Octopus Privacy Policy

Who Octopus are

Octopus Enterprises Ltd (Company No. 09884006) trading as Octopus or Octopus Computers (Octopus), are a private limited company offering primarily digital and technical services to a variety sectors. Our website address is: https://www.octopus-computers.com

 

What personal data we collect and why we collect it

Octopus Computers may hold information on any of the following, henceforth referred to as subjects.

  • Customers (Current, Past and Potential)
    • Individuals
    • Businesses
    • Organisations
    • Public Bodies
  • Suppliers (Current, Past and Potential)
  • Staff (Current, Past and Potential)

Octopus Computers will hold some, if not all, of the following information for any given subject:

  • Name
  • Email address
  • Phone numbers
  • Addresses
  • Staff lists
  • Login details (usernames and passwords)
  • IP addresses
  • Personal machine identifiers
  • Remote access
  • Payment and billing information
  • Descriptive information
  • Business cards
  • Backups

The reasons Octopus collects data are numerous but are all important to enable us to effectively provide our services. We collect data for the following reasons:

  • To identify our data subjects.
  • To enable us to maintain a channel of communication with our data subjects.
  • To contact data subjects in relation to the function of their technology, such as but not limited to:
    • anti virus protection
    • website functionality
    • service renewals
    • service drop-outs
    • any other faults detected
  • To enable us to assist and support quickly and effectively when faults occur or when assistance is otherwise requested.
  • To enable us to setup and manage technological services including but not limited to:
    • email
    • websites
    • servers
    • online storage
  • To enable us to provide access assistance in the event that our data subjects encounter difficulties with logging into their authorised accounts and devices.
  • To enable us to invoice and seek payment for our services in a timely manner.
  • To enable us to market our services to our data subjects if they agree to such communications.

 

How information is stored

Primary customer information (data which is used and accessed on a regular basis) is stored between Google Cloud and Xero. For a list of additional data locations please request document OC-DP006 – Data locations. All of the information Octopus Computers has stored is encrypted and protected to the best of our ability.

Primary Data Locations

Customer data is stored between the company’s Google Cloud storage facility and Xero accounting software, both only accessible through secure browser or mobile applications. Customer data pertaining to online hosting, such as that relating to websites, is stored within our secure, encrypted, HIPPA compliant, password-protected, company reseller console online.

How we protect our data

We employ various methods of security to protect the data of our data subjects. The method used depends on the most secure, available option for that given data location. These methods include the following.

  • Local machine encryption
  • 2-step authentication
  • Fingerprint
  • Face-ID
  • Secure passwords
  • Fido Secure Keys
  • Automatic lockouts
  • Physical security

The Octopus Computers Google Cloud storage facility is protected by 2-step verification, authorised only by company employee secure keys, and individual secure passwords. Where mobile devices are used to access the Google Drive, devices are protected by fingerprint or face recognition, individual secure passcodes, and can be remotely-wiped if necessary. Xero is password protected with access on an encrypted device requiring password and secure key access. All local company machines are encrypted by a 256-bit key specific to each machine and are protected by secure user passwords. User passwords are at least 10 characters, and include at least one of each of the following:

  • Uppercase letter
  • Lowercase letter
  • Numeral
  • Special character or punctuation

This level of security is applied to both employee machine administrator accounts, and company Google account access. Mobile device passcodes (where used) are at least 6 characters long. All machines auto-lock after being unattended for a maximum of 10 minutes. Only machines kept on company premises or kept on an employee’s person, where authorised, (for example one’s mobile device) are permitted to be logged into company accounts such as Google or Xero, as these devices can be monitored and remotely managed if needed.  Any additional machines or devices must be logged out of authorised accounts when left unattended. Authorised machines are monitored and logged in our policy documents. External hard drives used to backup customer data are kept in a locked safe.  These are usually fully erased 2 weeks after data subjects have submitted written confirmation they have no further need of the data. Customer machines that are on the premises for repair or support are kept in the support office.  The door to the support office is further secured with a night latch lock. Information pertaining to customer machines is stored on a “work in” log stored within the security of the company Google Drive.  No passwords or personal information are left written down. Information taken down in hard copy are transferred to the log and then shredded. The office building is secured with two 5-lever mortice locks. Interior doors are further secured with night latch locks. Any information taken from meetings or consultations is scanned and uploaded into the Google Cloud storage facility and paper copies are then shredded. All paper notes and documents detailing personal data are scanned, uploaded into the Google Cloud storage facility and then shredded.  Where this is not appropriate, they are kept in locked filing cabinets.

How is this managed

To enforce and monitor compliance, all users, devices and machines are audited every 3 months.  Audit and Monitoring processes are outlined in our policy documents. In addition, connection of mobile devices to the company Google account will be checked to ensure there are no unnecessary, unmonitored sign-ins. Password compliance is monitored alongside Data Protection auditing by observing employees use of appropriately secure passwords to access their machines and accounts. These passwords are not stored. A log of these checks is kept in our policy documents.

How information is shared

Information may be shared with 3rd parties who are able to extend our support services.  These can include our data subjects’ web hosting companies, our own subcontracted web developers, and other subcontractors involved in setting up and maintaining various elements of IT infrastructure. Efforts are made to ensure that these 3rd parties also comply with our Data Protection policies. Each of our partner organisations sign a binding corporate agreement agreeing to comply with our own Data Protection policies. Alternatively, a record of their data compliance policies are obtained and verified. A separate record of these organisations and their agreement to comply is kept within our policy documents.  

Where has personal data originated?

Data subject data stored by Octopus comes from a variety of sources. Data subjects provide data relating to themselves directly to us verbally, electronically via email, and by verbally consenting for us to record information while on site at their home or business. Data is also been collected by Octopus technical staff during remote sessions and on site visits. Consent is obtained for collection and storage of our data subjects’ data using signed consent forms (reference document OC-DP004a) which is then stored in their corresponding folder on the company Google Drive.

How consent is obtained for storing and using personal data

Data subjects are asked to read and sign consent document (reference OC-DP004).  This is then scanned and kept digitally alongside their customer file. Data subjects are asked to consent to our storage and processing of their data. Data subjects are asked to consent to our having remote access to their machines to enable our technicians to view any issues raised. Data subjects may be asked to consent to receive marketing.  In order to do so, the customer can opt-in by ticking the box on our consent form that gives us permission to use their information to send marketing material. A log of data subjects consent is kept within our policy documents.

How we deal with requests for data provision or erasure

Before requests for data provision are acted upon, the identity of the data subject is verified using one of the following methods:

  • Verify the request with a secondary person within the same organisation.
  • Two pieces of information we can verify are requested to prove the identity of the data subject, such as (but not limited to) their email address and postcode.
  • Electronic requests are verified verbally and vice-versa.
  • The requested information is delivered to a known, secure email address or phone number.

Data is then provided directly to the data subject either electronically (for large files) or verbally, whichever is most appropriate, within 40 days of the request being initiated. Data subjects wishing to have their data erased must provide a written request, either in hard or digital format, which is then kept on file.   Their data is then removed in the following ways:

  • If stored on a hard drive, the customer’s data is erased and subsequently “zeroed” – a process which involves overwriting the binary code with only 0s – completely eradicating the data.
  • If stored within our company Google Drive, the customer’s data is found by entering both their name and email address.  All relevant entries found are then deleted and any further information stored on collaborative database files is removed from activity.
  • Data stored within other systems, such as Xero, is also removed. A full list of data locations can be found in document reference OC-DP006 – for more information or to request a copy of our policy documents, please contact us.

How we detect, report, and investigate data breaches

One of the many benefits of using the Google system is that each employee receives sign in notifications when their account is used to sign in on an unauthorised machine.  This immediately alerts us to a potential breach, enabling the company to revoke access from the unauthorised machine and prompting the employee to reset their security credentials. We also regularly check internal email addresses against online published lists of compromised email accounts.  If an Octopus Computers address is listed, steps are taken to investigate the extent and relevance of the breach, and security credentials are changed. We record these checks in our policy documents. We check Google sign in audits on a quarterly basis as part of our audit process to ensure there have been no unexpected logins or attempts. Physical inspection of company premises and computer hardware are carried out on a weekly basis to ensure no attempts at break-in or theft have occured. A thorough physical security inspection is conducted quarterly. We record these quarterly checks in our policy documents. If a data breach is detected, it is first reported to the DPO and the Managing Director.  If a breach is detected an assessment is immediately carried out and recorded within our policy document reference OC-DP Breach Log. Once the breach has been assessed, it is reported to the ICO, within 24 hours of detection, using their online form (which can be found at https://report.ico.org.uk/security-breach/). If the breach adversely affects the data privacy of our data subjects, we also notify them of the time and nature of the breach, as well as any measures we have taken to minimise the severity of the breach.  We also provide advice on how they can mitigate the impact of a breach to their data privacy. In the event of a data breach, the company launches an investigation into how our security was compromised and takes action to repair any damage done.  Relevant authorities are then involved as necessary. For example in the case of a physical data breach (break-in or theft), the police are notified, and in the case of a digital breach (unauthorised login or hack), the relevant internet body is contacted (such as Google). Details of any data breaches is recorded in our own breach log.

How we deal with personal information relating to children

Where the company finds itself in the position of requiring personal data relating to children (persons under the age of 16), the same consents apply but is obtained directly from the parent or guardian. Where this situation arises in relation to an educational setting, where the educational institution is the client, the school or college is supplied with the necessary consent form (document reference OC-DP004b) to distribute to students and parents.  The responsibility to collect these consent forms back rests with the children’s families and the institution. Where consent is not obtained, we are unable to provide services to those families.

How we record processing activity

Data is processed both manually and automatically.   Automatic data processing is handled by 3rd parties, such as Google (refer to document OC-DP006). In those instances the 3rd parties operate as data processors in their own right and, as such, their own policies come into effect.   With regards to manual processing activity, the data could be used by employees of Octopus to analyse data trends and demographics. Alternatively, data is processed manually in order to complete tasks we have been instructed on by you, the client. This processing activity is recorded in various documentation throughout our systems. However, all activities linked to a specific client is recorded in a unique sheet for each customer. This is avaialble for you to view at request.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

If you send us an enquiry your any of the contact forms on our website then this data is stored in 2 locations. Firstly, it is stored on the database in the back-end of our website. Secondly, the contact form details are sent via email to our email server and distributed the the relevant parties internally.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser. When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue. For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service. The data is then routed to either our servers or those of our 3rd party providers to process as above.

Your contact information

 Your contact details will only be stored if consent has been given for one of 2 purposes; marketing and/or to provide our service. You can withdraw this consent at any time. Similarly, all email marketing communications will include the ability to unsubscribe.