form
The individual's employer will be charged $10 per subject access request
The data controller will aim to provide the relevant data within 14 days
The data controller will always verify the identity of anyone making a subject access request before sharing any information.
Disclosing Data for Other Reasons
In certain circumstances, personal data must be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Adyton will disclose the requested data. However, Adyton will ensure the request is legitimate on advice from legal advisers.
Google Services
Adyton’s Pythia system uses Google services including Google Cloud, Google Speech, Google SQL, Google Storage, and Google Translate. Google Cloud is 1 of only 4 data security vendors falling within Forrester Research’s “Leader Wave” in 2023. For more information on Google Cloud’s security infrastructure and Forrester Research’s report, follow this link: https://cloud.google.com/security
Providing Information
Adyton aims to ensure that individuals are aware that their data is being processed, and that they understand:
How the data is being used
How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
This is available on the company’s website: www.adytonusa.com/data-safety