Table of Contents
You are trusting us with your data and information when you use our cloud services. This is a big responsibility, and we work hard to protect the information and data we collect. This policy should answer any questions you may have around how we process and handle your information and data.
Records365 Data Protection and Collection Policy
Information that RecordPoint collects
The Records365 cloud service that RecordPoint operates offers records management capabilities across a variety of content repositories such as SharePoint Online, OneDrive for Business, Box and others.
Through Records365, RecordPoint collects two types of data:
- Metadata; and
- Binary content.
What is metadata?
Metadata is information about information. It is the additional information that is captured in addition to the actual documents and files that reside in the content repositories that we manage. Examples of metadata are things like the title, author, created and the content’s last modification date/times. Often content repositories allow users and administrators to define additional pieces of metadata (or ‘properties’) that should be captured with different types of content. Examples of this are capturing the monetary value of a contract document or capturing the date that an HR file is closed. This enriches the content repository and typically allows users to search and browse using the additional pieces of metadata.
What is binary content?
Binary content is the actual documents and files that live in the content repositories that we manage. Examples of this are Word documents, Excel spreadsheets, images and any other content that are stored in your content repositories.
You may choose not to capture binary content in Records365 although this may have implications for the functions available within the service.
As a result, RecordPoint collects a broad spectrum of data depending on what is kept in the metadata of your content and the actual content itself. Some examples are:
- Financial documents.
- Policy and procedure documents.
- Client and employee contracts.
- Human resource documents and files.
- Client information.
In addition, RecordPoint collects summary information about how you are using our cloud service. This summary information may include:
- Storage consumed on our backend systems.
- The number of records under management.
- The number of items configured in your file plan.
- The number of rules configured in our rules engine.
- Login frequency of end-users accessing our portal.
Personal Information and Sensitive Information
The metadata and binary content captured by Records365 may include Personal and Sensitive Information depending upon what you store in your content repositories that are managed by Records365.
- Personal Information is information that identifies an individual. Examples of Personal Information that may be captured in the Records365 service include names, addresses, email addresses, phone or other contact details.
- Sensitive Information is a subset of Personal Information which needs to be managed with particular care which may relate to a person’s race, ethnic origin, politics, religion, trade union membership, genetics, health, sex life or sexual orientation.
All data stored within Records365 is encrypted.
Why RecordPoint collects data
RecordPoint collects data within Records365 solely for the purposes of providing our records management service to our customers. This means that the metadata and binary content collected (including any Personal or Sensitive Information) is stored for the sole purpose of ensuring that you are compliant with records keeping standards and regulations that apply to you. As an example, a user deletes content, such as a Word document, out of a content repository that is being managed by Records365. The metadata of that document and the document itself is retained within Records365 according to the retention schedules and policies that apply to your business.
It is important to note that you have total control over the content you choose to manage using Records365 and therefore what data we collect as part of providing the service.
Summary information, such as storage consumption and record counts, are collected for operating and continually improving the service we provide to you. These metrics help us in the following ways:
- Maintain and improve our services to ensure that our cloud service is ready to grow with your business.
- Measure the performance of our service to ensure you are getting the best experience possible.
- Develop new services to improve your everyday experience and interactions with our cloud service.
Sharing your information
We do not share your data and information with companies, organizations or individuals outside of RecordPoint, except for the following cases:
- For service improvements – we may provide access to your data to our trusted business partners, based on our instructions and in compliance with our internal security policies and procedures. It is important to note that your data never leaves our production environments in this case.
- To comply with regulatory or law enforcement requirements – if we receive a legitimate legal order from a regulatory body or law enforcement to share your information we will comply with that order. In all cases, we will notify you unless legally prevented from doing so.
GDPR and Records365
There are three classifications that an organization can fall into under GDPR:
- Data Controller – means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed
- Data Processor – means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- Both (Data Controller & Data Processor)
RecordPoint is classed as a ‘data processor’ under the GDPR legal framework for any data that you store in Records365. We process data and information from your content repositories managed by Records365. However, we have limited knowledge of the data being processed from the content repositories that Records365 manages. Also, RecordPoint only processes data per our customer’s instructions. Therefore, RecordPoint is a processor of customer data ingested by Records365 and the customer is the ‘controller’.
Keeping your information secure
RecordPoint’s Records365 cloud service is built and operated with security in mind. RecordPoint has several technical and organizational controls and measures in place to protect and secure the information and data that we collect. We work hard to protect you and RecordPoint from unauthorized access, alteration, disclosure or destruction of information we hold.
Microsoft Azure provides the cloud compute platform on which Records365 operates. It is compliant with several widely accepted security and privacy standards, such as ISO27001 and SOC 2. As a result, Azure provides a secure foundation which RecordPoint leverages to deliver Records365. You can find out more about Microsoft Azure security certifications and compliance by visiting the Azure Trust Center.
RecordPoint also holds a SOC 2 Type 2 attestation report. We are committed to renewing this attestation regularly with an independent auditor. SOC 2 provides a standard set of criteria and trust principles that govern how cloud service providers like RecordPoint should handle your information and data. Specifically, our attestation report covers the following three trust principles:
- Security: The system is protected against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed.
- Confidentiality: Information designated as confidential is protected as committed and agreed.
Here are some of the key things that we do at an organizational and technical level.
- Our employees are subject to background and reference checks
- All our personnel undergo security awareness training as part of the onboarding process and annually thereafter.
- We have developed and adhere to formal security policies and procedures that are distributed to our employees when they join RecordPoint. We also ask our employees to reaffirm their understanding of these policies and procedures on an annual basis.
- We have developed and adhere to formal incident response policies which cover the management of security and data breaches.
- Changes made to production environments are reviewed by a change control board which assesses and approves changes. This ensures that all changes we make are sound from a risk, quality and security perspective.
- We only grant access to production environments to a small subset of authorized personnel that operate and maintain our cloud service.
- Data moving to and from our production systems is encrypted whilst in transit.
- Data at rest is encrypted.
- We perform regular external and internal vulnerability scans to ensure that we are not susceptible to malicious attacks or exploits.
- We perform penetration testing (through a 3rd party auditor) on an annual basis to ensure that the services we provide are secure.
- We review perimeter security, such as firewalls, on a regular basis to ensure that our environments remain locked down.
- We employ intrusion detection and prevention systems that alert us if there is unusual activity in our production environments.
- When accessing production environments, our employees are required to authenticate via encrypted logical access points using multi-factor authentication.
- We review production environments on a regular basis to ensure only authorized RecordPoint personnel have access to operate and maintain our services.
All the above controls are audited by a 3rd party as part of our annual SOC 2 Type 2 audit. The results of this audit can be made available upon request by contacting email@example.com.
Exporting & deleting your information
RecordPoint offers limited capability when it comes to exporting and deleting the metadata and binary content that we have collected from the content repositories that we manage. The following options are available to export and delete metadata and associated binary content.
You can purge binary content in your Records365 service by performing a disposal of records. This purges all binary content associated with the records being disposed. We only allow you to dispose records once they are due for disposal based on the disposition rules that have been applied.
For example, if an end-user creates a document in a content repository that Records365 manages, then the following occurs:
- Records365 captures a record of the document containing things like author and title.
- Optionally, Records365 captures the actual document itself – the “binary content”.
- A category and retention schedule will be applied to the record. For example, the document could be categorized as a “Major Contract” and must, therefore, be retained for 7 years.
Once the 7 years have elapsed the record can be disposed, purging any associated binary content from our service.
Please note, the metadata cannot be deleted as it represents the certificate of destruction that RecordPoint keeps for your compliance purposes.
You can export and transfer data that Records365 has collected from your content repositories. This allows you to copy the metadata and binary content captured to a storage location that you control.
If you have any questions or queries regarding exporting and deleting data by Records365, then please contact firstname.lastname@example.org.
Last Updated: February 27, 2022