SynergySuite's Data Protection Policy and Commitment to GDPR 

Introduction

The European Union has taken steps in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will be effective from May 25, 2018. EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed.
This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents' personal data in any manner, irrespective of location, has obligations to protect the data.

SynergySuite’s Commitment

SynergySuite Software provides Software as a Service (SaaS) to the hospitality industry. SynergySuite follows the GDPR steps to ensure full compliance with the Data Protection Regulation.
SynergySuite provides a processing platform for data to be entered by a user. No data is held for reasons beyond the scope of client’s own use. The client owns full responsibility for the accuracy of the data entered. The data is entered by the client or by SynergySuite at the request of the client, however ownership and management lies with the client. In this view SynergySuite is deemed a Data Processor and not a Data Controller, as such tools are provided to ensure the client is capable of completing any request deemed appropriate under GDPR.
As according to Article 17 section 2 and 3, SynergySuite shall only act on the client's instructions and that personal data we process is stored securely. In the event SynergySuite believes the clients instructions conflict with the requirements of the GDPR or other EU or Member State laws, under Article 28 section 3 the data protection office will inform the client immediately.
SynergySuite will contact your assigned DPO contact, in the event SynergySuite requires to publish any updates, or changes in relation to GDPR or data production. In the event of a data breach SynergySuite has specific steps in relation to notification, or communication. This is detailed further in this document.

Datacenter Security

To underline our commitment to security best practice, our data centers have achieved the ISO 27001:2005 Security Management standard, which ensures the proper selection of adequate and proportionate security controls to protect all information assets in our data centres.

The security of your business-critical data and systems is our primary concern. To this end, we have a permanent manned security presence at all of our data centres and use multi-layered physical security including a secure perimeter, biometrics and video surveillance.
Entry to each facility is tightly controlled – with strict procedures in place to monitor and control visitor access both into and within the data centre. Extensive CCTV video camera surveillance is in place across each facility, along with security breach alarms, biometric checks and controlled physical barriers.

Access to the buildings, data floors and individual areas is via individually programmed access cards – using biometrics and visual identification – ensuring secure, single-person entry.

All SynergySuite data centers employ multi level firewall solutions.
All servers run local firewalls exposing only required ports to the public internet. Other critical services are available only over encrypted VPN (Virtual Private Network)
Border firewalls control access to the data center network in general and scan traffic for attack signatures, blacklisting and blocking any IP addresses suspected of infiltration attempts.

Only top level SynergySuite staff have database access and are limited to data required for development and support purposes. General Support staff do not have source database access.

Our data centres offer direct and unrivalled access to the key European Internet Exchange Points (IXPs), including LINX, DE-CIX, AMS-IX, NETNOD and France – IX.
All SynergySuite servers connect to the Equinix multi-homed service – this allows us to distribute traffic through multiple tier 1 carriers and IXPs.Failure of any carrier or IXP does not affect SynergySuite service as other links take up the additional capacity. US Data centers have similar redundant multi-homed service provided by Equinix.

All SynergySuite data is stored in databases hosted on machines physically connected to a 'Storage Area Network' (SAN). This storage area network consists of multiple high end Hitachi Storage Area Network devices, each with multiple storage devices (hard drives).
Any failure of individual storage devices is handled by the storage area network and does not result in any data loss. All data stored on the SAN is continually backed up across multiple hard drives to ensure data redundancy.

Data Access and Ownership

All data within SynergySuite is owned and managed by the client and their administrators. Client administrators are responsible for management login access, and permissions to sensitive data. SynergySuite provides the tools required to prevent access to sensitive data, in the way of hierarchy and an access permission model.
In the event access to the client data is lost, permission must be granted by the client contract holders for SynergySuite to issue new administrator login credentials.

Login access is granted by client administrators and are provided with login credentials. Passwords are required to meet a strong password policy including a min password length and an alpha-numeric format. Creating new accounts are done via an email activation process. Temporary passwords are provided, and prompt users to create unique passwords meeting our password policy. Passwords are not accessible after they have been set but can be reset upon request.
Upon logging in, SynergySuite provides an encrypted login token that is valid for 7 days or invalidated upon logging out of SynergySuite. SynergySuite also has systems in place to automatically invalidate login sessions after an inactivity period, setup by the client on request. These login tokens are encrypted into an alpha-numeric sequence and do not relate to any login credentials. After the token has been inactivated the login token can never be used again. Upon logging back in to SynergySuite a new login token is provided.
Data stored by SynergySuite is accessible by the client through the SynergySuite portal. The client administrator has full access to amend and update all data. Upon request an audit log can be provided detailing logged in users and access times of logins, this is stored for two weeks at a time after which the data is removed.

SynergySuite staff are required to access clients data via an approved login or via the database through VPN access and whitelisted IP addresses. Access is recorded via an audit trail and is logged for security reasons. SynergySuite staff are not permitted to access or amend clients data, without the consent of the client administrators, this as according to the Article 29. Access to data is only available to approved developers and approved support staff once consent is received. General employees of SynergySuite do not have access to clients data. All SynergySuite persons authorised to access or amend clients data have undergone appropriate training and are under obligation to ensure that data is strictly confidential this is in accordance of Article 28 section 3.

SynergySuite does not use any client data for marketing or research purposes. Client data is also not shared with third parties or services without the consent of the client, as according to Article 28 section 2 and 4. In the event data is shared for purposes such as Payroll interface, EDI ordering, HR system’s clients would be required to provide written consent, if not already agreed upon executing of a service agreement. The third party will be deemed a sub-processor and must be appointed on the same terms as set out between the client and SynergySuite within accordance of Article 28 section 1 and 2.

SynergySuite processes some personal data, this data is only accessible from valid logins with allowed permissions. Users without the required permissions have no way of accessing sensitive data.SynergySuite also provides biometric clocking, we do not store user fingerprints but do store an encrypted, one-way, alpha-numberic encoding of its identifying features that is calculated by the Biometric Device. This is then used again to confirm clocking processes. Below is the steps completed relating to scanning of user fingerprints.

When the user places his/her finger(s) on the fingerprint sensor during the enrolment process, the biometric takes a picture of that user’s finger’s key minutiae points. Then the biometric uses its proprietary mathematical algorithm and converts that picture into a unique mathematical template which is comparable to a 60-digit password. This unique template is then encrypted and stored in the biometric database
IMPORTANT NOTE Privacy issues should never be a concern when using the biometric device because NO REAL IMAGE OF A USER’S FINGERPRINT IS STORED. ONLY the minutiae-based templates are stored. Each time a user’s fingerprint is scanned, the device searches its database for a matching template. There is no way to obtain a persons fingerprint from the minutiae-based templates which is stored. The minutiae-based templates can only be used to confirm a fingerprint scan matches a previously saved template

GDPR Specifics

SynergySuite understands it is your right to delete any or all data from the SynergySuite system. The client can exercise their rights under GDPR by simply logging in SynergySuite to locate the data in question and delete it. If a larger amount is required for deletion, this can be done so upon request by Synergysuite.

SynergySuite understands it is your right of access to personal data through subject access requests. SynergySuite has provided tools that allows users with the required permission to retrieve a Personal Report, detailing all the stored personal data from SynergySuite. It is the client's responsibility to manage access to this data. As in according to Article 15 section 3 of the GDPR it is the controller who shall provide a copy of the personal data undergoing processing.

In the event a data breach on personal data has occurred, in accordance with Article 33 SynergySuite will inform the relevant Data Protection Officers, without any undue delay. Notifications will contain the below:

- An outline of the breach;
- A contact point for obtaining more information; and
- Recommended measures to mitigate any possible adverse effects from the breach

SynergySuite’s primary communication is via email. Any product updates, changes or anything that may impact the end user will be communicated to the key contact. This is usually the user who completed the sign up process. All other emails from SynergySuite are via email subscriptions that can be controlled by each users mail settings. Any group wide communications are managed by your system administrator.

SynergySuite will require access to data provided by some third parties. These include POS providers, vendors/suppliers, payroll systems and accounts systems. Upon integration to any of these a consent form must be signed by the client allowing SynergySuite to process any required data from the third party. SynergySuite will not share, or use these data for any reason without consent of the client.

From time to time SynergySuite might require remote access to clients environments. This will be completed by LogMeIn or Teamviewer. Access is only permitted on the basis the client has approved a stored login process or provides a one time login, where the token in use is valid for the one session. Were access is not provided, SynergySuite will not be able to provide support in any remote instances.

SynergySuite will retain any processed data for the length of the agreement. Upon termination of the agreement the data can be exported or deleted upon request. If a client has not requested either option upon termination, the data will be removed after 3 months of the termination date. After such time the data is unrecoverable.

As in accordance with Article 37 SynergySuite will appoint a Data Protection Officer. There role will include:

- Inform and notification of any changes or obligations under GDPR
- Ensure SynergySuite is compliant and meets all requirements set under the GDPR
- Address any requests directed to SynergySuite regarding any Data Protection issues or requests

The Data Protection Officer can be contacted by email or mail under the below details:
Email: dpa@synergysuite.com

Address:
Data Protection Officer - SynergySuite
19 William Street South,
Dublin 2 Ireland