References to ‘Data Controller’, ‘Data Processor’, ‘Personal Data’ have the meanings defined in the General Data Protection Regulation (GDPR).
The Subscriber, acting as Data Controller, shall comply with the GDPR.
LEAP, acting as Data Processor, shall comply with the GDPR. Consistent with the requirements of GDPR, LEAP shall:
(a) act only on instructions from the Subscriber or the Regulator in respect of any Personal Data processed by LEAP;
(b) have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(c) take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions; and
(d) not transfer the Personal Data provided by the Subscriber to a country or territory outside the European Economic Area without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR.
Subscriber acknowledges that, with certain exceptions, LEAP does not have access to Personal Data and will require permission from a User if asked to provide services related to the LEAP Software. The Subscriber shall provide access to the LEAP personnel only on an as-needed basis and to terminate such access promptly after the need for such access has expired. In the performance of Helpdesk support where file-sharing is used, it is the responsibility of Users to ensure that all sharing sessions are terminated.
The LEAP Software supports Article 5 of the GDPR in that it is possible for the Subscriber to delete Personal Data from the software permanently.
The data contained within LEAP remains the property of the Subscriber.
If a Subscriber ends their agreement, LEAP will retain the Subscribers data for a period of seven (7) years before having it destroyed.
During the seven (7) years following termination, a subscription can be reactivated to gain access to the data held.
The Subscriber can request that their data be deleted upon their termination, or at any time before the seven (7) year expiration date.
LEAP’s cloud infrastructure is maintained by the industry leading cloud platform provider, Amazon Web Services (AWS), in multiple unmarked facilities within the Dublin region.
The terms of agreement between LEAP & AWS, are here: aws.amazon.com/agreement.
AWS has achieved a substantial amount of certification and compliance in industry standards, which recognise best practices in Information Security.
For a full listing of AWS certification and compliance, visit aws.amazon.com/compliance.
LEAP utilises multiple layers of security controls (software, physical and process based) to protect data. This includes, but not limited to;
Each LEAP application is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet, against eavesdropping, tampering, and message forgery.
Once client data reaches LEAP's cloud infrastructure, all information is then encrypted at rest, using AES-256, military grade encryption. This is done to protect data in the event a LEAP server is compromised by an unauthorised party.
All LEAP staff who have direct access to the infrastructure must go through an extensive vetting process, including police background checks.
The LEAP Software has been designed to be a highly available, active-active solution. LEAP Services are split over multiple AWS datacentres within the Dublin region. In the event of one data centre going offline in a disaster scenario, the second data centre continues to serve data with minimal, if any, service interruption.
LEAP Services are designed to scale up as more clients use it at peak times, and then scale down at low times. This scaling allows LEAP to mitigate external attacks trying to flood system resources.
LEAP servers are backed up multiple times daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
LEAP has a duty of care of Subscribers data. If a data breach occurs, LEAP will notify affected Subscribers immediately.
If a vulnerability is identified or data is available publicly outside of the LEAP Software, please contact LEAP immediately via firstname.lastname@example.org.