Information Security

Introduction

The EU General Data Protection Regulation (GDPR) is law in all European member states.

Even though the UK has exited the EU, the EU Commission has adopted adequacy decisions in favour of the UK. This means that data can continue to flow freely from the EEA to the UK in most cases.

The EU GDPR has also been retained in domestic law as the UK General Data Protection Regulation, and the UK government has confirmed that data transfers from the UK to the EEA are permitted.

For the purposes of this document, ‘GDPR’ refers to both the UK and EU GDPR.

In this document, we will take you through some of the key points of the GDPR and how we implement them as a Processor of your Data. Please note that this document only details how 2sms handles your data as a Processor. For the avoidance of doubt, this is the data you transfer to us for the purpose of transmitting business communications. This data will be referred to in this document as “end-user data”; it is the data that you control and that you contract with Us to process on your behalf. If you would like information on how we process your data as a Controller, you can view our Privacy Policy on our website.

Consent

Under the GDPR, the requirements for using consent as your lawful basis have been set higher than ever before. Consent needs to be gained, recorded and managed by the Controller. Guidance on the changes around consent requirements under the GDPR has been produced by the ICO, which is published on their website.

The service that we provide to you means that 2sms is the Processor of the information that you share with us for the purpose of transmitting business communications and you are the Controller.

2sms acts solely on your instructions and processes your data to send communications to your end users. 2sms does not obtain, record or manage consent from data subjects on your behalf. It is your responsibility as the Controller to ensure that you have and can demonstrate where necessary, records of consent from data subjects needed for us to transmit communications using the information you provide. We do not directly interact with your end users as 2sms, all communications are sent on your instructions as if they come from you directly and we are “transparent” in the communications delivery process.

Data Retention

2sms understands that excessive data retention is not compliant with Data Protection rules. Accordingly, 2sms retains your messaging data for no longer than two years from the date that you sent the communication. Messaging data is limited to the telephone number or email address, and the content of the message.

Storage of end-user data is in secure, access-controlled environments, segregated from all other 2sms networks.

Data Protection Measures

2sms is certified and operates to the ISO 27001 Information Security standard. A copy of our certificate can be found here.

This standard is applied to all areas of the business; both our office and production environments are certified on an annual basis by an accredited external auditor.

As an illustrative, high level overview, 2sms has taken the following measures, among others:

Access Control
Firewalls
Antivirus
Secure Equipment Including Laptops and Mobile Phones
Data in Transit / Encryption
Backup, Disaster Recovery and Business Continuity

We schedule and conduct regular backups to ensure that all data is stored safely, securely and remains available for the purpose of restoration in a disaster recovery situation.

Monitoring
Employee Training and Education

All employees:

Policies and Procedures

In addition to the above, we maintain, enforce and support policies to ISO27001 standard for:

All of these measures, and the entire ISO management system, are audited internally by the compliance team and externally by our third-party accreditation body on an annual basis. The compliance team also conducts security sweeps on an ad-hoc basis to ensure that certain policies are being adhered to by all staff.

Risks

2sms continuously assesses all risks. Risk assessments detail treatment plans that act as recommendations to help the business reduce the impact and/or probability of the identified risk. Risks and treatment plans are regularly reviewed; we assess risks related to our systems, staff, assets and operational activities. 2sms has identified this as an area in which, whilst we are compliant with requirements such as ISO 27001, we adhere to the principle of continual improvement.

We use enterprise risk management software to support and enhance our approach to risk management. We identify dependencies as risks to our business and security objectives through risk registers, with activities arising to treat those risks effectively.

Breach Notifications

2sms takes all of the above measures to secure your data as part of our Data Processing activities. In the event of a data breach, we will inform you without undue delay of any security issue that has led to a data breach including your customer data.

We have also:

Data Protection Officers

2sms has a dedicated compliance team that is responsible for all Data Protection questions, requests, issues and queries across the organisation. 2sms has also appointed an external DPO, Evalian Ltd, to provide expert advice on a consultancy basis.

Any questions that you have in relation to Data Protection can be raised with your account manager; subject access requests are detailed in the section below.

The Rights of Data Subjects

As a Processor, 2sms will not respond directly to any request raised by one of your customers whose data we have processed. We will contact you to make you aware of the request and assist you in meeting your obligations under the GDPR. Examples of where we may need to assist to meet the rights of a data subject include:

Subject Access Requests

Data that you transferred to 2sms can be made available for this purpose, providing it is still stored by Us. Subject access requests can be raised with 2sms by email to support@2sms.com. There may be a charge associated with requests of this nature; please contact your account manager for details. Subject Access Requests will be fulfilled within 30 days of us receiving the request from you.

Right to be Forgotten and Erasure

Data subjects have the right to ask for their information to be deleted if they object to processing, or withdraw their consent. In the UK, this right has been used to amend inaccurate information about data subjects, for example, in Google search results. Whilst the GDPR does not provide an absolute right to be forgotten, these rights have resulted in more deletion requests being received by Controllers.

Requests for specific data to be deleted can be raised with your account manager.

Records of Processing Activity

2sms is a Processor for all customer information. As such, we only process your data on your instructions and for the purpose of providing the communications service that is part of the performance of the contract between You and Us. The sole purpose of our processing activities is the transmission and delivery of communications to your end users.

We keep a record of all the messages that we send on your behalf in line with our data retention policy. As detailed in the Data Retention section, this is for no longer than two years from the date that the communication is sent.

Third Party Transfers

2sms passes your information to network operators for the purpose of delivering your communication to the End User's handset or Network Termination Equipment. This type of transfer is intrinsic to the provision of our products and services.

For SMS communication in the UK we only use our direct connections to the UK Mobile Networks to ensure that we can trace your data from our systems to the end user handset.

For all third party networks that we use, we have conducted a due diligence audit to ensure that each supplier has taken adequate technical and organisational measures required to offer security standards that are materially similar to those described in this document for our own infrastructure.

We have also entered into contracts with all third parties that solidify the data protection obligations of all parties and extend the minimum requirements detailed in any Data Processing Agreement between You and Us to our suppliers.

Data Processing Agreements

2sms has produced a Data Processing Agreement (DPA) that forms part of our Terms and Conditions of Service. This helps our customers to ensure that you are meeting your obligations as a controller under the GDPR.

Data Maps

As part of our privacy framework, 2sms has conducted comprehensive data mapping of our systems to provide “Data Life Cycles” for all of the end-user data that we process and control. Customer facing versions of our data maps are available upon request to help you meet your obligations under the accountability principle of the GDPR. Requests can be raised with your account manager, who will be able to share data maps specific to Our products and services that You use.

Data Protection Impact Assessments (DPIA)

We understand that certain types of processing may require our customers to complete a DPIA to demonstrate that they have considered the rights and freedoms of data subjects before engaging in their proposed processing activities. 2sms is a service provider for business communications and does not have visibility of the content you are sending through our platform. If your processing activities are considered high risk, or you are processing special categories of data, you may require our input into your DPIA. Please raise any requests of this nature with your account manager.