Data Security Policy

1. Introduction

Talent Grid Limited (NZBN: 9429051450724) ("TalentGrid", "we", "us", or "our") is committed to protecting the security, confidentiality, and integrity of personal information and data processed through our platform. This Data Security Policy outlines the technical and organisational measures we implement to safeguard your data.

This policy complies with the New Zealand Privacy Act 2020, specifically Information Privacy Principle 5 (IPP 5), which requires agencies to protect personal information through appropriate security safeguards.

2. Scope

This policy applies to all:

• Personal information collected, stored, or processed by TalentGrid
• Systems, applications, and infrastructure used to operate the TalentGrid platform
• Third-party service providers who process data on our behalf
• TalentGrid employees, contractors, and authorised personnel with access to data

3. Data Classification

We classify data into the following categories to apply appropriate security controls:

3.1 Highly Sensitive Data

• Authentication credentials (passwords, API keys, tokens)
• Banking and payment information
• Police vetting results
• Health information
• IRD numbers and tax details

3.2 Sensitive Data

• Professional credentials and qualifications
• Contact details (email, phone, address)
• Employment history and references
• Shift records and timesheets
• Communication between users

3.3 General Data

• Public profile information (where user has chosen to share)
• Aggregated, anonymised analytics data
• Non-identifying usage statistics

4. Technical Security Measures

4.1 Encryption

• Data in Transit: All data transmitted between users and our servers is encrypted using TLS 1.2 or higher (HTTPS)
• Data at Rest: Sensitive data stored in databases is encrypted using AES-256 encryption
• Password Storage: User passwords are hashed using bcrypt with salt before storage; passwords are never stored in plain text
• API Communications: All API endpoints require encrypted connections

4.2 Access Controls

• Authentication: Multi-factor authentication (MFA) is required for administrative access
• Role-Based Access: Access to data is restricted based on job function and need-to-know basis
• Least Privilege Principle: Users and systems are granted the minimum permissions necessary
• Session Management: Automatic session timeout after periods of inactivity
• Audit Logging: All access to sensitive data is logged and monitored

4.3 Infrastructure Security

• Cloud Hosting: Platform hosted on secure, professionally managed cloud infrastructure with ISO 27001 certification
• Firewalls: Network firewalls protect against unauthorised access
• Intrusion Detection: Automated systems monitor for suspicious activity
• DDoS Protection: Distributed denial-of-service mitigation measures in place
• Regular Updates: Security patches and updates applied promptly to all systems

4.4 Application Security

• Secure Development: Code reviewed for security vulnerabilities before deployment
• Input Validation: All user inputs validated and sanitised to prevent injection attacks
• XSS Protection: Cross-site scripting protections implemented
• CSRF Protection: Cross-site request forgery tokens used for state-changing operations
• Dependency Management: Third-party libraries regularly updated and scanned for vulnerabilities

4.5 Data Backup and Recovery

• Regular Backups: Automated daily backups of all critical data
• Encrypted Backups: All backups encrypted using industry-standard methods
• Offsite Storage: Backups stored in geographically separate locations
• Disaster Recovery: Documented recovery procedures tested regularly
• Retention: Backups retained for 30 days with point-in-time recovery capability

5. Organisational Security Measures

5.1 Personnel Security

• Background Checks: Police vetting conducted for employees with access to sensitive data
• Confidentiality Agreements: All personnel sign confidentiality and data protection agreements
• Security Training: Regular training on data security best practices and privacy obligations
• Access Reviews: Periodic reviews of user access rights and permissions
• Offboarding: Immediate revocation of access when employees leave or change roles

5.2 Third-Party Security

• Vendor Assessment: Due diligence conducted on all third-party service providers
• Data Processing Agreements: Contracts require third parties to implement appropriate security measures
• Limited Access: Third parties granted only minimum necessary access to data
• Regular Reviews: Ongoing monitoring of third-party security practices

5.3 Security Policies and Procedures

• Documented Policies: Comprehensive information security policies and procedures
• Incident Response Plan: Defined procedures for detecting, responding to, and recovering from security incidents
• Change Management: Formal process for reviewing and approving system changes
• Risk Assessment: Regular assessment of security risks and vulnerabilities

6. Data Breach Management

6.1 Detection and Response

• 24/7 monitoring for security incidents and potential breaches
• Automated alerts for suspicious activity
• Immediate investigation and containment of suspected breaches
• Forensic analysis to determine scope and impact

6.2 Notification

In accordance with Part 6 of the Privacy Act 2020, we will:

• Notify the Office of the Privacy Commissioner as soon as practicable for breaches likely to cause serious harm
• Notify affected individuals directly where the breach poses serious risk
• Provide clear information about:
  • The nature of the breach
  • What information was involved
  • Steps being taken to address the breach
  • Recommended actions for affected individuals

6.3 Post-Incident Review

• Comprehensive review of all security incidents
• Root cause analysis to prevent recurrence
• Updates to security measures and procedures as needed
• Documentation and reporting to management

7. User Responsibilities

Users play a critical role in maintaining security. You are responsible for:

• Strong Passwords: Creating and maintaining strong, unique passwords
• Account Security: Keeping login credentials confidential and not sharing accounts
• Suspicious Activity: Reporting any suspected security incidents or unauthorised access
• Device Security: Ensuring devices used to access the platform are secure and up-to-date
• Secure Networks: Avoiding use of public or unsecured Wi-Fi networks for sensitive transactions
• Logout: Logging out when finished, especially on shared devices

8. Monitoring and Testing

• Security Audits: Annual third-party security audits and assessments
• Penetration Testing: Regular penetration testing to identify vulnerabilities
• Vulnerability Scanning: Automated scanning of infrastructure and applications
• Compliance Reviews: Regular reviews to ensure compliance with privacy and security regulations
• Performance Metrics: Tracking and reporting on security performance indicators

9. Data Retention and Disposal

• Data retained only as long as necessary for legal and business purposes
• Retention periods detailed in our Privacy Policy
• Secure deletion methods used to destroy data when no longer required
• Database records securely wiped and overwritten
• Physical media destroyed using certified destruction methods

10. Compliance and Certification

TalentGrid is committed to maintaining compliance with:

• New Zealand Privacy Act 2020
• Health Information Privacy Code 2020 (where applicable)
• Payment Card Industry Data Security Standard (PCI DSS) where applicable
• Industry best practices for information security

11. Continuous Improvement

Security is an ongoing process. We continuously review and update our security measures to address:

• Emerging threats and vulnerabilities
• New technologies and attack vectors
• Changes to regulatory requirements
• Lessons learned from security incidents
• Industry best practices and standards

12. Reporting Security Concerns

If you identify a security vulnerability or have concerns about data security:

We appreciate responsible disclosure and will investigate all reports promptly and confidentially.

13. Changes to This Policy

This Data Security Policy may be updated periodically to reflect changes in our security practices or regulatory requirements. Material changes will be communicated via email and platform notifications.

Related Documents

• Privacy Policy
• Cookie Policy
• Terms of Service
• Acceptable Use Policy