Data Protection Summary
Overview
At Liveforce, we are committed to the privacy and security of our customers’ and users’ data. Our privacy policy outlines our practices for collecting and processing personal data, which includes personal identifiers, contact details, employment details, financial details, and technical data.
We use this data to provide and improve our services, communicate with our users, and comply with our legal obligations.
- Nature of Data: We process sensitive personal data, which, if not handled appropriately, could potentially result in high risk to the rights and freedoms of individuals.
- Scale of Processing: Our operations often involve processing personal data on a large scale.
- Risk Assessment: We assess the level of risk associated with our data processing activities, taking into account both the likelihood and the severity of any impact on individuals.
- Compliance Measures: We evaluate the necessity, proportionality, and compliance measures of our data processing activities, ensuring alignment with data protection principles.
- Mitigation of Risks: We identify high risk issues and identify additional measures to mitigate those risks.
- Legal Requirement: We are both a controller and processor under UK GDPR and as such, take both responsibilities seriously.
In summary, we systematically and comprehensively analyse our data processing activities, identify and minimise data protection risks, demonstrate compliance with data protection laws, and build trust with our customers. We are committed to maintaining the highest standards of data protection and privacy for our users.
Nature of Data Collected
Liveforce, in its role as a data controller, collects personal data including:
- Title
- Gender
- Name
- Email address
- Date of birth
- Registration date
- Login times and attempts
- Verification status
- Platform activity
As a processor, Liveforce processes additional personal information such as:
- Address
- Telephone number
- Social security number
- Bank details
- Employment details
- Identification documents
- Invoices
- Other relevant information for job scheduling and management
Please note that Liveforce does not collect special category or criminal offence data. However, customers may collect this data as they are the controller.
Data Collection Frequency and Retention
Data collection is an integral part of the recruitment, scheduling, booking, invoicing, and payments cycle of a temporary workforce.
Liveforce retains personal data throughout the entire contract period with the customer.
In the event of a dispute, data is retained as long as necessary to defend, establish, or exercise any claims.
Workforce users have the option to delete their account data at any time.
Nature of Relationship with Individuals
Liveforce maintains a business relationship with its customers, who are businesses managing their workers using the service.
Customers have control over their data and can opt-in or opt-out of communications.
They can also request access to their data or request deletion from the system.
Expectations and Concerns
Liveforce’s data usage aligns with its privacy policy, ensuring that nothing unexpected is stored or shared.
The platform does not permit individuals under 16 to sign up.
Standard best practices for data collection and storage are applied, and current technology, including cookies and geofencing, is used to protect data integrity and security.
There are no current public concerns regarding data collection.
Lawful Basis for Processing and Mitigating Risks
Liveforce processes personal data based on legitimate interest, consent, and fulfilment of legal obligations.
The company systematically analyses data processing activities, identifies and minimises data protection risks, and demonstrates compliance with data protection laws.
Measures implemented include advanced security measures, privacy settings, data vetting, encryption, access controls, two-factor authentication, and regular training to mitigate risks.
Safeguarding International Transfers
Customer data is stored in the EU with AWS, adhering to the CISPE Code. All customer data stored in AWS is encrypted at rest and can only be accessed through strict controls. Processors outside the EU comply with the Privacy Shield Framework or other approved frameworks.
Current Activity and Remediation of Outstanding Risks
We are in the process of integrating our platform with Auth0, a move aimed at mitigating risks such as unauthorised access and account takeover. This risk reduction is achieved through the implementation of two-factor authentication and bot detection measures for platform access, both of which are key features of Auth0’s robust security suite. Additionally, Auth0’s incident response procedures will further enhance our platform’s security.
We acknowledge that there is a gap in our customers’ understanding of GDPR and data protection, and we also recognise that some of our policies need updating. In response to these issues, we are developing new features to help with compliance, reviewing existing features with a legal expert, updating our terms and policies, and launching a training program for our customers. This program will enhance their understanding of GDPR and data protection, and inform them of their rights and responsibilities as well as providing day-to-day practical guidance.
Information to Help With a DPIA
| Question | Answer |
| What is the nature of the data liveforce collects? | As a controller, we collect title, gender, name, email-address, D.O.B., registration date, login times, login attempts, verification status and platform activity. As a processor, the data we process includes personal information such as address, telephone number, social security number, bank details, employment details, identification documents, invoices and other relevant information for job scheduling and management. |
| Does it include special category or criminal offence data? | We do not collect this data, but our customers can if they choose to as they are the controller of this data. |
| How much data will you be collecting and using? | Liveforce collects and uses data that is required to fulfil its intended purposes as an on-demand workforce management system. All personally identifiable data is used solely for the purpose of our customers managing their staff; and staff managing their employment with our customers. |
| How often? | We collect data as part of the normal cycle of recruitment, scheduling, booking, invoicing and payments of a temporary workforce. |
| How long will you keep it? | Liveforce retains personal data during the entire contract period between them and their customer. In case of a dispute, data is retained as long as necessary to defend, establish or exercise any claims. For workforce, where we are controllers of their account data, they are able to delete this at any time. |
| What geographical area does it cover? | This is across multiple countries. |
| Question | Answer |
| Nature of relationship with individuals | Liveforce has a business relationship with its users, who are typically workers seeking work or customers managing their workers using the service. |
| Control individuals have | Users have control over their data and can opt-in or opt-out of communications. They can also request access to their data or request full deletion of their data from the system. |
| Expectation of data usage | To support our services and business operations, there is nothing that we store or share that is unexpected and is not covered in our privacy policy. |
| Inclusion of children or other vulnerable groups | We do not allow under 16s to sign-up to our platform and as a Data Controller do not engage with customers that would abuse vulnerable groups, this is against our T&Cs. As a data-processer, we do not have control over what data is collected and stored. |
| Prior concerns over this type of processing or security flaws | As our role is one of both controller, with basic account data and processor with personal data including identity documents and bank details, we apply standard best-practice with regard to their collection and storage. |
| Novelty of the processing | We don’t process data in any novel ways. |
| Current state of technology in this area | We uses current technology for data processing, including cookies and other technologies for collecting data, and geofencing for location services. Our business is not data, it is in supplying services to our customers and as such the technology we use is not to track or monetise our users, it is to protect their data’s integrity and security. |
| Current issues of public concern | We don’t have any issues of public concern as the data we collect as a data controller is the minimum we require to conduct our business operations. |
| Approved code of conduct or certification scheme | We have no approved code of conduct or certification scheme, but we apply with the General Data Protection Regulation (GDPR) and Data Protection Laws and maintain SOC-2 readiness with a full suite of controls, procedures and narratives. |
| Question | Answer |
| What is our lawful basis for processing? | We process personal data based on legitimate interest, consent, and fulfilment of legal obligations. |
| Does the processing actually achieve our purpose? | Yes, the processing of personal data allows us to deliver our services, communicate about our service, develop our service, conduct marketing, ensure information security, comply with the law, and safeguard our legal interests. We collect the minimum amount of data we require to conduct our everyday business. |
| Is there another way to achieve the same outcome? | The processing of personal data is essential for us to deliver our services and meet our obligations. Without processing personal data, it would be difficult for us to achieve the same outcomes. |
| How will we prevent function creep? | We only process personal data that is necessary for our services and operations. We apply the principles of “Privacy by Design” and “Privacy by Default”, ensuring that we only process enough data to serve our customers and users. |
| How will we ensure data quality and data minimisation? | We ensure data quality by processing personal data lawfully, fairly, and in a transparent manner. We practise data minimisation by processing only the necessary data for our services and operations. |
| What information will we give individuals? | We provide individuals with information about the types of personal data we collect, the purposes for which we process personal data, the lawful basis for processing, and the duration for which we retain personal data. We have a legal section on our site that has a comprehensive breakdown of all aspects of how we use data. |
| How will we help to support their rights? | We allow individuals to opt-in and opt-out of receiving information from us. We also provide individuals with the right to access and delete their personal data from our system. |
| What measures do we take to ensure processors comply? | We share personal data with processors that help us deliver our services and run our business, subject to Data Processing Agreements (DPA). All processors are required to meet appropriate security requirements and comply with all applicable legislation. |
| How do we safeguard any international transfers? | We store all of our customer’s data in the EU with AWS that adhere to the CISPE Code. They commit to not using customer data for their own purposes, including for data mining, profiling or direct marketing. All customer data that we store in AWS is encrypted at rest and can only be accessed through strict controls. The CISPE Code assures organisations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. This gives cloud customers additional confidence that they can choose services that have been independently verified for their compliance with the GDPR. All processors outside of the EU comply with the Privacy Shield Framework or any other such framework approved by the EU. |
Summary of Risks
| Data Collected | Source of Risk | Potential Impact on Individuals | Likelihood of Harm | Severity of Harm | Overall Risk | Compliance and Corporate Risks |
| Contact information (name, phone number, email address) | Unauthorised access, data breaches | Identity theft, privacy invasion | Low | High | Medium | Legal penalties, reputational damage |
| Payment information | Unauthorised access, data breaches | Financial fraud, identity theft | Low | High | Medium | Legal penalties, reputational damage, financial loss |
| Technical, usage and location information | Unauthorised access, data breaches | Privacy invasion, unauthorised tracking | Low | Medium | Low | Legal penalties, reputational damage |
| Information from third-party platforms | Data sharing policies of third parties, data breaches | Privacy invasion, identity theft | Medium | High | Medium | Legal penalties, reputational damage, dependency on third parties |
| Customer Data | Unauthorised access, data breaches | Privacy invasion, identity theft | Low | High | Medium | Legal penalties, reputational damage |
| Workforce Data | Unauthorised access, data breaches | Privacy invasion, identity theft, unauthorised tracking | Low | High | Medium | Legal penalties, reputational damage |
Measures Implemented to Date
| Risk | Options to Reduce or Eliminate Risk | Effect on Risk | Residual Risk | Measure Implemented |
| Unauthorised access, data breaches (Contact Information, Payment Information, Customer Data, Workforce Data) | Implement advanced security measures such as encryption, two-factor authentication, and regular security audits. Conduct regular staff training on data security. | Decreases the likelihood of unauthorised access or data breaches. | Low | Yes |
| Privacy invasion, unauthorised tracking (Technical, usage and location information) | Provide clear and easily accessible privacy settings for users. Allow users to opt-out of location tracking. | Decreases the likelihood of privacy invasion or unauthorised tracking. | Low | Yes |
| Data sharing policies of third parties, data breaches (Information from third-party platforms) | Carefully vet third-party platforms for their data security measures. Limit the amount of data shared with third parties. | Decreases the likelihood of data breaches from third-party platforms. | Low to medium | Yes |
| Identity theft (Contact Information, Payment Information, Customer Data, Workforce Data) | Implement advanced security measures such as encryption, two-factor authentication, and regular security audits. Conduct regular staff training on data security. | Decreases the likelihood of identity theft. | Low | Yes |
| Unauthorised access to personal data | Implement multi-factor authentication, regular security audits, and continuous monitoring of systems | Reduced | Low | Yes |
| Data breaches | Use encryption for data at rest and in transit, maintain up-to-date security systems, and conduct regular vulnerability assessments | Reduced | Low | Yes |
| Non-compliance with data protection laws | Regularly review and update privacy policies, provide clear and transparent information to users about their data, and ensure adherence to GDPR and other relevant laws | Reduced | Low | Yes |
| Loss of data | Regularly backup data and implement disaster recovery plans | Reduced | Low | Yes |
| Misuse of personal data | Limit data collection to what is necessary, obtain clear consent from users, and provide users with control over their data | Reduced | Low | Yes |
| Unauthorised access to servers | Implement strict access controls, use of bastion hosts, and VPNs for accessing production servers | Reduced | Low | Yes |
| Misconfiguration of AWS resources | Use of AWS Config to monitor and record configuration changes of AWS resources | Reduced | Low | Yes |
| Unauthorised access to databases | Implement strict access controls, use of VPNs, and encryption for data at rest and in transit | Reduced | Low | Yes |
| Unauthorised access to API | API Gateway and Auth0 for OAuth 2.0 authentication and identity management | Reduced | Low | Yes |
| Data breaches in EC2 and Beanstalk | Implement strict access controls, use of IAM policies and roles, and monitoring through CloudTrail | Reduced | Low | Yes |
| Unauthorised access to Digital Ocean servers | Implement strict access controls and use of SSH keys for accessing servers | Reduced | Low | Yes |
| Unauthorised access to internal infrastructure | Implement strict access controls and use of MFA for accessing cloud services | Reduced | Low | Yes |
| Security vulnerabilities in employee devices | Implement security measures such as antivirus software, firewalls, and full-disk encryption on employee devices | Reduced | Low | Yes |
| Non-compliance with data protection laws | Regularly review and update privacy policies, provide clear and transparent information to users about their data, and ensure adherence to GDPR and other relevant laws | Reduced | Low | Yes |
| Data loss due to database failure | Nightly backups, high-availability setup with a read-replica in another location, and automatic failover | Reduced | Low | Yes |
| Inability to restore data after loss | Use of point in time restoration with a 5-minute window for any time within 35 days, and ability to restore from a DB snapshot to a new DB instance | Reduced | Low | Yes |
| Data loss due to application failure | Retention of the 10 most recently deployed versions of the production application for quick roll-outs in case of critical issues | Reduced | Low | Yes |
| Unauthorised access to source code | Use of Bitbucket for source control with strict access controls & 2FA | Reduced | Low | Yes |
| Misalignment of objectives across departments | Regular communication of objectives by executive management and aligning compensation with objectives | Reduced | Low | Yes |
| Fraud risk | Conducting regular financial audits, adhering to financial control principles, investigating suspicious transactions, and maximising the use of information technology in fraud detection | Reduced | Low | Yes |
| Ineffective management oversight | Board Director oversees the Managing Director, and a non-executive Director will be appointed for additional oversight | Reduced | Low | Yes |
| Risk of unethical behaviour | Directors demonstrate standards of ethics and integrity, commitment to honesty in interactions among all stakeholders | Reduced | Low | Yes |
| Unauthorised access to confidential data | Mandatory data encryption at rest and in motion, multi-factor authentication for access to cloud infrastructure, limited access to production data | Reduced | Low | Yes |
| Inadequate monitoring of production systems | Activity and anomaly monitoring on production systems, scheduled security and audit procedures | Reduced | Low | Yes |
| Vulnerability exploitation | Vulnerability management program, scheduled security and audit procedures, penetration test | Reduced | Low | Yes |
| Non-compliance with policies | Policy controls including Access Control Policy, Encryption Policy, Password Policy, etc., policy exception process, policy training | Reduced | Low | Yes |
| Inadequate response to security-related events | Event-driven security and audit procedures, incidence response training | Reduced | Low | Yes |
| Inadequate communication of control outcomes | Internal communication channels such as Jira, Slack, Email, and external communication according to contractual and regulatory/statutory obligation | Reduced | Low | Yes |
| Unexpected or unplanned downtime of information systems | Implement system redundancy, introduce failover mechanisms, implement monitoring, capacity management and load balancing techniques | Reduced | Low | Yes |
| Unauthorised access to backups | Backups are stored off-site with multiple points of redundancy and protected using encryption and key management | Reduced | Low | Yes |
| Inadequate data backup plan | Regular full and incremental backups of critical resources, tests of backup data and configurations | Reduced | Low | Yes |
| Inadequate redundancy and failover plan | Network infrastructure and servers supporting critical resources must have system-level redundancy, servers classified as high availability must use disk mirroring | Reduced | Low | Yes |
| Inadequate business continuity plan | Define recovery time and data loss limits, identify critical resources, personnel, and necessary corrective actions, assign specific responsibilities and tasks for responding to emergencies and resuming business operations | Reduced | Low | Yes |
| Non-compliance with legal and regulatory requirements | Ensure all applicable legal and regulatory requirements are satisfied in the business continuity plan | Reduced | Low | Yes |
| Unauthorised access to confidential information | Implement strict access controls, require employees to sign non-disclosure/non-compete agreements, encrypt electronic information, secure physical documents | Reduced | Low | Yes |
| Improper disposal of confidential information | Implement procedures for safely disposing of documents when no longer needed | Reduced | Low | Yes |
| Unauthorised disclosure of confidential information | Implement strict procedures for disclosing information, require prior written authorisation for any exceptions | Reduced | Low | Yes |
| Confidential information used for personal gain | Implement strict procedures and disciplinary actions for unauthorised use of confidential information | Reduced | Low | Yes |
| Confidential information stored in unsecured manners | Implement strict procedures for storing confidential information, use encryption and other technical measures to safeguard databases | Reduced | Low | Yes |
| Confidential information removed from company’s premises | Implement strict procedures for handling confidential information, limit removal of confidential documents from company’s premises | Reduced | Low | Yes |
| Inadequate offboarding measures | Implement comprehensive offboarding procedures, confirm completion of offboarding procedure by final date of employment | Reduced | Low | Yes |
| Non-compliance with legal and regulatory requirements | Ensure all applicable legal and regulatory requirements are satisfied, disclose information to regulatory agencies as part of an audit or investigation when necessary | Reduced | Low | Yes |
| Non-compliance with information security policy | Ensure all employees, contractors, and other individuals read and acknowledge all information security policies | Reduced | Low | Yes |
| Unauthorised access to information systems | Implement Data Center Security Policy, Remote Access Policy, and other relevant policies | Reduced | Low | Yes |
| Inadequate security in software development life cycle | Implement Software Development Lifecycle Policy | Reduced | Low | Yes |
| Inadequate handling of information security incidents | Implement Security Incident Response Policy | Reduced | Low | Yes |
| Inadequate disaster recovery and business continuity management | Implement Disaster Recovery Policy | Reduced | Low | Yes |
| Inadequate information system availability and redundancy | Implement System Availability Policy | Reduced | Low | Yes |
| Non-compliance with legal, regulatory, and contractual requirements | Ensure information security program is compliant with all relevant requirements | Reduced | Low | Yes |
| Inadequate management of information security | Set and review objectives for information security, measure fulfilment of objectives | Reduced | Low | Ye |
| Non-compliance with data processor agreement | Ensure all parties involved understand and adhere to the terms of the agreement | Reduced | Low | Yes |
| Unauthorised access to personal data | Implement strict access controls and ensure all data is processed within the EU/EES | Reduced | Low | Yes |
| Inadequate security measures | Implement appropriate technical and organisational measures to protect personal data | Reduced | Low | Yes |
| Data breach | Implement a robust data breach notification system and assist the Data Controller in fulfilling its data breach notification requirements | Reduced | Low | Yes |
| Non-compliance with audit rights | Allow the Data Controller to verify compliance with the data processor agreement and assist in audits | Reduced | Low | Yes |
| Inadequate measures upon completion of processing of personal data | Erase personal data processed under the agreement after a specified period unless instructed otherwise | Reduced | Low | Yes |
| Non-compliance with compensation terms | Ensure all parties understand and adhere to the compensation terms of the agreement | Reduced | Low | Yes |
| Non-compliance with data processing instructions | Ensure all data processing activities are carried out in accordance with the instructions provided in Appendix 1 | Reduced | Low | Yes |
| Unauthorised sub-processors | Only engage pre-approved sub-processors and update the list of sub-processors as necessary | Reduced | Low | Yes |