RapidPay Security Policy
This RapidPay Security Policy (“RSP”) governs the processing of Personal Data provided by the Subscriber in connection with their use of the RapidPay Services and is incorporated into the Terms. In the event of any conflict between the Terms and the RSP, this RSP will prevail.
1. The Subscriber’s Compliance with GDPR
The Subscriber agrees that they are a Data Controller and that RapidPay is a Data Processor for the purposes of processing Personal Data. The Subscriber shall at all times comply with the GDPR in connection with the processing of Personal Data. The Subscriber shall ensure all instructions given by it to RapidPay in respect of Personal Data shall at all times be in accordance with the GDPR.
2. RapidPay’s Compliance with GDPR
2.1 RapidPay, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed under it under the GDPR. RapidPay shall:
(a) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(b) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms;
(c) not transfer the Personal Data provided by the Subscriber to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR;
(d) promptly inform the Subscriber, if in RapidPay’s opinion, any of the instructions regarding the processing of Personal Data provided by the Subscriber, breach any applicable data protection laws.
(e) use reasonable endeavours to assist Subscriber by implementing appropriate technical and organisational measures (insofar as this is possible taking into account the nature of the Processing), for the fulfilment of Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down GDPR; and
(f) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by RapidPay. The parties acknowledge and agree that the Terms (subject to any changes to the RapidPay Services agreed between the parties) and this RSP shall be the Subscriber’s complete and final instructions to RapidPay in relation to the processing of Subscriber Personal Data;
2.2 The Subscriber acknowledges that, with certain exceptions, RapidPay does not have access to Personal Data and will require permission from a Subscriber if asked to provide services related to the RapidPay Services. The Subscriber shall provide access to the RapidPay personnel only on an as-needed basis and to terminate such access promptly after the need for such access has expired. In the performance of helpdesk support where file-sharing is used, it is the responsibility of the Subscriber to ensure that all sharing sessions are terminated.
3. Data Ownership, Deletion and Portability
3.1 If a Subscriber ends their agreement with RapidPay, RapidPay will retain the Subscribers Data for a period of seven (7) years before having it destroyed.
3.2 The Subscriber can request that their Data is deleted upon their termination, or at any time before the seven (7) year expiration date.
3.3 RapidPay will enable The Subscriber to delete Personal Data (email@example.com).
3.4 RapidPay will enable The Subscriber to extract Personal Data on request.
4. Data Sovereignty and Integrations
4.1 The Subscribers Data, including Personal Data, is housed in a highly available, active-active scalable solution situated in the ISO 27001 certified AWS data centres in Dublin.
4.2 RapidPay shall not engage any other Sub-Processor for carrying out any processing activities in respect of Personal Data without the Subscriber’s written authorisation and ensuring sufficient provision of compliance with GDPR including a contract.
5. Data Encryption
5.1 Each RapidPay application is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet, against eavesdropping, tampering, and message forgery.
5.2 All stored Data is encrypted at rest, using AES-256, military grade encryption. This is done to protect Data in the event a RapidPay server is compromised by an unauthorised party.
6. Technical and organisational measures
Taking into account the state of technical development and the nature of processing, RapidPay shall implement and maintain the technical and organisational measures set out in Appendix 3 in respect to Articles 32 to 36 to protect the Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
RapidPay shall, in accordance with GDPR, make available to the Subscriber such information that is in its possession or control as is necessary to demonstrate the RapidPay’s compliance with the obligations on each party imposed by Article 28 of the GDPR, and at the Subscriber’s expense, allow for and contribute to audits, including inspections, provided such audits or inspections are:
(a) limited in scope to matters specific to the Subscriber and agreed in advance;
(b) carried out during UK business hours and upon reasonable notice which shall be not less than 90-days’ notice unless an identifiable material issue has arisen; and
(c) conducted in a way which does not interfere with the RapidPay’s day-to-day business.
8. Information Security Personnel
RapidPay has a dedicated team of Information Security Specialists who continually monitor the AWS infrastructure and RapidPay Services. All employees, agents, officers and contractors involved in the handling of Personal Data:
(a) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
(b) have received appropriate training on their responsibilities as a Data processor; and
(c) comply with the terms of this RSP.
9. Backup Policy and System Monitoring
RapidPay servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
10. Data Breaches
RapidPay shall notify the Subscriber without undue delay and in writing on becoming aware of (and in any event within 72 hours of discovering) any Data Breach in respect of any Personal Data.
RapidPay will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist Subscriber in meeting their obligations under the GDPR.
If a vulnerability is identified or Data is available publicly outside of the RapidPay Services, please contact RapidPay immediately via firstname.lastname@example.org
Appendix 1: Definitions
Unless otherwise defined in this policy, all terms in bold will have the meanings given them to them below:
Terms means the Terms agreed between RapidPay and the Subscriber for the provision of RapidPay Services
AWS means Amazon Web Services based in the Dublin Region, acting as an agreed sub-processer
Data Breach has the meaning defined in the GDPR
Data Controller has the meaning defined in the GDPR
Data means all data held with the RapidPay Services
Data Processor has the meaning defined in the GDPR
EEA means the European Economic Area
GDPR means the General Data Protection Regulation (EU) 2016/679
ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services
RapidPay means Rapid Financial Services Solutions of 10 John Street, London, WC1N 2EB
RapidPay Services means the services outlined with the Terms and all other future applications or services provided by RapidPay
Personal Data has the meaning defined in the GDPR
Regulator means the Solicitors Regulatory Authority, The Law Society of Scotland, The Law Society of Northern Ireland or The Law Society of Ireland
Subscriber means a person or organisation who pays monthly for access to the LEAP Services
Sub-Processor means another Data Processor engaged by RapidPay to carry out processing activities in respect of Personal Data on behalf of the Subscriber
Term means the period from the activation date until the suspension date and any post-termination period during which RapidPay may continue providing the RapidPay Services for transitional purposes
Term means the period from the activation date until Terms means the supply and support terms and conditions contained in the Terms
Appendix 2: Subject Matter and Details of the Data Processing
RapidPay’s provision of the RapidPay Services to The Subscriber.
Duration of the Processing
The Term plus the period from the expiry of the Term until
deletion of all Data by RapidPay in accordance with the Security Policy
Nature and Purpose of the Processing
RapidPay will process Personal Data for the purposes of providing the RapidPay Services to the Subscriber in accordance with this RSP
Categories of Data
Data relating to individuals provided to RapidPay via the RapidPay Services, by (or at the direction of) the Subscriber or by the Subscriber’s customer
Data subjects include the individuals about whom data is provided to RapidPay via the Services by (or at the direction of) the Subscriber or by the Subscriber’s customer
Appendix 3: Technical Measures
Data subjects include the individuals about whom Data is provided to RapidPay via the RapidPay Services by (or at the direction of) the Subscriber or by the Subscriber’s customer
Local & Network Firewalls
Web Application Firewalls
Intrusion Detection & Prevention Systems
Application White Listing
DDoS Throttling Services
Access Control Lists
Security Patch Management
ITIL Framework (release/incident/change)
Identity and Access Management
Centralised Log Management
Symmetric and Asymmetric Encryption systems
Two Factor Authentication
Secure Code reviews
Separation of Duties
Data Loss Prevention
Externally commissioned penetration testing
Externally commissioned audits
Remote Monitoring & Alerting