Privacy Statement
PRIVACY STATEMENT & SECURITY DETAILS
Computer Clinic takes our own security and our customers' security very seriously. We review everything continuously and actively as part of our official IT policy. Our appointed Privacy Officer for the company is Patrick Moran.
ABBREVIATIONS USED
GDPR = European General Data Protection Regulation
HIPAA = Health Insurance Portability and Accountability Act
CCPA = California Consumer Privacy Act
CRM = Customer Relationship Management
ERP = Enterprise Resource Planning
2FA = Two Factor Authentication
MFA = Multi Factor Authentication
DATA ON PHYSICAL DEVICES
We do not store or hold any customer data, information or documents physically on our computers.
When copying data from one computer to another, we temporarily store the data on the external drive used at the time; this drive is then securely wiped after use using a recognised system.
WHAT DATA IS STORED?
We do store some essential information relating to our commercial customers in order to communicate with them, and this data is stored in compliance with GDPR and CCPA via our CRM/ERP system. This information includes but is not limited to:-
Business Name
Director/Business Owner Name(s)
Business Address(es)
Business Phone Number(s)
Business EMail Address(es)
Our customers' employees and contractors (who work within the businesses we deal with), including key people, will also have their contact details stored online in our CRM/ERP system for communication purposes. The details stored are the name and contact details.
ACCESSING OUR CUSTOMERS' SYSTEMS & SERVICES
As an IT provider, we do need to log in to our customers' IT systems to provide maintenance on them.
Below is our statement of what we do, how we do it and how it is protected.
REMOTE ASSISTANCE TOOL - TEAMVIEWER SOFTWARE
This is used for remote access to computers so we can work on them remotely.
We have an Enterprise Account with Teamviewer which cannot be accessed with the password alone. The login to this account is protected with:-
Geo location locks
Only trusted devices can log in
If any other device attempts to log in, even with the correct password, it is blocked and we receive alerts
Three-factor authentication is enforced on the login account as follows:-
The 1st factor is purely the username and password used to log in to our Teamviewer account.
The 2nd factor is an approval prompt in a mobile app, which blocks access unless approved. Once approved, the login proceeds to the 3rd factor.
The 3rd factor is an email from Teamviewer stating that a new and untrusted device is attempting to log in. From there we must go through a trusted device approval process to add it to the trusted device list before access to our Teamviewer account is granted.
HOW DO WE ACCESS OUR CUSTOMERS' EMAIL SYSTEMS AND HOW DO WE PROTECT THESE LOGIN DETAILS?
For example, we are often asked to log in to a Microsoft 365 or Google Workspace administrator account to carry out maintenance on user accounts (add, delete, reset passwords, etc.).
We have our own username and password for each account. This login to the email system is protected with two-factor authentication with Microsoft or Google. The login details are all unique and we store them in:-
Our online CRM/ERP system, which is completely locked down with complex multi-factor authentication and an auto lockout policy.
Our secure passphrase management system, which is completely locked down with complex multi-factor authentication and an auto lockout policy.
The names of these systems can be supplied upon request if needed, but as the information supplied here is public, for security purposes we do not wish to state openly what they are. However, we can confirm that both systems are recognised, international, industry-standard and maintained solutions which are fully protected by two-factor authentication and an auto lockout policy.
Computer Clinic does not access any computers, in person or remotely, without prior permission, which may require the customer to provide us with a password.
Computer Clinic does not and cannot access any Microsoft or Google email accounts, as these are protected via MFA which is tied to each user. The MFA method will be an app or text message on each person's mobile phone.
We access the admin centres of the Microsoft and Google email systems using our own username, password and MFA. This account does not have a licence and is intended for backend configuration changes, e.g. we log in to purchase and create any required licences and user accounts, as well as helping with the correct process of onboarding or off-boarding user accounts.
HOW DO WE SECURE ACCESS TO OUR CRM/ERP AND PASSPHRASE MANAGEMENT SYSTEM?
The CRM & ERP systems have 2FA enabled on all user accounts and automatic logouts.
The master password for the password and passphrase manager is not written down anywhere digitally; it is held in memory only. The passphrases are extremely long and unique. There is also an auto lockout policy on the systems, so all devices are automatically logged out on a regular basis.
Any details stored in our CRM/ERP system are encrypted and not stored in clear or plain text. Because of this, even when logged in to our CRM/ERP system, the details are hidden when viewing each user account and must be explicitly revealed. For some highly sensitive data, an additional password must be entered before the details are revealed.
E-MAIL SYSTEM
Computer Clinic utilises the Microsoft 365 platform for its email system. It is recognised internationally as one of two secure mainstream systems, the other being Microsoft 365 Exchange.
We are proficient with both systems and are qualified to set up, secure and maintain them. We are also official partners with both Microsoft and Google.
All email accounts have two-factor authentication enabled, trusted devices, and very secure, unique, long passphrases.
DEVICE SECURITY
Access to all computers is via a username and password. We all log in to our computers using a Microsoft Account which is protected with two-factor authentication.
All PCs, laptops and Android phones in use by Computer Clinic have commercial-grade anti-virus installed on them: ESET Antivirus.
The main user account on the PCs/laptops has no administrative rights, so software cannot be installed or run with administrative rights on these devices without authorization from an administrator account.
The filesystems on these devices are encrypted.
MOBILE PHONES
We only use mainstream, recognised brands of mobile phones, namely Apple and Samsung. Our mobile phones are fully up to date and all are secured with a combination of biometrics and a password, so no unauthorised access to these devices is possible. We also use ESET antivirus on our mobile phones for additional security.
WORKING FROM HOME
When team members are working from home they only use Computer Clinic supplied equipment which is fully protected as listed above.
BACKUP SYSTEMS
Computer Clinic uses 3rd parties for all backup systems. These are international companies with data centres in Melbourne and Sydney. All backup systems and data centres comply with required regulations worldwide such as HIPAA, along with many other high-level security, auditing and expected international standards.
NDA - Non-Disclosure Agreements
Computer Clinic actively encourages the signing of Non-Disclosure Agreements and routinely does so. This gives written and legal assurance that we will never disclose any information pertaining to any company that we are assisting. We are happy to sign NDAs.
Computer Clinic does not share any data we have on file from our customers with any 3rd parties including social media companies.
ACCOUNTING SYSTEM
Computer Clinic uses Xero for its accountancy system. Xero is world-renowned and has excellent security. Our accounts all have two-factor authentication enabled and unique passphrases.
OUR PASSWORD / PASSPHRASE POLICY
All stored passphrases are securely encrypted by our Passphrase Manager (stated above).
Any passwords supplied to our customers are sent via an encrypted link or other secure method. Note that encrypted links expire after 7 days.
CONCLUSION
If you have any questions or concerns with any of the above, please do not hesitate to contact us for further discussion and clarification.