InfoSec Statement

Introduction

Esendex is certified and operates to the ISO 27001 Information Security standard. A copy of our certificate can be found here.

This standard is applied to all areas of the business; both our office and production environments are certified on an annual basis by an accredited external auditor.

A customer facing version of our Information Security Management System (ISMS) Manual detailing these measures is also available to customers on request. The manual provides statements on how we implement the ISO 27001 controls at Esendex.

As an illustrative, high level overview, Esendex has taken the following measures, among others:

Access Control
Firewalls
Antivirus
Secure Equipment Including Laptops and Mobile Phones
Data in Transit / Encryption
Backup, Disaster Recovery and Business Continuity

We schedule and conduct regular backups to ensure that all data is stored safely, securely and remains available for the purpose of restoration in a disaster recovery situation.

Monitoring
Employee Training and Education

All employees:

Policies and Procedures

In addition to the above, we maintain, enforce and support policies to ISO27001 standard for:

All of these measures and the entire ISO systems are audited internally by the compliance team and externally by our third-party accreditation body on an annual basis. The compliance team also conduct security sweeps on an ad-hoc basis to ensure that certain policies are being adhered to by all staff.

Risks

Esendex continuously assesses all risks. Risk assessments detail treatment plans that act as recommendations to help the business reduce the impact and/or probability of the identified risk. Risks and treatment plans are regularly reviewed; we assess risks related to our systems, staff, assets and operational activities. Esendex has identified this as an area in which, whilst compliant with requirements such as ISO 27001, we adhere to the principle of continual improvement.

We use enterprise risk management software to support and enhance our approach to risk management. We identify dependencies as risks to our business and security objectives through risk registers, with activities arising to treat those risks effectively.

Breach Notifications

Esendex takes all of the above measures to secure your data as part of our Data Processing activities. In the event of a data breach, we will inform you within 24 hours of us becoming aware of any security issue that has led to a data breach including any customer data.

We have also:

Data Protection Officers

Esendex has a dedicated compliance team that is responsible for all Data Protection questions, requests, issues and queries across the organisation. Any questions that you have in relation to Data Protection can be raised with your account manager. Subject access requests are detailed in the section below.

The Rights of Data Subjects

Esendex will not respond directly to any request raised by one of your customers whose data we have processed. We will contact you to make you aware of the request and assist you in meeting your obligations under the Privacy Act. Examples of where we may need to assist to meet the rights of a data subject include:

Right to Access

Data that you transferred to Esendex can be made available for this purpose, providing it is still stored by Us. Such requests can be raised with Esendex by contacting our Support Team. There may be a charge associated with requests of this nature – please contact your account manager for details. Requests will be fulfilled within 30 days of us receiving the request from you.

Records of Processing Activity

Esendex only processes your data on your instructions and for the purpose of providing the communications service that is part of the performance of the contract between You and Us. The sole purpose of our processing activities is the transmission and delivery of communications to your end users.

We keep a record of all the messages that we send on your behalf in line with our data retention policy. This is for no longer than two years from the date that the communication is sent.

Third Party Transfers

Esendex passes your information to network operators for the purpose of delivering your communication to the End User's handset or Network Termination Equipment. This type of transfer is intrinsic to the provision of our products and services.

A feature of our service – Sent Items Download – is hosted within Microsoft Azure.

Messaging Studio and Rich Content/Communications Service (RCS) data is hosted in Microsoft Azure for operational purposes.

For all third party networks that we use, we have conducted a due diligence audit to ensure that each supplier has taken adequate technical and organisational measures required to offer security standards that are materially similar to those described in this document for our own infrastructure.

We have also entered into contracts with all third parties that solidify the data protection obligations of all parties and extend the minimum requirements detailed in any Data Processing Agreement between You and Us to our suppliers.

Data Maps

As part of our privacy framework, Esendex has conducted comprehensive data mapping of our systems to provide “Data Life Cycles” for all of the PID that we process and control. Customer facing versions of our data maps are available upon request to help you meet your obligations under the accountability principle of the GDPR. Requests can be raised with your account manager, who will be able to share data maps specific to Our products and services that You use.

Privacy Impact Assessments (PIA)

We understand that certain types of processing may require our customers to complete a PIA to ensure they take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APP Guideline Provisions and enable them to deal with enquiries or complaints about privacy compliance. Esendex is a service provider for business communications and does not have visibility of the content you are sending through our platform. If you require our input into your PIA, please raise any requests of this nature with your account manager.