Investors in People Data Security / Protection FAQs
Yes, registration number: ZA286529
Yes – please see the Data Protection Policy on our website:
No, IIP has a controller to controller relationship with our clients and Practitioners who deliver the IIP service. A data controller is an organisation that determines what data is needed, what can be done with it, and how to handle that data – we therefore need to process the data according to our processes, in particular the data used within our online assessment system.
Please see the Subject Access Request section on our website:
IIP Assessment Survey
No, all data is aggregated and anonymised removing any Personal Identifiable Information (PII) before being shared with your organisation and any third parties such as Practitioners, delivery partners (see Appendix 1) and other administrators. For the protection of small groups where data trends could be interpreted and linked back to individual submissions, aggregated group data is not shown until there are at least seven responses in the group in question.
Survey data, including personal data, is stored securely within Amazon Web Services. The entire data application (instances, databases, snapshots, backups) is stored within the EU‐West‐1 (Dublin) data centres, and so adheres to EU controls limiting storage within the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key‐based authentication, and further secured with strict ACLs requiring access through secure Cisco VPNs. Our architects are all security cleared with an Enhanced DBS, and have all been involved in the IIP projects for more than three years.
Access to servers is restricted with ACLs, Security Groups, and iptables for instance‐specific controls. Backups are run nightly and replicated to a S3 bucket in an AWS region (eu‐west‐1 ‐ Dublin).
For further information on AWS security, including physical access control, auto‐replication (redundancy), hypervisor security, and power/infrastructure redundancy, please see: https://aws.amazon.com/compliance/.
Application passwords are managed using Drupal ‐ passwords are salted and re‐hashed multiple times. Plain‐text passwords are never stored in the database. Brute‐force attacks are mitigated by auto‐blocking login attempts after five failed attempts. Once logged‐in, the system supports full RBAC, with minimum‐granted permissions (user permissions are granted only when needed for a user account, rather than granting system‐wide access).
All communications with the site are via HTTPS, using HSTS and modern cipher suites (TLS1.0+). Ciphers are reviewed regularly to ensure security compliance. The system scores the top mark (A+) with independent access check from SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=www.investorsinpeople.co
Data is transferred between IIP web systems, including CRM, website and survey platform, using custom built APIs (e.g. between Roden & Gene); these APIs are not publicly documented which provides a layer of security through associated obscurity.
Data is encrypted during transit (both between servers and between web server and client) using industry‐leading HTTPS configurations.
We select our third‐party service providers with care. We provide these third parties with the information that is necessary to enable them to provide the services for which they are engaged. We take steps to ensure that they comply with their obligations under GDPR and Data Protection Legislation.
In certain geographical locations we may also allow third party delivery partners to deliver services to your organisation using our brand and methodologies. These partners are listed in Appendix 1, and we call them our Delivery Partners.
- IIP Head Office staff (only those required to administer the survey)
- Where applicable ‐ administrators from the specific Delivery Partner that works with you in order to administer the survey.
Our Delivery Partners
- IIP Scotland: This is Remarkable Limited
- IIP Philippines: Inspiring Partners Inc