The terms ‘CMS SupaTrak’, ‘CMS’, ‘us’ and ‘we’ refer to the owner of the website, whose registered office is Delta 1200, Welton Road, Swindon, Wiltshire, SN5 7XZ. Our company registration number is 02836006. The term ‘you’ refers to the user or viewer of our website.
- The content of the pages of this website is for your general information and use only. It is subject to change without notice.
- Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose. You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.
- Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
- This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
- All trade marks reproduced in this website which are not the property of, or licensed to, the operator are acknowledged on the website.
- Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
- From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).
- Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Northern Ireland, Scotland and Wales.
2. Data Control Responsibility
The Data Controller for CMS SupaTrak Ltd is John M. Lancaster, BEM. Should you have any issues with this site or our policies, he can be contacted at firstname.lastname@example.org or by phoning +44-(0)-7792-565796. Our sub-contractor Data Controller is Claranet Limited.
Claranet are accredited for ISO9001, ISO27001 and ISO22301 and operate an integrated management system to manage these standards. Additionally, all Claranet data centres are assessed against the PCI DSS physical security requirements. Claranet was and remains compliant with previous and existing data privacy legislation and requirements. At the request of CMS, Claranet has undertaken a full review of its internal security controls and data protection mechanisms to ensure that they meet or exceed GDPR requirements. This project was substantial and extensive. The person in Claranet responsible for GDPR is Sobia Nadeen – Sobia.Nadeem@uk.clara.net
The key elements included:
- A review of where data resides, how it is secured and who can access or change this data
- Refreshing the Data Privacy Awareness Training that we provide to our staff
- Updates to our internal security processes to meet GDPR requirements including processes associated with incident response, secure development and third-party compliance
- Updates to internal policies to address changes in legislation
- A review of the contractual terms that govern the relationship between Claranet and its customers and suppliers
3. What information do we collect?
We collect information from you when you enter our site, submit a purchase order or subscribe to one of our newsletters.
When accessing or registering on one of our sites, as appropriate, you may be asked to enter your name, e-mail address, mailing address and phone number. You may, however, visit our site anonymously and decline to provide information unless it is required for your business use.
When using a CMS portal to manage driver behaviour or obtain positional information, you as the customer have the option to include driver or vehicle details. This may be necessary for tachograph compliance or driving licence checks. This data is held on the Claranet secure servers and is managed by you, the customer. CMS has visibility of this data only for system management and does not make the information visible or available to a third party.
4. Secure Handling of Customer Data
CMS’s role is to provide connectivity, managed services and hosting facilities for the safe storage and transportation of customers’ data. CMS is not in itself an information controller of customer data and therefore does not access the informational content of any traffic passing across its networks or services (other than for virus and malware scanning, or for the detection of intrusion, abuse or criminal activity). Customer data is therefore not likely to be disclosed to employees through the routine management and administration of the customer’s service, except where CMS has accepted specific responsibility for database management in the form of a managed service.
Employees and contractors are expected to treat all customer data as confidential and handle it accordingly. This includes but is not limited to customer names, contact details and account details.
As a condition of their employment all new employees at CMS are required to sign a non-disclosure agreement and a contract of employment which includes acceptance of company policy.
5. What do we use your information for?
Any personal information we collect from you may be used in one of the following ways:
- To improve customer service: your information helps us to respond more effectively to your customer service requests and support needs.
- To process transactions: your information, whether public or private, will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the services that you have requested.
- To send periodic emails: if you choose to join our mailing list, we will send you a monthly or bi-monthly newsletter.
Note: If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email. We never sell, transfer, exchange or give your email address to any third party.
6. Security Awareness and Training
CMS maintains a high-level of security awareness within the organisation by ensuring that all new employees attend security training. CMS conducts regular internal auditing of employee adherence to security policies.
Employees are made aware that information security is an integral part of the day-to-day operation of company business, understand their individual responsibilities, and are aware that business and information security is as important to the company as it is to customers.
Training is enhanced throughout employment on an ‘as needed’ basis through periodic briefings, on-the-job training, security bulletins and advisory e-mails on specific security issues. Training is reviewed annually as part of everyone’s appraisal and personal development plans.
7. Physical security features
A variety of features are in place to maintain physical security at CMS Offices and the Claranet Data Centre facilities. The location of each site determines the external security features. Where a Claranet data centre is located off-street, palisade fencing is used with access control gates.
All sites have external and internal CCTV monitoring, intruder alarms and security guards. All doors have swipe card access in place. Claranet operate an ISO27001-compliant access control process which staff, customers and suppliers must adhere to in order to gain entry to each data centre. A copy of the customer-facing process can be requested from the Claranet Service Desk.
8. Environmental security features
CMS Offices and the Claranet data centres have been designed with a high degree of resilience to reduce or mitigate vulnerabilities to major threats. CMS offices and Claranet Data centres have the following in place:
- Uninterruptible Power Supply (UPS) protection from power failure, including stand-by diesel generators;
- Mains filtering and stabilisation;
- Fire detection and suppression;
- Water/leak detection;
- Air conditioning and other environmental
Essential elements of our infrastructure have been designed with a high degree of technical resilience and are monitored 24×7 by our network and hosting operations centres using IBM Tivoli monitoring.
9. Operational procedures and responsibilities
CMS strives to continually improve the effectiveness and security of its internal operations, and the way it delivers service to our customers. To support this goal, CMS is seeking ISO9001 accreditation (currently pending). Operating procedures are documented and maintained throughout the business and regularly reviewed by the internal and external auditors to ensure they remain fit for purpose. This service is also managed by the Data Control Officer.
10. Change Management
CMS operate strict change control procedures. Before any significant change is made to processes or systems, the employee responsible is required to properly plan the change and seek appropriate levels of quality review and approval. Change planning takes consideration of:
- Need and justification for the change, including assessment of cost and benefit,
- Assessment of risk and potential business impact,
- Scheduling of the change to reflect urgency, whilst avoiding conflict with other activities or incompatibility with existing systems and processes,
- Contingency plans in the unlikely event that the change results in unforeseen adverse consequences,
- Quality checks by line management or peer review.
Wherever possible and practical, new systems, processes and changes to existing systems and processes are verified in a separate development and test environment before being launched into production.
Changes are scheduled through the Change Management and Development Team who meet every week to consider any new change requests and review the effectiveness of recently implemented changes.
The Development and Change Management Team ensure that each proposed change has been properly planned and includes test and back out plans. Where a change influences service availability, this is communicated promptly and effectively to customers.
11. Third Party Service Delivery Management
The CMS Development team are responsible for ensuring that services provided to CMS and our customers are delivered in line with service level agreements, and maintain appropriate levels of information security. CMS conducts regular service review meetings with suppliers and customers to monitor quality of service delivery. Root cause and corrective action is sought for any periods of service loss or impairment, particularly those that impact or threaten adherence to agreed service levels. Where appropriate, the explanation and remedies for such service impairments are explained to our customers in our Major Incident reports.
Service issues caused by third-party providers are monitored as part of the CMS incident management process to identify trends in service degradation or underperformance so that prompt corrective action can be taken. Vendors are required to provide ‘Reason for Outage’ (RFO) reports in the event of a service-impacting major incident.
12. Protection against Malicious and Mobile Code
CMS, in conjunction with Claranet, uses a variety of incident detection and prevention tools as well as web scanning protection as a core element of our security controls. This is designed to protect us from a wide range of threats to confidential information, unauthorised redirection to inappropriate web locations, and loss of service performance. It employs multiple world-leading signature scanning engines to deliver protection from the most sophisticated and targeted web-based threats, including spyware, Trojans and other malware. It ensures that web requests (including web pages, images and larger files such as PDFs or media) are free from malicious code before they reach our employees. The service also includes the latest URL filtering and DDoS protection and blocking functionality.
CMS has installed anti-virus software on all corporate PCs, laptops, tablets and mobile phones. Mobile device and portable equipment disks are encrypted. Virus signatures are kept up to date by an automated process which pushes updates to end-user devices as these become available.
In addition to this, Claranet on behalf of CMS also scans its internal networks on a weekly basis to ensure that viruses and malware have not been able to enter by any other means. Regular vulnerability scanning is used to detect weaknesses in externally facing IP addresses.
13. System Back-up
Claranet on behalf of CMS, performs daily backups of essential business information and services. A two-week cycle of backups is maintained, allowing data to be recovered to any point during that period. Additionally, up to 14 versions of changed files are retained, irrespective of whether these changes occurred within the last 14 days or not. CMS retains business transaction records indefinitely in a database management system. CMS does provide a full archive retrieval service to customers as standard. Additionally, CMS are able to offer a bespoke backup service to customers who specifically request it. This is agreed between CMS and the customer during implementation planning, and is set up accordingly by our operations team. Under normal conditions and unless otherwise declined by the customer, data is maintained for 10 years.
14. Security Incident Management
CMS has procedures in place for reporting, investigating and managing security and operational events and incidents. These are supported by a register to record events and track them to successful resolution.
There are three types of security incident:
- Breach in Physical security (or attempted breach)
- Breach in Network security (or attempted breach)
- Disclosure of sensitive or confidential data (accidental or deliberate)
The response to security incidents involves:
- Immediate Response
- Preservation of Physical Evidence
- Inform & escalate
Escalated security incidents are recorded in the security register and owned by the Security Team. The nature and severity of incidents is recorded. Each incident is assigned an owner who is responsible for managing the incident through to resolution. This includes communication with, and engaging the efforts of all relevant parties, including customers and suppliers where necessary.
An internal report is produced which includes lessons learnt, improvement opportunities and a review of controls. Where the incident influences CMS’s customer base, a report is made available to the customer on request through our service desk.
An analysis of incidents is performed every 6 months to identify underlying trends and to ensure that improvement opportunities identified have been acted on.
15. CMS Approach to Business Continuity Planning
In the delivery of products and services to customers, CMS has ensured that all reasonable and practical measures are in place to provide resilience and incident management to minimise the effects of major events. Our partners, Claranet, achieved ISO22301 compliance to ensure that our Business Continuity Plan is kept up to date and regularly tested by an external party. We have a number of supporting processes that ensure the business runs efficiently during any kind of business- or service-interrupting event:
- Major Service Incident Process – to manage incidents where the availability of services provided via CMS to customers are
- Security Incident Process – to manage incidents where the security of CMS infrastructure or data has been compromised
- Business Continuity Process – to manage incidents which affect CMS’s ability to carry out day-to-day operations.
CMS regularly tests its business continuity plans. Performance is monitored during these sessions and used to drive refinements to processes, tools and resilience measures.
16. Customer Responsibilities
Having driver and vehicle solutions managed by CMS takes away a great deal of day-to-day hassle from our customers’ businesses. However, customers remain responsible for their own business continuity planning. Using additional products and services from our standard service offering, CMS, through our partner Claranet, is able to provide higher degrees of resilience and redundancy to those customers whose services are absolutely business critical.
17. Data Protection Act
CMS complies with the DPA and is registered with the Information Commissioner’s Office as a telematics and communications provider. Training is given to all staff at the start of their employment to ensure that its implications are understood and implemented throughout the business. To comply with the principles of the Act, CMS never stores hosted data outside the European Economic Area.
CMS is committed to complying with Requirements 9 and 12 of the PCI DSS standard. This means that our partner’s data centres meet the physical security requirements for sites storing card data and have annual reassessments conducted by a QSA to ensure those requirements are maintained.
19. ICO Recognition.
A copy of the ICO Guide to the General Data Protection Regulation (GDPR) is available from the ICO.