Organisational & technical measures for GDPR compliance

Modified on Thu, 16 Dec, 2021 at 10:24 AM

HTTPS is used to secure data in transit. Our database is encrypted at rest, with the database encryption key stored separately from our PTA Events infrastructure in a key management store operated by our cloud hosting provider Hyve. Hyve are ISO 27001, ISO 9001 and ISO 27017 certified, G-Cloud accredited and PCI DSS compliant. PTA Events has appropriate security measures in place and continues to adopt best practice to ensure the security of its platform and the data it processes, including, but not limited to:

  • Passwords must be a minimum of 8 characters and include at least one upper-case letter, one lower-case letter and one digit. Special symbols are also allowed.
  • Passwords are salted and hashed using one of three different hashing algorithms.
  • Our database is encrypted at rest with a 256-bit encryption key, which is itself encrypted and stored on a private network.
  • Data is encrypted in transit over TLS (HTTPS) with 256-bit encryption.
  • Access to the database and web servers is tightly controlled and locked down by default, so it is reachable only from allow-listed IP addresses and only by users who have been granted access for the purposes of developing and administering the platform.
  • We use the Cloudflare Web Application Firewall to protect our platform. Web traffic to PTA Events is routed through Cloudflare's global network, which blocks threats, limits abusive bots and crawlers from consuming our bandwidth and server resources, and caches and optimises delivery of our web pages so visitors get fast page load times. The result is better performance and a decrease in spam and other attacks.
  • Access to PTA Events websites is role-based, so only users who have been assigned roles by the controller have access to personal information.
  • Access to the PTA Events platform is restricted to the countries we serve; all traffic from outside these countries is blocked.
  • Data required to ensure the smooth running of events is encrypted by default using AES with a 256-bit key, which is split and stored across both the web and database servers so that neither server alone holds the whole key.
  • A patch management plan ensures our servers' operating systems and software are kept up to date.
  • Our secure cloud servers are hosted in the Global Switch 2 London data centre and protected by VMware vShield Edge firewalls.
  • The data centre implements secure physical access controls and provides high levels of performance, scalability, security and redundancy.
  • Ongoing security testing of both the application and the infrastructure.


Our PTA Events support staff have access to each PTA Events website in order to provide first-line support. In this relationship the PTA is the sole controller of the data, while PTA Events processes the data on its behalf. As all of the data belongs to the PTA, we do not sell it on or provide it to any organisation other than those listed in our Data Processing Agreement, which your organisation must agree to.


Any event-specific data can be encrypted (this is enabled by default), with the encryption key split and stored in separate locations.
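To make the split-key arrangement above concrete (the 256-bit AES key split across the web and database servers, and the per-event encryption that is on by default), here is an added example in Go. It is illustrative code written for this page, not PTA Events' own implementation, and it assumes a simple two-share XOR split (one share per server) and AES-256-GCM; the function names, the sample booking record and the event identifier are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256 key size in bytes

// SplitKey splits a 256-bit key into two shares such that neither share alone
// reveals anything about the key: shareA is uniformly random, shareB = key XOR shareA.
// Hypothetical layout: shareA is kept on the web server, shareB on the database server.
func SplitKey(key []byte) (shareA, shareB []byte, err error) {
	if len(key) != keyLen {
		return nil, nil, errors.New("key must be 32 bytes")
	}
	shareA = make([]byte, keyLen)
	if _, err := rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, keyLen)
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// JoinKey rebuilds the key from both shares; the joined key should only ever
// exist in memory while a record is being encrypted or decrypted.
func JoinKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != keyLen || len(shareB) != keyLen {
		return nil, errors.New("both shares must be 32 bytes")
	}
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// Encrypt seals a record with AES-256-GCM. aad (here the event ID) is
// authenticated but not encrypted, so a ciphertext cannot be silently
// re-attached to a different event. Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and returns an error if the key, nonce,
// ciphertext or aad has been altered.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	webShare, dbShare, _ := SplitKey(key)
	// Constructed sample record: an answer to a product question for event 42.
	record := []byte(`{"question":"dietary requirements","answer":"nut allergy"}`)
	eventID := []byte("event:42")
	k, _ := JoinKey(webShare, dbShare)
	sealed, _ := Encrypt(k, record, eventID)
	// A single share is just random bytes: decryption with it fails authentication.
	_, err := Decrypt(webShare, sealed, eventID)
	fmt.Println("web share alone:", err)
	// Both shares together recover the record.
	pt, err := Decrypt(k, sealed, eventID)
	fmt.Println("both shares:", string(pt), err)
}
```

The point of the split is that a dump of the database, or a compromise of the web server on its own, yields only one share and therefore no usable key; an attacker needs both servers. The authenticated event ID also means a record copied between events is rejected on decryption rather than silently accepted.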

An important principle in the European Union's General Data Protection Regulation (GDPR) is data minimisation. This means that organisations must limit the collection, storage and use of personal data to what is relevant, adequate and strictly necessary for the purpose for which the data is processed. There is usually no need for the organisation to keep event-related data for longer than the event itself. In the event settings the organisation can set a date on which we will automatically purge answers to product questions and booking information from our database. If no date is set, this defaults to 90 days after the event end date.


Customer data is retained only for as long as the organisation requires, with the default set to 2 years. The organisation can change these data retention settings as it sees fit, since it is the controller of the personal data.


Customers can also exercise their right to erasure under the GDPR in "My Account" > "Preferences", and from the same page can request an export of all their personal data in JSON format.

