Data Protection Summary


At Liveforce, we are committed to the privacy and security of our customers’ and users’ data. Our privacy policy outlines our practices for collecting and processing personal data, which includes personal identifiers, contact details, employment details, financial details, and technical data.

We use this data to provide and improve our services, communicate with our users, and comply with our legal obligations.

  1. Nature of Data: We process sensitive personal data, which, if not handled appropriately, could potentially result in high risk to the rights and freedoms of individuals.
  2. Scale of Processing: Our operations often involve processing personal data on a large scale.
  3. Risk Assessment: We assess the level of risk associated with our data processing activities, taking into account both the likelihood and the severity of any impact on individuals.
  4. Compliance Measures: We evaluate the necessity, proportionality, and compliance measures of our data processing activities, ensuring alignment with data protection principles.
  5. Mitigation of Risks: We identify high risk issues and identify additional measures to mitigate those risks.
  6. Legal Requirement: We are both a controller and processor under UK GDPR and as such, take both responsibilities seriously.

In summary, we systematically and comprehensively analyse our data processing activities, identify and minimise data protection risks, demonstrate compliance with data protection laws, and build trust with our customers. We are committed to maintaining the highest standards of data protection and privacy for our users.

Nature of Data Collected

Liveforce, in its role as a data controller, collects personal data including:

  • Title
  • Gender
  • Name
  • Email address
  • Date of birth
  • Registration date
  • Login times and attempts
  • Verification status
  • Platform activity


As a processor, Liveforce processes additional personal information such as:

  • Address
  • Telephone number
  • Social security number
  • Bank details
  • Employment details
  • Identification documents
  • Invoices
  • Other relevant information for job scheduling and management


Please note that Liveforce does not collect special category or criminal offence data. However, customers may collect this data as they are the controller.

Data Collection Frequency and Retention

Data collection is an integral part of the recruitment, scheduling, booking, invoicing, and payments cycle of a temporary workforce.

Liveforce retains personal data throughout the entire contract period with the customer.

In the event of a dispute, data is retained as long as necessary to defend, establish, or exercise any claims.

Workforce users have the option to delete their account data at any time.

Nature of Relationship with Individuals

Liveforce maintains a business relationship with its customers, who are businesses managing their workers using the service.

Customers have control over their data and can opt-in or opt-out of communications.

They can also request access to their data or request deletion from the system.

Expectations and Concerns

Liveforce’s data usage aligns with its privacy policy, ensuring that nothing unexpected is stored or shared.

The platform does not permit individuals under 16 to sign up.

Standard best practices for data collection and storage are applied, and current technology, including cookies and geofencing, is used to protect data integrity and security.

There are no current public concerns regarding data collection.

Lawful Basis for Processing and Mitigating Risks

Liveforce processes personal data based on legitimate interest, consent, and fulfilment of legal obligations.

The company systematically analyses data processing activities, identifies and minimises data protection risks, and demonstrates compliance with data protection laws.

Measures implemented include advanced security measures, privacy settings, data vetting, encryption, access controls, two-factor authentication, and regular training to mitigate risks.

Safeguarding International Transfers

Customer data is stored in the EU with AWS, adhering to the CISPE Code. All customer data stored in AWS is encrypted at rest and can only be accessed through strict controls. Processors outside the EU comply with the Privacy Shield Framework or other approved frameworks.

Current Activity and Remediation of Outstanding Risks

We are in the process of integrating our platform with Auth0, a move aimed at mitigating risks such as unauthorised access and account takeover. This risk reduction is achieved through the implementation of two-factor authentication and bot detection measures for platform access, both of which are key features of Auth0’s robust security suite. Additionally, Auth0’s incident response procedures will further enhance our platform’s security.

We acknowledge that there is a gap in our customers’ understanding of GDPR and data protection, and we also recognise that some of our policies need updating. In response to these issues, we are developing new features to help with compliance, reviewing existing features with a legal expert, updating our terms and policies, and launching a training program for our customers. This program will enhance their understanding of GDPR and data protection, and inform them of their rights and responsibilities as well as providing day-to-day practical guidance.

Information to Help With a DPIA

What is the nature of the data liveforce collects?

As a controller, we collect title, gender, name, email-address, D.O.B., registration date, login times, login attempts, verification status and platform activity.

As a processor, the data we process includes personal information such as address, telephone number, social security number, bank details, employment details, identification documents, invoices and other relevant information for job scheduling and management.

Does it include special category or criminal offence data?We do not collect this data, but our customers can if they choose to as they are the controller of this data.
How much data will you be collecting and using?Liveforce collects and uses data that is required to fulfil its intended purposes as an on-demand workforce management system. All personally identifiable data is used solely for the purpose of our customers managing their staff; and staff managing their employment with our customers.
How often?We collect data as part of the normal cycle of recruitment, scheduling, booking, invoicing and payments of a temporary workforce.
How long will you keep it?Liveforce retains personal data during the entire contract period between them and their customer. In case of a dispute, data is retained as long as necessary to defend, establish or exercise any claims. For workforce, where we are controllers of their account data, they are able to delete this at any time.
What geographical area does it cover?This is across multiple countries.


Nature of relationship with individualsLiveforce has a business relationship with its users, who are typically workers seeking work or customers managing their workers using the service.
Control individuals haveUsers have control over their data and can opt-in or opt-out of communications. They can also request access to their data or request full deletion of their data from the system.
Expectation of data usageTo support our services and business operations, there is nothing that we store or share that is unexpected and is not covered in our privacy policy.
Inclusion of children or other vulnerable groupsWe do not allow under 16s to sign-up to our platform and as a Data Controller do not engage with customers that would abuse vulnerable groups, this is against our T&Cs. As a data-processer, we do not have control over what data is collected and stored.
Prior concerns over this type of processing or security flawsAs our role is one of both controller, with basic account data and processor with personal data including identity documents and bank details, we apply standard best-practice with regard to their collection and storage.
Novelty of the processingWe don’t process data in any novel ways.
Current state of technology in this area

We uses current technology for data processing, including cookies and other technologies for collecting data, and geofencing for location services.

Our business is not data, it is in supplying services to our customers and as such the technology we use is not to track or monetise our users, it is to protect their data’s integrity and security.

Current issues of public concernWe don’t have any issues of public concern as the data we collect as a data controller is the minimum we require to conduct our business operations.
Approved code of conduct or certification schemeWe have no approved code of conduct or certification scheme, but we apply with the General Data Protection Regulation (GDPR) and Data Protection Laws and maintain SOC-2 readiness with a full suite of controls, procedures and narratives.


What is our lawful basis for processing?We process personal data based on legitimate interest, consent, and fulfilment of legal obligations.
Does the processing actually achieve our purpose?Yes, the processing of personal data allows us to deliver our services, communicate about our service, develop our service, conduct marketing, ensure information security, comply with the law, and safeguard our legal interests. We collect the minimum amount of data we require to conduct our everyday business.
Is there another way to achieve the same outcome?The processing of personal data is essential for us to deliver our services and meet our obligations. Without processing personal data, it would be difficult for us to achieve the same outcomes.
How will we prevent function creep?We only process personal data that is necessary for our services and operations. We apply the principles of “Privacy by Design” and “Privacy by Default”, ensuring that we only process enough data to serve our customers and users.
How will we ensure data quality and data minimisation?We ensure data quality by processing personal data lawfully, fairly, and in a transparent manner. We practise data minimisation by processing only the necessary data for our services and operations.
What information will we give individuals?

We provide individuals with information about the types of personal data we collect, the purposes for which we process personal data, the lawful basis for processing, and the duration for which we retain personal data.

We have a legal section on our site that has a comprehensive breakdown of all aspects of how we use data.

How will we help to support their rights?

We allow individuals to opt-in and opt-out of receiving information from us.

We also provide individuals with the right to access and delete their personal data from our system.

What measures do we take to ensure processors comply?We share personal data with processors that help us deliver our services and run our business, subject to Data Processing Agreements (DPA). All processors are required to meet appropriate security requirements and comply with all applicable legislation.
How do we safeguard any international transfers?

We store all of our customer’s data in the EU with AWS that adhere to the CISPE Code. They commit to not using customer data for their own purposes, including for data mining, profiling or direct marketing.

All customer data that we store in AWS is encrypted at rest and can only be accessed through strict controls.

The CISPE Code assures organisations that their cloud infrastructure service provider meets the requirements applicable to a data processor under the GDPR. This gives cloud customers additional confidence that they can choose services that have been independently verified for their compliance with the GDPR.

All processors outside of the EU comply with the Privacy Shield Framework or any other such framework approved by the EU.

Summary of Risks

Data CollectedSource of RiskPotential Impact on IndividualsLikelihood of HarmSeverity of HarmOverall RiskCompliance and Corporate Risks
Contact information (name, phone number, email address)Unauthorised access, data breachesIdentity theft, privacy invasionLowHighMediumLegal penalties, reputational damage
Payment informationUnauthorised access, data breachesFinancial fraud, identity theftLowHighMediumLegal penalties, reputational damage, financial loss
Technical, usage and location informationUnauthorised access, data breachesPrivacy invasion, unauthorised trackingLowMediumLowLegal penalties, reputational damage
Information from third-party platformsData sharing policies of third parties, data breachesPrivacy invasion, identity theftMediumHighMediumLegal penalties, reputational damage, dependency on third parties
Customer DataUnauthorised access, data breachesPrivacy invasion, identity theftLowHighMediumLegal penalties, reputational damage
Workforce DataUnauthorised access, data breachesPrivacy invasion, identity theft, unauthorised trackingLowHighMediumLegal penalties, reputational damage

Measures Implemented to Date

RiskOptions to Reduce or Eliminate RiskEffect on RiskResidual RiskMeasure Implemented
Unauthorised access, data breaches (Contact Information, Payment Information, Customer Data, Workforce Data)Implement advanced security measures such as encryption, two-factor authentication, and regular security audits. Conduct regular staff training on data security.Decreases the likelihood of unauthorised access or data breaches.LowYes
Privacy invasion, unauthorised tracking (Technical, usage and location information)Provide clear and easily accessible privacy settings for users. Allow users to opt-out of location tracking.Decreases the likelihood of privacy invasion or unauthorised tracking.LowYes
Data sharing policies of third parties, data breaches (Information from third-party platforms)Carefully vet third-party platforms for their data security measures. Limit the amount of data shared with third parties.Decreases the likelihood of data breaches from third-party platforms.Low to mediumYes
Identity theft (Contact Information, Payment Information, Customer Data, Workforce Data)Implement advanced security measures such as encryption, two-factor authentication, and regular security audits. Conduct regular staff training on data security.Decreases the likelihood of identity theft.LowYes
Unauthorised access to personal dataImplement multi-factor authentication, regular security audits, and continuous monitoring of systemsReducedLowYes
Data breachesUse encryption for data at rest and in transit, maintain up-to-date security systems, and conduct regular vulnerability assessmentsReducedLowYes
Non-compliance with data protection lawsRegularly review and update privacy policies, provide clear and transparent information to users about their data, and ensure adherence to GDPR and other relevant lawsReducedLowYes
Loss of dataRegularly backup data and implement disaster recovery plansReducedLowYes
Misuse of personal dataLimit data collection to what is necessary, obtain clear consent from users, and provide users with control over their dataReducedLowYes
Unauthorised access to serversImplement strict access controls, use of bastion hosts, and VPNs for accessing production serversReducedLowYes
Misconfiguration of AWS resourcesUse of AWS Config to monitor and record configuration changes of AWS resourcesReducedLowYes
Unauthorised access to databasesImplement strict access controls, use of VPNs, and encryption for data at rest and in transitReducedLowYes
Unauthorised access to APIAPI Gateway and Auth0 for OAuth 2.0 authentication and identity managementReducedLowYes
Data breaches in EC2 and BeanstalkImplement strict access controls, use of IAM policies and roles, and monitoring through CloudTrailReducedLowYes
Unauthorised access to Digital Ocean serversImplement strict access controls and use of SSH keys for accessing serversReducedLowYes
Unauthorised access to internal infrastructureImplement strict access controls and use of MFA for accessing cloud servicesReducedLowYes
Security vulnerabilities in employee devicesImplement security measures such as antivirus software, firewalls, and full-disk encryption on employee devicesReducedLowYes
Non-compliance with data protection lawsRegularly review and update privacy policies, provide clear and transparent information to users about their data, and ensure adherence to GDPR and other relevant lawsReducedLowYes
Data loss due to database failureNightly backups, high-availability setup with a read-replica in another location, and automatic failoverReducedLowYes
Inability to restore data after lossUse of point in time restoration with a 5-minute window for any time within 35 days, and ability to restore from a DB snapshot to a new DB instanceReducedLowYes
Data loss due to application failureRetention of the 10 most recently deployed versions of the production application for quick roll-outs in case of critical issuesReducedLowYes
Unauthorised access to source codeUse of Bitbucket for source control with strict access controls & 2FAReducedLowYes
Misalignment of objectives across departmentsRegular communication of objectives by executive management and aligning compensation with objectivesReducedLowYes
Fraud riskConducting regular financial audits, adhering to financial control principles, investigating suspicious transactions, and maximising the use of information technology in fraud detectionReducedLowYes
Ineffective management oversightBoard Director oversees the Managing Director, and a non-executive Director will be appointed for additional oversightReducedLowYes
Risk of unethical behaviourDirectors demonstrate standards of ethics and integrity, commitment to honesty in interactions among all stakeholdersReducedLowYes
Unauthorised access to confidential dataMandatory data encryption at rest and in motion, multi-factor authentication for access to cloud infrastructure, limited access to production dataReducedLowYes
Inadequate monitoring of production systemsActivity and anomaly monitoring on production systems, scheduled security and audit proceduresReducedLowYes
Vulnerability exploitationVulnerability management program, scheduled security and audit procedures, penetration testReducedLowYes
Non-compliance with policiesPolicy controls including Access Control Policy, Encryption Policy, Password Policy, etc., policy exception process, policy trainingReducedLowYes
Inadequate response to security-related eventsEvent-driven security and audit procedures, incidence response trainingReducedLowYes
Inadequate communication of control outcomesInternal communication channels such as Jira, Slack, Email, and external communication according to contractual and regulatory/statutory obligationReducedLowYes
Unexpected or unplanned downtime of information systemsImplement system redundancy, introduce failover mechanisms, implement monitoring, capacity management and load balancing techniquesReducedLowYes
Unauthorised access to backupsBackups are stored off-site with multiple points of redundancy and protected using encryption and key managementReducedLowYes
Inadequate data backup planRegular full and incremental backups of critical resources, tests of backup data and configurationsReducedLowYes
Inadequate redundancy and failover planNetwork infrastructure and servers supporting critical resources must have system-level redundancy, servers classified as high availability must use disk mirroringReducedLowYes
Inadequate business continuity planDefine recovery time and data loss limits, identify critical resources, personnel, and necessary corrective actions, assign specific responsibilities and tasks for responding to emergencies and resuming business operationsReducedLowYes
Non-compliance with legal and regulatory requirementsEnsure all applicable legal and regulatory requirements are satisfied in the business continuity planReducedLowYes
Unauthorised access to confidential informationImplement strict access controls, require employees to sign non-disclosure/non-compete agreements, encrypt electronic information, secure physical documentsReducedLowYes
Improper disposal of confidential informationImplement procedures for safely disposing of documents when no longer neededReducedLowYes
Unauthorised disclosure of confidential informationImplement strict procedures for disclosing information, require prior written authorisation for any exceptionsReducedLowYes
Confidential information used for personal gainImplement strict procedures and disciplinary actions for unauthorised use of confidential informationReducedLowYes
Confidential information stored in unsecured mannersImplement strict procedures for storing confidential information, use encryption and other technical measures to safeguard databasesReducedLowYes
Confidential information removed from company’s premisesImplement strict procedures for handling confidential information, limit removal of confidential documents from company’s premisesReducedLowYes
Inadequate offboarding measuresImplement comprehensive offboarding procedures, confirm completion of offboarding procedure by final date of employmentReducedLowYes
Non-compliance with legal and regulatory requirementsEnsure all applicable legal and regulatory requirements are satisfied, disclose information to regulatory agencies as part of an audit or investigation when necessaryReducedLowYes
Non-compliance with information security policyEnsure all employees, contractors, and other individuals read and acknowledge all information security policiesReducedLowYes
Unauthorised access to information systemsImplement Data Center Security Policy, Remote Access Policy, and other relevant policiesReducedLowYes
Inadequate security in software development life cycleImplement Software Development Lifecycle PolicyReducedLowYes
Inadequate handling of information security incidentsImplement Security Incident Response PolicyReducedLowYes
Inadequate disaster recovery and business continuity managementImplement Disaster Recovery PolicyReducedLowYes
Inadequate information system availability and redundancyImplement System Availability PolicyReducedLowYes
Non-compliance with legal, regulatory, and contractual requirementsEnsure information security program is compliant with all relevant requirementsReducedLowYes
Inadequate management of information securitySet and review objectives for information security, measure fulfilment of objectivesReducedLowYe
Non-compliance with data processor agreementEnsure all parties involved understand and adhere to the terms of the agreementReducedLowYes
Unauthorised access to personal dataImplement strict access controls and ensure all data is processed within the EU/EESReducedLowYes
Inadequate security measuresImplement appropriate technical and organisational measures to protect personal dataReducedLowYes
Data breachImplement a robust data breach notification system and assist the Data Controller in fulfilling its data breach notification requirementsReducedLowYes
Non-compliance with audit rightsAllow the Data Controller to verify compliance with the data processor agreement and assist in auditsReducedLowYes
Inadequate measures upon completion of processing of personal dataErase personal data processed under the agreement after a specified period unless instructed otherwiseReducedLowYes
Non-compliance with compensation termsEnsure all parties understand and adhere to the compensation terms of the agreementReducedLowYes
Non-compliance with data processing instructionsEnsure all data processing activities are carried out in accordance with the instructions provided in Appendix 1ReducedLowYes
Unauthorised sub-processorsOnly engage pre-approved sub-processors and update the list of sub-processors as necessaryReducedLowYes