Security & Trust

Product and Functionality

The Services - What is Akkroo?

Akkroo is an Event Lead Capture Software-as-a-Service (SaaS) solution for collecting and processing data from people, primarily at events. It comprises the following:

  • A mobile application for data collection activity, available via the Apple iOS App Store or as a web-app for selected Android devices
  • A cloud-based dashboard for authorised users to set up and configure the mobile application and to access and export collected data

Our Approach to Data Security

Handling your data is our primary business, and we take personal data protection, privacy and security very seriously. The documents here explain how we handle data collected when a client uses Akkroo software.

We have been committed to investing in a continuous and growing security program since we first established Akkroo, and strive to go beyond the expectations of our customers wherever possible.

Here are a few practical examples of security controls within our product:

  • Data is stored for as short a time as possible on a device, and is removed from the device as soon as it can be whilst retaining full app functionality
  • When synchronising devices with our secure online application, communication is over HTTPS and encrypted using TLS
  • User access to the Akkroo Dashboard is secured with strong, complex passwords, and features such as two-factor authentication and complexity controls are enforceable
  • We invest in scheduled, three-level penetration tests

We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of data.

We also make use of external security experts from time to time to appraise our work and our data protection procedures.

Glossary

For clarity, here are some terms we use in our security documents, and what they mean:

  • The Processor: Us, Akkroo
  • The Controller: You, Your Business
  • The Application: The Akkroo Dashboard Software, Forms & Mobile Applications

Data ownership, Acceptable Use & Access to Collected Data

Unambiguously, the data you collect is your data and reserved solely for your own use.

Data and Personally Identifiable Information collected via our software is stored for the sole use of the Controller.

We facilitate the reliable collection and storage of data on our customers' behalf, and our intentions will always be framed by this.

From time to time, some members of the Akkroo technical staff will have restricted access to the data we store on your behalf so that we can carry out absolutely necessary service tasks, such as monitoring and improving the quality and performance of our own services. However, under no circumstances are we or any third party able to access your data for any other purpose, such as marketing or communication purposes.

Data will never be disclosed to any third-party except in accordance with our Privacy Policy. The exceptions are:

  • To provide a core feature or functionality which you request through the dashboard that depends on a third-party service.
  • If we, or substantially all of our assets, are acquired or are in the process of being acquired by a third-party, in which case Personally Identifiable Information held by us, about our customers, will be one of the transferred assets.
  • If we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings.

Compliance & Accreditations

Working with UK & European organisations

We fully comply and operate within the jurisdiction of UK and EU data law.

In light of the UK's potential withdrawal from the European Union in the coming years, we will continue to appraise the situation and adopt the most customer-favourable position on data security that we can achieve.

Working with US, UAE & other international organisations

As a company registered in the UK and storing data within the EEA, we are regulated by European laws which are widely considered more strict than many outside of the region.

Much of our compliance covers the core requirements of data law abroad, however we believe that European laws and the protection of rights of the individual and ownership of data currently provide the best protection of data anywhere worldwide.

If you are unsure about how this impacts your use of Akkroo, we suggest you seek additional legal advice. We generally find that compliance teams find parity even where we do not comply with a specific foreign law.

Data Processing Addendum (DPA)

We have developed a Data Processing Addendum/Agreement (DPA) that we will enter into with anyone that uses our service and requires one. This service is free of charge. The DPA forms part of a contract of service with Akkroo (who are the Data Processor) and you as our customer (as the Data Controller). The DPA reflects the parties' agreement with regard to the processing of personal data performed using the Akkroo service. You may find this document useful in meeting your own GDPR (General Data Protection Regulation) commitments.

You can download a copy of the Akkroo DPA here. Please complete and return to legal@akkroo.com.

Accreditations & Certifications

We continually and successfully work with data providers and organisations that already work within standardised frameworks such as ISO 27001, and we understand you may need to see accreditations as part of your assessment. We have gathered all the relevant documents for review.

Akkroo is working towards meeting its own first international standards, so our current approach is to provide our own body of documents and policies that meet the requirements of organisations that do maintain these standards.

Our data is stored within certified facilities and our infrastructure built upon certified services.

Registration with the UK Information Commissioner (ICO)

We are members of the United Kingdom's Information Commissioner's Office (ICO) Data Protection Register, and our registration number is ZA033795.

The Relationship Between You & Us

What the ICO says: The Controller collects and processes Personal Data in connection with its business activities.
In plain English: You use Akkroo to collect data from your customers.

What the ICO says: The Processor processes Personal Data on behalf of other businesses and organisations.
In plain English: We manage that data for you.

What the ICO says: Article 17(2) of the Data Protection Directive 95/46/EC provides that, where processing of Personal Data is carried out by a processor on behalf of a Controller, the Controller must choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures;
In plain English: It is your responsibility to ensure our standards are good enough to meet your legal obligations and organisation’s own standards. We are always willing to try to help you meet whatever data obligations are required in order to use our software.

What the ICO says: Article 17(3) and 17(4) of the Data Protection Directive require that where processing is carried out by a Processor on behalf of a Controller such processing shall be governed by a contract or legal act binding the Processor to the Controller, stipulating, in particular, that the Processor shall act only on instructions from the Controller and shall comply with the technical and organisational security measures required under the appropriate national law to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing;
In plain English: We will manage the data in accordance with agreements we will make with you. These are outlined in our policies and terms and conditions when you sign up or start using our products. It is our responsibility to put measures in place to secure personal data you store with us.

What the ICO says: The Processor takes all measures to protect Personal Data processed by the Processor on behalf of the Controller against a Security Incident and against all other unlawful forms of processing, as required under applicable national law. Such Technical and Organisational Security Measures shall include, as a minimum standard of protection, the following types of security measures: organisational controls, information security management systems; physical security; physical access controls; entry controls, virtual access controls, transmission controls, assignment of responsibility controls, availability and separation of responsibility controls, security and privacy enhancing technologies; awareness, training and security checks in relation to the Processor’s Personnel; incident response management/business continuity; and audit controls/due diligence.
In plain English: We are required to put in place measures to protect the data we store on your behalf at organisational, server and application levels.

Data Handling & Encryption

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

Data Life & Disposal

Data Life, Retention & Protection

Data associated with your Akkroo account (including personal information and collected record data) is retained for as long as you have an Akkroo account and for a longer period as may be required by law.

We don’t cancel a licence or account for inactivity. If you cancel your licence, or it terminates for any reason, your data will be retained for a period of 90 days then permanently erased.

You may delete your data from your dashboard and apps at any time.

  • Data deleted in these ways will be made inaccessible immediately ('soft deleted'), but only permanently deleted after 30 days.
  • We only retain your data to allow us to recover it should you accidentally delete it.
  • We cannot guarantee that we will be able to restore any data you have deleted.
  • We do not use soft-deleted data for any purpose other than to permit you an opportunity to restore it. Sometimes we may retain deleted data to comply with our legal obligations, resolve disputes, or enforce our agreements. In these cases, we ensure that access to such data is blocked except for the purposes for which we have been required to retain the information.
  • It is the client’s responsibility to export, archive and delete data they collect, as well as to handle personal data stored inside Akkroo in a manner that complies with any local laws or restrictions. For example, you may want to consider the length of time in which you hold personal data on file.

We will notify the Account Owner or Key Contact via email when an account is being prepared for deletion. We send a series of emails which confirm the deletion timeline (we provide a 90 day grace period after the account is expired to stop the process), including a confirmation email once the erasure has occurred. Erasure is permanent, and it is not possible to re-activate a username associated with an erased account.

Permanent Deletion

You can delete collected records data or event data from inside your Akkroo dashboard which will 'soft-delete' it. Once deleted from your account, you can contact us to request a permanent deletion of the soft-deleted data. We automatically purge soft-deleted data within 30 days.

Data on Devices

Collected data is stored on devices, and we use username and passcode based user authentication to prevent access to viewing and managing the data.

Records can be viewed or edited individually by authenticated users, however there is no way to extract or download bulk record data from inside the app.

When collecting data offline, all this data is stored inside the application until a connection can be established. At this point, all collected data is transferred automatically to the server.

Uninstalling the app erases all data from the device permanently.

Backup Copies

We maintain regular secure encrypted backups. It may take up to 12 months from the point you start record deletion to erase all traces of the data stored in our backup systems. We describe this as 'residual data', and this data is not accessible via the Akkroo dashboard.

Hardware Management & Disposal

Computer equipment and storage media are securely reformatted and repurposed or destroyed beyond repair at their end of life. Our hosting provider shreds end-of-life hardware (although we are unable to provide certification for individual pieces of hardware), and we securely erase or destroy any storage media we use within the organisation.

All computer hardware and devices are issued centrally, and are logged in our central asset management system.

Servers & Physical Location

Data Centre Location

Our UK based Data Centre is located in Powergate Business Park in the Thames Valley (we refer to this as our London data centre in this document) and is operated by Equinix Telecity. Equinix Telecity hold the following security related accreditations.

  • ISO/IEC 27001 - Security Management
  • ISO 22301 - Business Continuity Management
  • ISO 9001 - Quality Management

We store backup data and some auxiliary data in Amazon's AWS S3 & Glacier facilities in Ireland (EU). Accreditation and certification details of both these services/facilities can be viewed below:

Physical Security

Our Data Centre implements the following access controls at its premises and facilities:

  • Secure monitored single-person entry
  • All data is hosted in an off-site London data centre on four servers
  • Independent client-card and biometric identification access system
  • All of our equipment is in locked cages
  • 24/7/365 manned security
  • Firewalls and ACLs are in place to separate the trusted network from outside untrusted networks
  • Administrative access is limited to only employees that need that level of access and physical and logical separation is in place to prevent access to trusted/internal networks
  • Third parties i.e. contractors or suppliers not wholly controlled by the host have no operating system level or physical access to the infrastructure
  • IDS, IPS, and logging are in-place and monitored 24x7 for alerts

Server Software Updates

Our Software Update Policy is here.

How Personal Data Enters Our Software

Personal data enters the Akkroo System when an individual willingly enters their details via our software (on any device), or if data is loaded into the Application via the Akkroo Dashboard or the documented Akkroo API.

How Personal Data Leaves Our Software

Personal data leaves the Akkroo System when you export it as a downloadable file from the Akkroo Dashboard or establish an integration or webhook which sends the data to a location of your choice.

Third-party Services

Some of our optional premium or custom product features require the use of third-party services outside of the EEA. Where we must work with third-party contractors or data services located in other jurisdictions, we prefer to work with companies that operate within government-backed schemes such as the EU-US Privacy Shield (previously Safe Harbor) scheme where possible.

Where possible we also always aim to anonymise data (decoupling it from the source) when transferring data to third parties.

Business Card Scanning (BCS) & Transcription Feature

In order to transcribe cards quickly but reliably we use a highly effective human element in the processing. Our service uses third-party contractors to carry out an accurate validation and transcription of the images taken using the feature in the app.

The cards are provided to the third-party digitally and anonymously on secure, time-limited URLs, supplied to them without context. For instance they are unable to identify the origin of the card, who supplied the card or on whose behalf they are transcribing the data.

They are aware that Akkroo is the origin of the card, however we never provide any specific identifying information unless you provide it within the scanned image. Once transcribed and the data has returned to the Akkroo servers, the images are 'expired' automatically and no longer retrievable.

The image of the business card may be viewed and transcribed outside the EU during the transcription process as our transcribers are not always on-site, however the images are stored in the EU on our own servers, as with all of our data.

System Architecture

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

Service Failure, Backups & Disaster Recovery

Servers

  • Servers have UPS with backup diesel generators
  • Trained engineers on-site 24/7/365 who can perform:
    - Part swapping
    - Fault diagnostics
    - Software issue resolution - for servers, switches, firewalls and routers
    - Server installation and racking

Backup Schedule

  • We conduct hourly data backups which are archived for one week
  • We conduct daily data backups which are archived for one year
  • We conduct weekly data backups which are archived for one week
  • Hourly, daily and weekly backups are redundantly stored on our own servers and on Amazon AWS EU Region facilities (Ireland)
  • We run continual real-time database replication within the same virtual private network
  • Older, expiring backups are cyclically overwritten by newer backups

Please note, our business is not to act as a dedicated backup and archival service, so we always encourage our customers to use common sense and take sensible actions to make their own backup provisions in addition to the measures we take.

Disaster Recovery & Resilience

Our comprehensive backup schedule and redundant, versioned, distributed backup mean that in the event of a major disruption, we are in a strong position to recover very recent data and return servers to an operational state.

Our mobile and tablet apps work in offline mode when there is no good connection to our server, so if the main server hosted applications are offline, it will not affect any unsynchronised data on the apps.

Policies

Privacy Policy

Our privacy policy is available here.

We carry out an annual scheduled review of all privacy practices and policy at Akkroo to ensure up-to-date and appropriate practices.

We will notify account owners by email if we make material changes to our privacy policy.

Privacy Compliance Violation & Remediation Policy

Any incident of privacy violation surrounding collected data is logged centrally and reviewed quarterly. Remediations will be proposed and timescales for implementation agreed and recorded in the log.

Staff Roles & Privilege Auditing

  • We carry out an annual schedule of recorded, signed scheduled certification of user privileges to check correct permissions, and remediate any inconsistency
  • We carry out a quarterly schedule of recorded investigation of user privileges for people with administrator rights to check correct permissions, and remediate any inconsistency

Emergency Staff Privilege Escalation Policy

Should we ever need to grant emergency privileges to internal or external personnel for any reason, this action is logged in our Emergency Access Log with full reasoning. We also log when those privileges are revoked.

Data Access Joiners, Movers & Leavers (JML) Policy

Staff privileges are assigned appropriate to their specific roles by senior staff members, and reviewed when employment ceases or when they change roles.

When a staff member leaves employment at Akkroo, we deactivate access to staff accounts as soon as we physically can, which is usually immediately. This deactivation always occurs within 48 hours of the end of their employment. Accounts are deleted within 30 days. All role changes are logged.

System Architecture

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

Staff & Administrative Password Policy

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

Embedded Passwords Policy

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

Mobile, Desktop & Remote Access (Working Out of Office/From Home) Policy

We permit Akkroo team members to work from home and away from our dedicated office spaces. We require all team members to take care with their Akkroo-issued devices when they are working outside of a dedicated Akkroo office space, and we also apply a number of additional user verification controls to Akkroo online services and administration features.

Access to Akkroo online services is only available over a secure, encrypted connection.

Our staff have access to our software service on mobile, desktop and when working remotely because our service is offered as Software as a Service (SaaS). Access to Akkroo online services is only available over a secure (HTTPS) internet connection.

In addition, for technical users with escalated access privileges, we manage access through key-based role and permissions management.

Data retention & protection policies

How we handle data life in our data retention and protection policies can be found here.

Network Security Policy

Any new system-level components installed with vendor default settings in place are reset beforehand to remove the risk of insecure defaults.

Any redundant components, protocols, services and functions are shut down and removed as soon as technically feasible.

Audit logs are kept for a period of at least 1 year, with the last three months remaining immediately available.

Any new service, protocol and/or additional grant of port access is subject to our Change Management & Change Control Policies.

Management & Change Control Policy

Change Control provides an orderly way to make changes to key processes at Akkroo. It means notifying anyone affected by the change, and listening to the response should the change adversely affect team members or customers. It also means devising reasonable contingency plans for restoring the system if a change doesn't work.

By using a series of standardized and repeatable procedures and actions, we are able to introduce changes to the Akkroo infrastructure in such a way that any negative impact is minimized.

This policy describes the process that is to be used for requesting and managing these changes. The following are the key roles specific to the Change Control process. One individual may be responsible for several roles, and several individuals may fulfil a single role.

Role: Change Control Manager
Description: The Change Control Manager manages the process for all requests and reviews each request for completeness. The Change Control Manager verifies that the stated objectives of the request can be met and are consistent with company best practices. The Change Control Manager has the discretion to deny requests that are not consistent with company policy or best practices.

Role: Change Requestor
Description: The Change Requestor originates the request by submitting a change to the Change Control Manager.

Role: Change Implementer
Description: The Change Implementer makes the necessary changes as requested and notifies any other affected parties if corresponding changes need to be made. Changes are implemented into production by the Change Implementer.

Risk Assessment & Management policy

Our risk assessment & management programme is run by our internal, cross-functional Risk Team.

  • We conduct risk assessments quarterly (as they contain sensitive information, we do not share these publicly)
  • Our risk assessment covers privacy, people, processes, data and technology (threats including malicious, natural, accidental, cyber, business changes (transaction volume))
  • Appropriate investigations are made into risks and, depending on the importance of the risk, ownership of the risk challenge is assigned
  • We maintain a Vendor Management programme which tracks the list of vendors who handle personal data

Data & Information Classification Policy

All Akkroo team members share in the responsibility for ensuring the information assets we handle are given an appropriate level of protection by observing this Information Classification policy:

  • Managers or information ‘owners’ shall be responsible for choosing classifications for information assets according to the information classification system below.
  • Where possible, the information category shall be embedded in the information itself
  • All team members shall use the information categories in their handling of security-related company information

All company owned information and information entrusted to us from third parties falls into one of four classifications:

Category: Unclassified Public
Description: Information is not confidential and can be made public without any implications for Akkroo. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.
Examples:
  • Product marketing information widely distributed
  • Information widely available in the public domain, including publicly available on the Akkroo web site
  • Trial software
  • Financial reports required by regulatory authorities
  • Newsletters for external marketing

Category: Proprietary
Description: Proprietary Information is restricted to management-approved internal access, and protected from external access. Unauthorized access could influence Akkroo's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital.
Examples:
  • Passwords and information on corporate security procedures
  • Know-how used to process client information
  • Standard Operating Procedures used in all parts of Akkroo's business
  • All Company-developed software code, whether used internally or sold to clients

Category: Client Confidential Data
Description: Information received from customers in any form for processing in production by Akkroo. The original copy of such information must not be changed in any way. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
  • Data collected by customers
  • Electronic transmissions from customers
  • Product information generated for the customer by Akkroo production activities as specified by the customer

Category: Company Confidential Data
Description: Information collected and used by Akkroo in the conduct of its business to employ people, to log and fulfill customer requests, and to manage all aspects of company finance. Access to this information is restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
Examples:
  • Accounting data and internal financial reports
  • Confidential customer business data and confidential contracts
  • Non-disclosure agreements with customers & vendors
  • Salaries and other personnel data
  • Company business plan

Email, Removable Media & Customer Data Transfer Policy

It is our policy that Customer Confidential data must not be sent via email or any publicly accessible electronic communication service without first being encrypted with a secure password that complies with our internal password policies. Data should only be transmitted this way when other internal facing methods are not available. Passwords must be transmitted by an unassociated medium other than the medium by which the files are transmitted, such as via phone call.

We also do not ordinarily permit the storage or transfer of Customer Confidential data on removable media such as USB keys and external hard drives. Should it be necessary or unavoidable, any such data transferred or stored on removable media must be encrypted with a secure password that complies with our internal password policies.

Company Owned Device & Operating System Policy

Our staff are issued with modern Apple devices for the conduct of their work, and we encourage them to run all updates in a timely manner and advise them on security. Critical OS updates are enforced by the manufacturer, or by us as necessary.

We deliver security training to all new team members and enforce disk encryption for all company issued devices.

Security Incident & Breach Reporting Policy

We maintain a centralised, fast, secure reporting system for the communication of all security and privacy issues. If a security or privacy issue is raised, a director of the business is immediately notified to co-ordinate the evaluation and necessary response, and the nature of the incident is logged alongside details, who is involved, actions taken and proposals for future action.

Should the incident be determined to be sufficiently significant during this evaluation, we will communicate the nature of the security incident or breach to affected parties, including customers, as soon as we are able within the context of the situation, and in a manner which we believe will not exacerbate the issue.

We will also notify the relevant authorities as soon as feasibly possible.

Clean Desk Policy

We run a Clean Desk Policy at Akkroo. We do not permit the printing or creation of physical copies of customer data, and we do not provide printing facilities for our teams, so there is no need to issue printer controls (biometrics, card controls etc).

Should an extraordinary instance arise where we need to create a physical record of customer data, permission must be sought from a member of the leadership team, a record made of its existence, and any such items will be stored in locked cabinets in the office overnight and securely destroyed on-site when no longer needed.

Application Software Update & Vulnerability Management Policy

Application Updates are managed with a formalised version control flow, and go through a process of development team testing, wider internal testing (both automated and human), and pre-release testing with the live database.

The final deployment of an Application update is automated and migrating to a new version requires no humanly noticeable downtime.

We update our servers with new patches on a monthly schedule. We also monitor for zero-day critical vulnerabilities and implement fixes within 24 hours or sooner where a patch is available.

Customer Device Support Policy

We support the current and immediately prior major version of the iOS operating system. We offer limited support for specific Android devices. We provide an up to date list of supported devices and operating systems here.

Social Media Policy

Official social media accounts are managed and operated by a small number of authorised senior staff members. Access is granted and revoked on a case by case basis.

Help & Support Policy

We do not currently record phone calls made to our support team, however we may opt to update this policy in the future.

Policy Review Schedule

We review all of our internal policies on an as-needed basis, and also on a scheduled annual basis.

Penetration Testing & Summaries

We carry out a scheduled three-layer penetration test conducted by a trusted third-party security company each year.

Our policy is that all reported issues are assessed within three business days, and remedied as fast as possible.

The scope of our penetration test consists of:

  • a network level scan
  • an un-authenticated application penetration test
  • a fully-authenticated application test, including privilege escalation

An abbreviated summary of our most recent penetration test (scope, results and remediation) is available for download. For reasons of infrastructure security, we will not be able to supply the unabridged report.

Downloads & Resources

This section is restricted and only available on request. Please contact support@akkroo.com for full access.

General Data Protection Regulation (GDPR)

If you are collecting personal data from European citizens after May 2018, your activity will be subject to the European General Data Protection Regulation. This even applies to European citizen data shared or captured outside of European geographical boundaries.

You can find out more about Akkroo's commitment to meeting the requirements of the GDPR right here – GDPR & Akkroo.

For more information about the impact of GDPR on your own lead capture activity, view our comprehensive guides on GDPR for Events.

You can also find a copy of our Data Processing Addendum here.