Further information about privacy and data protection issues, including the online Register of Data Controllers, can be found on the Information Commissioner’s website at http://www.informationcommissioner.gov.uk/.
2. Who we are
We are Green Text, a trading name of SRCL trading as TextAnywhere a company registered in England and Wales with company registration number 03226910.
Our head office and registered address is:
Green Text is part of the Stericycle Communication Solutions family. At Stericycle Communication Solutions we deliver a range of global communication-based services and technologies that improve the way organisations engage with their customers.
If you have any queries about the information we hold on you, please contact us by email at Welcome@GnText.com or by telephone on 44 (0) 845 873 3000.
We are entered in the Register of Data Controllers with registration number Z1250309.
3. How we collect information from you
3.1. By the use of “cookies”
3.1.1. A cookie is a small text file which is transferred from a website and stored on your computer, tablet, or smartphone. It enables a website to “remember” who you are.
3.1.2. Most browsers are automatically set to accept cookies but if you are using Microsoft’s Internet Explorer, Safari, Mozilla Firefox, and most other popular browsers, you should be able to configure your browser to restrict cookies or block all cookies if you wish.
3.1.5. The table below provides further details about the cookies which are currently in use on our static and application websites, and a description of the purpose of each of these cookies.
|Cookie||Purpose of the Cookie||Intrusiveness to Client||Expiry||Will areas of the Website fail if I disable Cookies?|
ASP.NET_Session Id cookie
|This cookie is necessary to provide essential services to the client as it maintains your page-by-page browsing, useful for your website experience as it remembers when you log in and maintains this logged in "session".
||End of session (when you have finished using the website)
Google Analytics Tracking
This cookie collects information in an anonymous form, data including the number of visitors to the Green Text websites, where visitors have come from and the pages they have visited during their session/time spent on the website.
These cookies are used to collect non-personal information about how visitors use the Green Text website. We use the information to compile reports on usability for internal company use only, and so we can improve the website for our clients.
||No – but it is required for monitoring and improvement to Green Text services
Remember My Email
|This is an optional cookie collected when a user selects the "Remember my email" tick box on the login page of the Green Text Application website. It is used as an optional time saving function for users.
Social Media Widgets
|These cookies are used to allow users to login and use the social sharing widgets on many of our webpages. These include Twitter, Facebook, Google+ and Linkedin. We also use a 3rd party plugin, AddThis, that further expands our social media sharing capabilities.
3.1.6 You can disable the cookies that we attach if your browser supports this. To check and update your cookie settings, you will need to know what browser you are using (Internet Explorer, Google Chrome, Firefox, Safari or any other) and what version of it you have. You can usually find this out by opening the browser, then clicking on 'Help' and then 'About'. This will give you information about the browser version you are using.
3.1.7 To find out how to manage cookies please refer to www.aboutcookies.org or your browser's help options for more information.
3.1.8 Please remember that if you amend your cookie settings your browsing experience may be negatively affected. You may be unable to use some of our online services.
3.2 By registration
3.2.1. We collect information about you that you provide when you register to use our services.
3.3 Through completion of online forms
We collect information about you if you complete any of the various forms on our site to contact us, make enquiries, order products and services, apply to open an account with us, and give us feedback.
3.3.2. We need you to give us certain information, which will be indicated on the form you are required to complete, in order to purchase items from us. It would help us if you give us any other information that you think will be relevant, but you are under no obligation to do so.
3.3.3. Through traffic data and site statistics. We do keep a record of traffic data which is logged automatically by our server, such as your IP address, the URL you visited before ours, the URL you visit after leaving our site, and which pages you visit.
3.3.4. We also collect some site statistics such as page hits and page views.
3.3.5. We are not readily able to identify any individual from traffic data or site statistics.
3.4 By you contacting us by other methods other than the website
3.4.1. The website provides our primary telephone number and email addresses for you to contact us. We will collect information from you that you provide through any of these methods.
3.4.2. We may also collect other information you supply to us after your initial contact with us.
4. Security and storage of information
4.1. We will keep your information secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage.
4.2. Please remember that normal Internet email is unsecure. We do, however, use secure connections when you open an account with us and when you access your account.
4.3. We will store your information at least for the duration of any client relationship we have with you, or as otherwise required by law (normally up to a maximum of 7 years for legal and tax reasons).
4.4. Our approach, responsibilities, and commitment to information security are set out in our Information Security policy.
5. What your information is used for
5.1. If you buy software or services from us, we will use your information to fulfil your order and to provide you with the software or service you have requested.
5.2. If you agree by opt in when you register with us or buy from us, we will also use your information for marketing purposes. If you do not want the information we hold on you to be used in this manner, you can contact us by email at Welcome@GnText.com or telephone on +44 (0) 845 873 3000 and establish your preferences. All such communications will also include opt-out links,
5.3. If you do not object, we may use the information we hold on you to contact you for feedback on your use of our software and/or services and/or website.
5.4. We may use aggregated data about users of our site, sales patterns and other statistical data to improve our site, but it will not be possible to identify individuals from that aggregated data.
6. With whom we may share your information
6.1. We will not share your information with any other organisation except in the following circumstances.
6.1.1. We will share your information with another organisation to which we transfer, or are in discussions to transfer, our rights and obligations under our agreement with you.
6.1.2. We may share your information with another organisation that buys our company or our assets, or with another organisation from which we acquire a company or business, and in the course of any preceding negotiations with that organisation, which may or may not lead to a sale.
6.1.3. We may share your information with our funders or potential funders, such as our bank and with our professional advisers who have a reasonable need to see it.
6.1.4. We will disclose your information to enforcement authorities if asked to do so, or to a third party in the context of actual or threatened legal proceedings or if otherwise required to do so by law.
7. Your rights
7.1. You have a right to rectify any errors in information we hold about you, and to change or correct any details you have already given us. Please inform us about changes to your details so that we can keep our records accurate and up to date.
7.2. You also have a right to be removed from any mailing list we hold at any time, you can contact us by email at Welcome@GnText.com or telephone on +44 (0) 845 873 3000.
7.3. You have a right to see a copy of the information we hold about you on payment of a statutory fee, which is currently £10. Before we agree to this, you must provide us with sufficient evidence of your identity and sufficient details of the information you wish to see to enable us to locate it.
To ensure that this policy is properly implemented, Green Text regularly reviews its privacy progress by the senior management.
Data Processing Addendum
Data Processing Addendum to Green Text’s standard Terms and Conditions ("Agreement") between SRCL Limited trading as Green Text (“Processor”) and the client, (“Controller”) (each a “Party”, together the “Parties”).
- The Processor agreed to provide the Controller with services as further specified in the Agreement and Annex 1 to this DPA (the “Services”) and to implement the technical and organizational measures further specified in Annex 2 to this DPA; and
- In providing the Services, the Processor may from time to time be provided with, or have access to, information of the Controller which may qualify as personal data within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other applicable data protection laws and provisions.
In order to enable the Parties to carry out their relationship in a manner that is compliant with law, the Parties have entered into this DPA as follows:
For the purposes of this DPA, the terminology and definitions as used by the GDPR shall apply.
Further definitions are provided throughout this DPA.
- Responsibilities of the Controller
- The Controller confirms that, in respect of the processing to be carried out under this DPA, the technical and organisational measures of the Processor, as set out in Annex 2, are appropriate and sufficient to protect the rights of the data subject.
- The Controller confirms that the processing to be carried out under this DPA is lawful according to Art. 6 GDPR and that data subjects were informed sufficiently.
- The Controller warrants that all personal data provided to the Processor for its performance of the Services by the Controller has been and shall be processed (including its disclosure to Processor) by the Controller in accordance with GDPR and other applicable data protection laws at all times.
- The Processor shall process the personal data only on behalf of the Controller and in accordance with the documented instructions given by the Controller, unless prohibited by law applicable to the Processor; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless such notification is prohibited by applicable law.
- The Controller's instructions are provided in this DPA and the Agreement. Any further instructions that go beyond the instructions contained in this DPA or the Agreement shall not be effective unless recorded in an amendment to this DPA or the Agreement.
- The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection provisions. In such case, the Processor is not obliged to follow the instruction until the Controller has confirmed or changed it in a way addressing the infringement.
- Obligations and rights of the Processor
- The Processor shall ensure that persons authorised by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any other processors engaged by the Processor, are subject to a binding obligation of confidentiality and that such persons process any personal data to which they have access in the context of performing the Services in compliance with the Controller's instructions.
- The Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those set out in Annex 2.
- The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations of the Processor relating to information security as required by applicable data protection law and by this DPA as applicable to the Services. The Processor shall in particular allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the Controller or an auditor mandated by the Controller. The extent of the Processor’s obligation to assist with such audits shall be proportionate to the nature and purpose of the processing and subject to reasonable prior notice by the Controller.
- The Processor shall notify the Controller without undue delay of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed under this DPA ("Personal Data Breach"). The Processor will assist the Controller with the Controller's obligation under applicable data protection law to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor.
- The Processor shall provide reasonable assistance to the Controller with its obligation to carry out a data protection impact assessment and prior consultation with the supervisory authorities that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller.
- The Processor shall, at the option of the Controller, delete or return to the Controller all personal data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of the Services, and delete any existing copies unless applicable law requires the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the destruction of personal data in the proper performance of the Services.
- The Processor shall designate a data protection officer and/or a representative, to the extent required by applicable data protection law. The Processor shall provide contact details of the data protection officer and/or representative, if any, to the Controller.
- Data subject rights
- Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller, including through appropriate technical and organisational measures, with the fulfilment of the Controller's obligation to comply with the rights of the data subjects and respond to data subjects' requests relating to their rights of (i) access, (ii) rectification, (iii) erasure, (iv) restriction of processing, (v) data portability, and (vi) objection to the processing.
- The Controller shall determine whether or not a data subject has a right to exercise any such data subject rights and give instructions to the Processor to what extent the assistance is required.
- The Processor shall not engage another processor without prior authorisation of the Controller.
- The Processor shall enter into a written contract with another processor (“Subprocessing Agreement”) and such Subprocessing Agreement shall (i) impose upon the other processor the same obligations as imposed by this DPA upon the Processor, to the extent applicable to the subcontracted part of the Services, (ii) describe the subcontracted part of the Services, and (iii) describe the technical and organizational measures the other processor has to implement pursuant to Annex 2, as applicable to the subcontracted part of the Services.
- Where the other processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the other processor's obligations.
- In case any other processor is located outside the EU/EEA in a country that is not recognized as providing an adequate level of data protection, the Processor will (i) take reasonable measures to enable the Controller and the other processor to enter into a direct data processing agreement based on EU Model Clauses (Controller to Processor), or (ii) provide the Controller with information on the other processor's certification under the Privacy Shield program and regularly, at least annually, re-confirm that the other processor's certification under the Privacy Shield program is still valid, or (iii) provide the Controller with other information and relevant documentation on the mechanism for international data transfers pursuant to Art. 46 GDPR that is used to lawfully disclose the Controller's personal data to the other processor.
- Term and termination
The term of this DPA is identical to the term of the Agreement (inclusive of any renewals or extensions). Save as otherwise specified herein, termination rights and requirements shall be the same as those set out in the Agreement.
- Liability and indemnification
- Each Party’s liability for government/authority fines and penalties and any other loss or expense whatsoever (whether direct or indirect) incurred by the other Party for failure to comply with the requirements of any laws or regulations that affect the other Party, to the extent such failure was caused by the Party’s breach of the terms of this DPA, shall be subject to and limited by the limitations of liability contained in the Agreement.
- The limitation of liability set out in clause 8 (a) above shall not apply in case of a Party’s liability for intentional or wilful default and any mandatory statutory liability imposed on that Party.
- Subject to clause 8 (a) and clause 8 (b) above, each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any material breach of this DPA by the indemnifying Party.
- Each Party shall comply with its obligations under the GDPR and under any other applicable data protection laws.
- This DPA shall be governed by the same law as the Agreement except as otherwise stipulated by applicable data protection law. The place of jurisdiction for all disputes regarding this DPA shall be as determined by the Agreement except as otherwise stipulated by applicable data protection law.
- In the event of conflict between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA shall prevail with regard to the Parties' data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties' data protection obligations, the relevant provisions of this DPA shall prevail.
- Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or – should this not be possible – (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.
- Each Party has the right to request changes to this DPA to the extent required to satisfy any applicable and mandatory findings, guidance or orders issued by competent European Union or EU Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors under the national laws applicable and binding to the Controller. The Party receiving such a request shall not unreasonably delay or withhold its agreement.
Annex 1 to the DPA – Description of the processing activities
- Categories of data subjects
The personal data processed concern the following categories of data subjects:
- Green Text customers
- Green Text prospective customers
- Employees/contacts of the above
- Any person identifiable from the content of a text message, e.g. the recipient
- Subject-matter of the processing
The subject-matter of the processing is described in the Agreement. The services that process data are set out in Annex 2.
- Nature and purpose of the processing
The nature and purpose of the processing is described in the Agreement. Essentially the processing enables customers to send messages using Green Text products.
- Type of personal data
The personal data processed by the Processor on behalf of the Controller is determined by the customer who creates the content of the message and chooses its recipient(s). All categories of personal data may therefore be contained in a message.
- 5. Special categories of data (if appropriate)
The personal data processed by the Processor on behalf of the Controller is determined by the customer who creates the content of the message and chooses its recipient(s). Special categories of personal data may therefore be contained in a message.
A summary of the processing pathway is set out in the diagram overleaf.
Green Text Data Processing Pathway
Client = data controller
Client can send and receive data by:-
Email to SMS/SMS to email
Client = data controller
Green Text processes and holds data on servers at Rackspace UK. Including:-
Receiving/sending mobile number
SMS message content
If used, Green Text holds client online address book data (First/Last Name, mobile number).
SMSCs (SMS aggregators). Green Text engages with SMSCs who provide connections to the mobile Networks.
Annex 2 to the DPA – Description of the technical and organizational measures implemented by Processor in accordance with applicable data protection law:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement the following technical and organizational measures to ensure a level of security appropriate to the risks for the rights and freedoms of natural persons. In assessing the appropriate level of security the Controller and the Processor took account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Purpose and scope of Document
To detail the technical and organisational measures undertaken by Green Text (as a Stericycle Group company) to ensure a level of security is provided in its service delivery that is appropriate to the risks represented by the processing and the nature of the personal data being processed, as required by Article 32(1) of the General Data Protection Regulation (GDPR).
Security is a set of preventive measures taken to guard against risk and this document describes those measures.
Failure to comply with the requirements of this procedure may result in investigation and subsequent formal action in line with the Company’s Capability and Disciplinary procedures.
This Document should be read in conjunction with Stericycle policies on data protection which can be found on Stericycle’s website.
- Policy Statement
Stericycle protects the company’s assets from all threats, whether internal or external, deliberate or accidental.
Stericycle will meet all applicable legal, regulatory and contractual requirements and duties of care.
Stericycle is committed to the key principles of GDPR, namely that personal data are:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected and processed for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for the processing;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing (subject to limited exceptions); and
- processed in a manner that ensures the security of the personal data, using appropriate technical or organisational measures.
In particular, it is the policy of Stericycle and Green Text to ensure that:
- Company and client data are protected against unauthorised access
- Confidentiality of information is assured
- Integrity of information is maintained
- Regulatory, legislative and contractual requirements are met
- All staff are familiar with security measures, procedures and standards i.e. aware and conscious of security, potential risks to security, and the value of information.
- Security standards and procedures are used, including the use of passwords and virus control.
- All parties cooperate with each other to prevent or respond quickly to breaches of security i.e. all breaches of security, actual or suspected are reported, investigated and recorded.
- There is general agreement about what is appropriate in terms of security and who is responsible for their implementation.
- Technical and organisational security measures are clear and explained to all employees.
- Company Overview
Green Text was founded in 2003 with the aim of providing first class, secure text messaging systems; in 2013 Green Text was acquired by Stericycle and currently forms part of the Stericycle Communications Solutions Group.
- Description of services / products provided / How we work with you
Green Text provides software and services that deliver 2-Way Electronic Communications to Customers.
Green Text offers the following suite of products enabling the transmission and receipt of SMS messaging:-
- SMSContact – send and receive messages online
- SMSBroadcast – send bulk messages on line
- EmailSMS – send and receive SMS by email
- Developer – build or integrate an SMS function using an API
- Accreditations and Memberships
Green Text has been awarded the following BSI ISO accreditations:-
- ISO 9001: 2015 – This Quality Management certification enables Green Text to demonstrate our commitment to service quality and customer satisfaction. Customers can be assured that we are continually improving our quality management system.
- ISO 14001:2015 – The environmental management certification demonstrates Green Text’s commitment to the environment. The standard provides guidelines on how manage the environmental aspects of our business activities more effectively.
- ISO 27001:2013 –The information Security certification enables Green Text’s commitment to managing information safely and securely.
- ICO Registered – We are registered with the ICO (Registration number: Z1250309) and follow the guidelines provided by the ICO on what our obligations are and how to comply with these including protecting personal information and providing access to official information.
- Certificates can be viewed at http://www.gntext.com/about-green-text/accreditations.aspx
Managing Director / VP International
The Managing Director / VP International endorses and actively supports this Document and e security policy. The Managing Director / VP International ensures that appropriate systems security measures are implemented and adhered to and those individual responsibilities are taken seriously at every level of the organisation.
The IT Director has direct responsibility for maintaining the Data Security Policy. This includes:
- Developing, implementing and periodically reviewing security policies and procedures
- Providing technical advice and guidance on all aspects of Data Security Policy, including legislation, standards, practice and contractual obligations affecting data security
- Ensuring the administration of security access controls
- Reviewing Data Security at regular intervals to ensure compliance with the data security policy, procedures and best practice
- Assessing new security risks as technology and systems change
- Taking reasonable steps to ensure the reliability of staff members e.g. obtaining references from previous employers
- Ensuring that only authorised individuals have access to services and information
- Approving access to secure or sensitive data
- Requiring third party data processors to contractually comply with the obligations imposed on Stericycle Green Text by the Data Protection Act
Quality and Compliance Director
As part of Stericycle Green Text investment in Data Security and Data protection, we have recently introduced the Quality and Compliance Director role, which amongst others, has the responsibility to ensure:
- Compliance to ISO 9001:2015
- Reviewing additional certifications required for the business.
- Providing a framework to conduct Corrective and Preventative action investigations.
- Providing guidance and supporting corporate with the implementation of the GDPR framework and other compliance initiatives.
- The implementation of the Data Security Policy within their areas of business and for the adherence to the Policy, standards and procedures by their staff
- Ensuring that their staff are familiar with the Data Security policy, and their individual responsibilities
- Ensuring that user access is restricted to what is necessary
- Ensuring that individual userids are suspended when staff members leave
- Ensuring that all staff are broadly familiar with the relevant sections of legislation
- Ensuring that adequate and reliable service restoration plans are available to deal with emergencies, disasters and other incidents to ensure continued availability of IT resources
- Be knowledgeable and informed about security practices and procedures.
- Be aware of their responsibilities and accountability with regard to security and understand the consequences of abusing their access privileges.
- Use data and IT equipment in a manner that ensures security of the same.
- Comply with all legal and contractual requirements that apply to the data that they have access to.
- Not disclose their passwords to anyone.
- Not use another individual’s userid and password.
- Ensure that IT equipment and company premises are protected against physical damage, loss, theft or abuse.
- Ensure that contractual requirements relating to security are complied with.
- Call to the attention of a line manager, or the IT director those whom they feel are violating the Data Security Policy. Every effort will be made to ensure anonymity.
- Report to the systems department, flaws observed in the system or technology.
- Refrain from exploiting any lapses in security.
- Be aware that users with access to electronic mail and the Internet can put a strain on data links by downloading large files or attachments.
Green Text maintains a legal register and, amongst others, recognises and complies with the following legislation:-
- Data Protection Act (1998) to be superseded with the General Data Protection requirement.
- Data Protection (Processing of Sensitive Personal Data) Order 2000
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
- Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- Security Awareness / Training
All Green Text staff receive security training on induction and are contracted to adhere to Stericycle information security policies.
Security refresher training is performed at least annually.
- Risk & Opportunities
Green Text maintains a risk register which is regularly reviewed by the management team. Any identified risks are mitigated and opportunities for improvement are effected.
- Sub-Processors / Third Parties
Green Text does not directly sub-contract data processing.
In order to send text messages, Green Text engages with aggregator partners for final delivery and receipt of the text messages. An aggregator acts as an intermediary between companies that want to interact with end users (through their mobile phones) and mobile operators. They provide a ‘gateway’ through which the text message is forwarded to the correct network. Green Text uses multiple aggregators which may vary over time. Further details of the aggregators used by Green Text can be obtained on request by contacting us at firstname.lastname@example.org.
Where a third party carries out data processing of personal data for Stericycle Green Text, we will ensure that:
- There is a data processing agreement in place between Stericycle and the relevant 3rd party which details the nature and purpose of processing and meets the requirements for data processing as set out in GDPR.
- That appropriate technical and organisational measures are in place to protect the data.
- That the third party is contractually obliged to process data only under instructions from Stericycle Green Text.
- That the third party is obliged to comply with Stericycle Green Text obligations under GDPR.
Any third parties that Green Text engages with in the performance of our services are subject to due diligence and annual audits including:-
- Restrictions on copying and disclosing data
- Ownership of software and data
- Return or destruction of data
- Measures to protect against viruses /other malicious software
Green Text does not transfer data outside of the EEA. Note however that a customer may choose to send a text message outside the EEA in which case it will be subject to third party aggregation and transmission via the normal telephony network.
- Information Security
Back Ups and Retention Periods
Green Text takes daily back-ups all client data held on a rolling five day basis. Backups are stored securely at Rackspace UK.
Sent and received SMS data (mobile numbers and message content is deleted after 365 days. Online address book data (first/last name and mobile numbers) is held indefinitely until/unless the client deletes this or requests Green Text to do so.
Business Continuity Plan
Green Text maintains a Business Continuity Plan in accordance our ISO 27001 accreditation requirements. The BCP is reviewed at least annually.
Viruses and other Malicious Software
Green Text runs and keeps up to date anti-virus software.
Green Text runs a monthly patching program in line with industry standards.
Green Text runs internal monitoring systems to ensure system availability.
Green Text works on multiple mirrored systems and partners to ensure system continuity.
Green Text ensures that all system changes are subject to test and review before being made available in the live customer environment.
- Access Control
System access is controlled by VPN.
Staff access to data is on a need-to-know basis, all staff have unique Userids and passwords, access is controlled by an audited rights system.
Green Text data and systems are hosted at Rackspace UK. Physical Security is strictly controlled in line with Rackspace policies.
Data is processed only in accordance with Green Text’s contractual obligations for the purpose of transmitting and receiving text messages. Green Text does not share this data with any third parties for any reason beyond processing messages unless required to by law.
Green Text does not allow the storage of data on any removable devices.
Personal data processed by Green Text for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Message data is available for client download through the online account for up to 60 days before secure segregation.
Message data outbound and inbound, including the mobile number and message body, is retained in total for 365 days before permanent electronic deletion.
Address book data, if used, including First Name, Last Name and mobile number is retained indefinitely until deleted by the client through the online tools or requests Green Text to do so.
- Data Security Incidents
Green Text has a fully documented data security incident which includes:-
- Reporting procedures
- Incident reporting portal
- Defined escalation procedures
- Procedures audited in line with ISO 27001 requirements.
Green Text undertakes not to use, nor disclose to any unauthorised person, any confidential information relating to or received from our Clients for any reason unless expressly authorised by the Client, or required by law.
We understand that the use and disclosure of all information about living, identifiable individuals is governed by the Data Protection Act and we will not use or disclose any personal data acquired for any purpose that beyond the purposes of processing text messages in accordance with the Client’s requirements.
We understand that we are required to keep all confidential and personal data securely, and undertake to follow all relevant procedures in doing so.
Legal requirements are reviewed as part of our quality management systems and ISO 9001, ISO 27001 accreditation.