Holly Social – a whitelabel social media scheduler

GDPR Procedures

Identifying a data breach

We take the following steps to identify data breaches:

  • All servers run a host-based Intrusion Detection System (IDS) that sends a daily notification to system administrators whenever an “intrusion” is detected, i.e. any filesystem change, including changes made by authorised users or scheduled tasks. Every notification is reviewed as soon as it is received for anything out of the ordinary, bearing in mind that routine updates and deployments will also appear in it
  • Staff are required to immediately inform the Data Protection Officer when a breach or potential breach has been identified as part of their work
  • System bugs are captured and logged
  • Email notifications are sent to key staff members on the event of a bug
  • Bugs are checked for security implications
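The filesystem-change detection described in the first bullet is, in essence, file integrity monitoring: a baseline of file hashes is taken, and a later snapshot is compared against it. The following is an added illustration of that mechanism, not Holly Social's own tooling or configuration; the directory layout, file names and the "tampering" it applies are constructed for the example, and a real deployment would persist the baseline somewhere the server cannot modify and run the comparison from a daily job that emails the result.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (as a relative path) to its hash, size and mode.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    make the monitor read (and hash) arbitrary files.
    """
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            result[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # permission bits only
            }
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between two snapshots.

    A change in permission bits counts as a modification even when the
    content hash is unchanged (e.g. a config file made world-readable).
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: dict, path: Path) -> None:
    """Persist a baseline as JSON (assumed to live on storage the server cannot alter)."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed example: snapshot a small tree, tamper with it, report the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "www").mkdir()
        (root / "www" / "index.php").write_text("<?php echo 'ok';\n")

        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)
        baseline = load_baseline(baseline_file)

        # Simulated unauthorised activity: a new file appears in the web root,
        # a config value is flipped, and an existing file disappears.
        (root / "www" / "unexpected.php").write_text("<?php /* not deployed by us */\n")
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "www" / "index.php").unlink()

        # The baseline file itself was written after the first snapshot, so it
        # shows up as "added"; a real monitor keeps it outside the watched tree.
        current = snapshot(root)
        current.pop("baseline.json", None)
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Every entry in the report, including ones produced by a legitimate package update or deployment, has to be triaged against the change log before it is dismissed; that manual step is what the procedure above relies on, and it is the reason the baseline must be refreshed only after each reviewed, authorised change.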

Preventing a data breach

We take the following measures to ensure all data we hold is secure:

  • Firewalls are implemented on all servers, blocking all ports apart from those required for systems to function
  • Only authorised servers with static IP addresses are allowed to communicate with each other
  • All data in transit is protected using TLS
  • Access to database servers is limited to database administrators
  • Access to all servers (including database servers) is performed via SSH
  • SSH keys are used for authentication and can only be managed by company founders
  • Database backups are encrypted at rest
  • Servers are kept regularly updated with the latest updates and patches
  • Database queries performed by applications are handled via routed authentications
  • 3rd party libraries and packages are kept regularly updated
  • All credentials for 3rd-party services are stored in encrypted password vaults
  • Rate limits are applied to API endpoints to prevent brute-force attacks
  • All cookies generated by the system are encrypted
  • Security is part of the company culture
  • 2FA is used wherever available

Reporting a data breach

Under the GDPR (Article 33), a personal data breach must be reported to the supervisory authority (in the UK, the ICO) within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where we process data on behalf of a customer (the controller), we notify the controller without undue delay after discovering a breach so that the controller can meet that deadline.

In the event of a breach we would provide the controller with:

  • A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned
  • Contact details of the Data Protection Officer or other responsible person within the company
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects

We would stress again that we have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.

Data portability

Our system fully adheres to Article 20 of GDPR “Right to data portability”. Users can export all personal data as well as all data they have generated in the system (such as posts, connected social media accounts and so on).

Export is accessed via: https://app.chooseholly.com/settings#/data-export (replace the Holly Social URL with your own whitelabel URL).

Right to erasure (to be forgotten)

Our system fully adheres to Article 17 of GDPR “Right to erasure (‘right to be forgotten’)”. Users can delete their account, and all associated data (as listed under “Data portability”) will also be removed.

Where a user was invited to a team, any team content they have created (such as social media posts) will have its ownership transferred to the Team Owner, and all data connections that linked to the user will be removed. If the user is also the Team Owner, then all Team Data will be removed.

Document created: Thursday May 10th 2018

Last updated: Thursday May 10th 2018