Are your servers located in the UK?
Yes, we can confirm that all of our servers are located in the UK. We manage our call and data storage servers ourselves in high-security data centres in Manchester and London. Our web servers are located in London and managed by a secure cloud-based third-party supplier.
How secure are your servers (cyber-security arrangements)?
Physical and remote access to our servers and the data centres in which they are located is heavily restricted. Any remote communication to and from the servers is encrypted and remote access is controlled via key exchange.
Do you have a backup strategy?
Yes, WHYPAY? employs a significant backup schedule for our systems, with 3-hourly, daily, weekly and monthly backups across our estate of databases, data storage, web-servers and call systems. These are a combination of on-site and off-site scheduled backups to ensure that multiple instances of data are available in the extremely unlikely event that our systems require restoration.
How secure is my data?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Do you subscribe to any standard security frameworks?
The data-centres in which we have our servers are certified to a variety of security frameworks, including, but not limited to, ISO 22301, PCI DSS, ISO 14001, ISO 9001, ISO 27001 and ISO 50001. Whilst WHYPAY? at this time does not subscribe, nor has any accreditations, to any of the aforementioned security frameworks, we have developed our internal data security policies in line with the practices stipulated in the aforementioned frameworks and best practices in the Information Systems Industry. However, we have plans in progress to become accredited to ISO 27001.
Are you regulated by any official body (e.g. Ofcom)?
WHYPAY? operates with its own Ofcom number allocations, and hence is bound by the Ofcom General Conditions of Entitlement as a UK communications provider and by the Information Commissioner's Office (ICO) with respect to data protection.
How can I communicate with you if I have sensitive information to share with you?
If you have some particularly sensitive data to send us, or wish to report something that would adversely affect the platform if it were publicly disclosed (Responsible Disclosure), please encrypt your communications with us. You can encrypt and verify emails to WHYPAY? using a PGP key. If you have any questions, or encounter any issues, please let us know. Further information can be found here: https://whypay.net/data-security-enquiries/.
What data do we collect from you?
Currently we collect the following information:
- Name, Email, Telephone number (in order to create an account).
- (Optional) Additional organisation information such as annual turnover should you choose to complete your account profile.
- The email addresses of participants if invited via our scheduling tool. Communication to participants is strictly for conference call scheduling only.
- As is required, Call Detail Records (CDRs) are stored by our telephone network service provider, which include telephone numbers, call start and end times, etc. These are accessible to specific WHYPAY? staff for customer support purposes. These may also be used from time to time for aggregated data analysis. Full telephone numbers of conference participants are never shared with WHYPAY? account holders or anyone else.
Account-holder telephone number and email address use:
Telephone numbers are not used for direct marketing purposes unless we receive your consent to do so. They may be used for internal aggregated data analysis to improve the platform and understand user behaviour. Account-holder email addresses are used for marketing and promotional purposes only where consent has been given.
After a conference has been held:
- Participant email addresses remain stored in the room data, since the room is permanent, so that organisers can arrange further conference calls in that room with the same people should they wish to.
- As above, telephone numbers are contained in CDR reports as required by all network providers for regulatory and legal purposes.
Are calls recorded?
Calls are recorded if call recording is turned on for that room by the organiser, in which case any participant joining a conference is notified that the call is being recorded before they join. The organiser retains control over who has access to recorded calls.
Is there an option to turn off recording?
Recording is turned off by default. Account-holders must upgrade to a paid plan in order to record conference calls.
If a call has been recorded what do we do with the recording after the call has finished?
Recorded conference calls are stored for 14 days on our storage servers, after which they are permanently and irreversibly deleted. Organisers can securely download recordings via their account whilst logged in, and can specify which participants should also have access to the recordings for any given room.
Are call recordings stored securely?
WHYPAY? stores your conference recordings on servers in high-security data centres in the UK that only our technical staff have access to. Customer access to recordings is only allowed via browser download using HTTPS, and recordings are automatically and permanently deleted after 14 days.
Will the data we have collected from you be disclosed to any other organisations?
WHYPAY? uses third-party service providers in order for the business to operate. Other than for the provision of system services, such as call routing, customer support software, subscription management software and other such parts of the WHYPAY? ecosystem, account-holder data is not sold or shared with other organisations for marketing purposes. Express opt-in consent from the account-holder would be required for any other organisation to contact them. We are, however, required to comply with any legal or regulatory request for information in support of a crime or to support investigations into fraud or misuse of the service.
What are your standard terms and conditions?
Our standard terms and conditions can be found on our website here: https://whypay.net/tscs/.