TextAnywhere

Our Background, our Policies and our Foundation

Take a free trial today

No commitment, simple sign up, includes free test credits

TextAnywhere Privacy and Data Processing Policy

Last Modified: Version 20 - 23rd May 2018

Section A – Privacy Policy

1. Introduction

This is the privacy and data processing of TextAnywhere (“TextAnywhere”). It applies only to personal data as defined in Section 1 of the 1998 Data Protection Act (“personal information” or “information”) the GDPR definitions from May the 25th 2018 and and not other types of business or general information. The policy tells you who we are, how we collect personal information about you through this website, what we intend to use that information for, with whom we intend to share it, and how we keep it secure.

Please read the policy carefully. By accessing or using this web site you are deemed to agree to the terms of this privacy policy, and if you do not agree with it, then you must not send us any personal information.

Please note that if you follow a link from this site to another site, this policy will no longer apply. We are not responsible for other sites’ information handling practices. Use of your information by the owner of the linked site will normally be governed by that site’s privacy policy, which we encourage you to read.

Further information about privacy and data protection issues, including the online Register of Data Controllers, can be found on the Information Commissioner’s website at https://ico.org.uk/.

2. Who we are

We are TextAnywhere a fully owned subsidiary of SRCL, a company registered in England and Wales with company registration number 03226910.

We are located at and our registered address is:

Indigo House
Sussex Avenue
Leeds
West Yorkshire
LS10 2LF
United Kingdom

If you have any queries about the information we hold on you, please contact us by email at customercare@textanywhere.net or by telephone on +44 (0) 8451 221 302.

We are entered in the Register of Data Controllers with registration number Z1250309.

3. How we collect information from you

3.1. By the use of “cookies”

3.1.1. A cookie is a small text file which is transferred from a website and stored on your computer, tablet, or smartphone. It enables a website to “remember” who you are.

3.1.2. Most browsers are automatically set to accept cookies but if you are using Microsoft’s Internet Explorer, Safari, Mozilla Firefox, and most other popular browsers, you should be able to configure your browser to restrict cookies or block all cookies if you wish.

3.1.3. We use cookies on the TextAnywhere website to collect information about how visitors use the website, and to collect standard analytics data to enhance the performance of our website. This is important to us as we want to improve the visitor journey when you browse our website and ensure that it is as user friendly as possible.

3.1.4. However, our cookies do not gather any personally identifying information such as a person's name or email address, and any information gathered by the use of cookies is compiled on an aggregate and anonymous basis.

3.1.5. The table below provides further details about the cookies which are currently in use on our static and application websites, and a description of the purpose of each of these cookies.

Cookie Purpose of the Cookie Intrusiveness to Client Expiry Will areas of the Website fail if I disable Cookies?
Necessary

ASP.NET_Session Id cookie
This cookie is necessary to provide essential services to the client as it maintains your page-by-page browsing, useful for your website experience as it remembers when you log in and maintains this logged in "session". Low End of session (when you have finished using the website) Yes
Essential

Google Analytics Tracking

This cookie collects information in an anonymous form, data including the number of visitors to the TextAnywhere websites, where visitors have come from and the pages they have visited during their session/time spent on the website.

These cookies are used to collect non-personal information about how visitors use the TextAnywhere website. We use the information to compile reports on usability for internal company use only, and so we can improve the website for our clients.

Low Visit the Privacy Policy of Google to find out further information about these cookies. No – but it is required for monitoring and improvement to TextAnywhere services
Optional

TextAnywhere

Remember My Email
This is an optional cookie collected when a user selects the "Remember my email" tick box on the login page of the TextAnywhere Application website. It is used as an optional time saving function for users. Low None No
Optional

Social Media Widgets
These cookies are used to allow users to login and use the social sharing widgets on many of our webpages. These include Twitter, Google+ and Linkedin. We also use a 3rd party plugin, AddThis, that further expands our social media sharing capabilities. Low More Info No

3.1.6 You can disable the cookies that we attach if your browser supports this. To check and update your cookie settings, you will need to know what browser you are using (Internet Explorer, Google Chrome, Firefox, Safari or any other) and what version of it you have. You can usually find this out by opening the browser, then clicking on 'Help' and then 'About'. This will give you information about the browser version you are using.

3.1.7 To find out how to manage cookies please refer to www.aboutcookies.org or your browser's help options for more information.

3.1.8 Please remember that if you amend your cookie settings your browsing experience may be negatively affected. You may be unable to use some of our online services.

3.2. By registration

3.2.1. We collect information about you that you provide when you register to use our services.

3.3. Through completion of online forms

3.3.1. We collect information about you if you complete any of the various forms on our site to contact us, make enquiries, order products and services, apply to open an account with us, and give us feedback.

3.3.2. We need you to give us certain information, which will be indicated on the form you are required to complete, in order to purchase items from us. It would help us if you give us any other information that you think will be relevant, but you are under no obligation to do so.

3.3.3. Through traffic data and site statistics. We do keep a record of traffic data which is logged automatically by our server, such as your IP address, the URL you visited before ours, the URL you visit after leaving our site, and which pages you visit.

3.3.4. We also collect some site statistics such as page hits and page views.

3.3.5. We are not readily able to identify any individual from traffic data or site statistics.

3.4. By you contacting us by other methods other than the website

3.4.1. The website provides our primary telephone number and email addresses for you to contact us. We will collect information from you that you provide through any of these methods.

3.4.2. We may also collect other information you supply to us after your initial contact with us.

4. Security and storage of information

4.1. We will keep your information secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage.

4.2. Please remember that normal Internet email is unsecure. We do, however, use secure connections when you open an account with us and when you access your account.

4.3. We will store your information at least for the duration of any client relationship we have with you, or as otherwise required by law (normally up to a maximum of 7 years for legal and tax reasons).

4.4. Our approach, responsibilities, and commitment to information security are set out in our Information Security policy.

5. What your information is used for

5.1. If you buy software or services from us, we will use your information to fulfil your order and to provide you with the software or service you have requested.

If you agree when you register with us or buy from us, we will also use your information for marketing purposes. If you do not want the information we hold on you to be used in this manner, you must contact us by email at customercare@textanywhere.net or telephone on +44 (0) 8451 221 302 and establish your preferences.

If you do not object, we will use the information we hold on you to contact you for feedback on your use of our software and/or services and/or website.

5.4. We may use aggregated data about users of our site, sales patterns and other statistical data to improve our site, but it will not be possible to identify individuals from that aggregated data.

6. With whom we may share your information

6.1. We will not share your information with any other organisation except in the following circumstances.

6.1.1. We will share your information with another organisation to which we transfer, or are in discussions to transfer, our rights and obligations under our agreement with you.

6.1.2. We may share your information with another organisation that buys our company or our assets, or with another organisation from which we acquire a company or business, and in the course of any preceding negotiations with that organisation, which may or may not lead to a sale.

6.1.3. We may share your information with our funders or potential funders, such as our bank and with our professional advisers who have a reasonable need to see it.

6.1.4. We will disclose your information to enforcement authorities if asked to do so, or to a third party in the context of actual or threatened legal proceedings or if otherwise required to do so by law.

7.1 Your rights

7.1. You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

7.2. You also have a right to be removed from any mailing list we hold at any time, but you must first contact us email at customercare@textanywhere.net or telephone on +44 (0) 8451 221 302.

7.3. You have a right to see a copy of the information we hold about you on payment of a statutory fee, which is currently £10. Before we agree to this, you must provide us with sufficient evidence of your identity and sufficient details of the information you wish to see to enable us to locate it.

8. Summary

Our Privacy Policy has the full support TextAnywhere senior management who regularly reviews this policy to ensure it is properly implemented.


Section B – Data Processing Addendum

Data Processing Addendum to TextAnywhere’s standard Terms and conditions ("Agreement") between SRCL Limited trading as TextAnywhere (“Processor”) and the client, (“Controller”) (each a “Party”, together the “Parties”).

BACKGROUND

  1. The Processor agreed to provide the Controller with services as further specified in the Agreement and Annex 1 to this DPA (the “Services”) and to implement the technical and organizational measures further specified in Annex 2 to this DPA; and
  2. In providing the Services, the Processor may from time to time be provided with, or have access to, information of the Controller which may qualify as personal data within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other applicable data protection laws and provisions.

In order to enable the Parties to carry out their relationship in a manner that is compliant with law, the Parties have entered into this DPA as follows:

  1. Terminology

    For the purposes of this DPA, the terminology and definitions as used by the GDPR shall apply. Further definitions are provided throughout this DPA.
  2. Responsibilities of the Controller
    1. The Controller confirms that, in respect of the processing to be carried out under this DPA, the technical and organisational measures of the Processor, as set out in Annex 2, are appropriate and sufficient to protect the rights of the data subject.
    2. The Controller confirms that the processing to be carried out under this DPA is lawful according to Art. 6 GDPR and that data subjects were informed sufficiently.
    3. The Controller warrants that all personal data provided to the Processor for its performance of the Services by the Controller has been and shall be processed (including its disclosure to Processor) by the Controller in accordance with GDPR and other applicable data protection laws at all times.
  3. Instructions
    1. The Processor shall process the personal data only on behalf of the Controller and in accordance with the documented instructions given by the Controller, unless prohibited by law applicable to the Processor; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless such notification is prohibited by applicable law.
    2. The Controller's instructions are provided in this DPA and the Agreement. Any further instructions that go beyond the instructions contained in this DPA or the Agreement shall not be effective unless recorded in an amendment to this DPA or the Agreement.
    3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection provisions. In such case, the Processor is not obliged to follow the instruction until the Controller has confirmed or changed it in a way addressing the infringement.
  4. Obligations and rights of the Processor
    1. The Processor shall ensure that persons authorised by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any other processors engaged by the Processor, are subject to a binding obligation of confidentiality and that such persons process any personal data to which they have access in the context of performing the Services in compliance with the Controller's instructions.
    2. The Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those set out in Annex 2.
    3. The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations of the Processor relating to information security as required by applicable data protection law and by this DPA as applicable to the Services. The Processor shall in particular allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the Controller or an auditor mandated by the Controller. The extent of the Processor’s obligation to assist with such audits shall be proportionate to the nature and purpose of the processing and subject to reasonable prior notice by the Controller.
    4. The Processor shall notify the Controller without undue delay of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed under this DPA ("Personal Data Breach"). The Processor will assist the Controller with the Controller's obligation under applicable data protection law to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor.
    5. The Processor shall provide reasonable assistance to the Controller with its obligation to carry out a data protection impact assessment and prior consultation with the supervisory authorities that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller.
    6. The Processor shall, at the option of the Controller, delete or return to the Controller all personal data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of the Services, and delete any existing copies unless applicable law requires the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the destruction of personal data in the proper performance of the Services.
    7. The Processor shall designate a data protection officer and/or a representative, to the extent required by applicable data protection law. The Processor shall provide contact details of the data protection officer and/or representative, if any, to the Controller.
  5. Data subject rights
    1. Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller, including through appropriate technical and organisational measures, with the fulfilment of the Controller's obligation to comply with the rights of the data subjects and respond to data subjects' requests relating to their rights of (i) access, (ii) rectification, (iii) erasure, (iv) restriction of processing, (v) data portability, and (vi) objection to the processing.
    2. The Controller shall determine whether or not a data subject has a right to exercise any such data subject rights and give instructions to the Processor to what extent the assistance is required.
  6. Subprocessing
    1. The Processor shall not engage another processor without prior authorisation of the Controller.
    2. The Processor shall enter into a written contract with another processor (“Subprocessing Agreement”) and such Subprocessing Agreement shall (i) impose upon the other processor the same obligations as imposed by this DPA upon the Processor, to the extent applicable to the subcontracted part of the Services, (ii) describe the subcontracted part of the Services, and (iii) describe the technical and organizational measures the other processor has to implement pursuant to Annex 2, as applicable to the subcontracted part of the Services.
    3. Where the other processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the other processor's obligations.
    4. In case any other processor is located outside the EU/EEA in a country that is not recognized as providing an adequate level of data protection, the Processor will (i) take reasonable measures to enable the Controller and the other processor to enter into a direct data processing agreement based on EU Model Clauses (Controller to Processor), or (ii) provide the Controller with information on the other processor's certification under the Privacy Shield program and regularly, at least annually, re-confirm that the other processor's certification under the Privacy Shield program is still valid, or (iii) provide the Controller with other information and relevant documentation on the mechanism for international data transfers pursuant to Art. 46 GDPR that is used to lawfully disclose the Controller's personal data to the other processor.
  7. Term and termination

    The term of this DPA is identical to the term of the Agreement (inclusive of any renewals or extensions). Save as otherwise specified herein, termination rights and requirements shall be the same as those set out in the Agreement.
  8. Liability and indemnification
    1. Each Party’s liability for government/authority fines and penalties and any other loss or expense whatsoever (whether direct or indirect) incurred by the other Party for failure to comply with the requirements of any laws or regulations that affect the other Party, to the extent such failure was caused by the Party’s breach of the terms of this DPA, shall be subject to and limited by the limitations of liability contained in the Agreement.
    2. The limitation of liability set out in clause 8 (a) above shall not apply in case of a Party’s liability for intentional or willful default and any mandatory statutory liability imposed on that Party.
    3. Subject to clause 8 (a) and clause 8 (b) above, each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any material breach of this DPA by the indemnifying Party.
  9. Miscellaneous
    1. Each Party shall comply with its obligations under the GDPR and under any other applicable data protection laws.
    2. This DPA shall be governed by the same law as the Agreement except as otherwise stipulated by applicable data protection law. The place of jurisdiction for all disputes regarding this DPA shall be as determined by the Agreement except as otherwise stipulated by applicable data protection law.
    3. In the event of conflict between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA shall prevail with regard to the Parties' data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties' data protection obligations, the relevant provisions of this DPA shall prevail.
    4. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or – should this not be possible – (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.
    5. Each Party has the right to request changes to this DPA to the extent required to satisfy any applicable and mandatory findings, guidance or orders issued by competent European Union or EU Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors under the national laws applicable and binding to the Controller. The Party receiving such a request shall not unreasonably delay or withhold its agreement.

Section C - Annex 1 to the DPA – Description of the processing activities

  1. Categories of data subjects

    The personal data processed concern the following categories of data subjects:
    • TextAnywhere customers
    • TextAnywhere prospective customers
    • Employees/contacts of the above
    • Any person identifiable from the content of a text message, e.g. the recipient
  2. Subject-matter of the processing

    The subject-matter of the processing is described in the Agreement. The services that process data are set out in Annex 2.
  3. Nature and purpose of the processing

    The nature and purpose of the processing is described in the Agreement. Essentially the processing enables customers to send messages using TextAnywhere products.
  4. Type of personal data

    The personal data processed by the Processor on behalf of the Controller is determined by the customer who creates the content of the message and chooses its recipient(s). All categories of personal data may therefore be contained in a message.
  5. 5. Special categories of data (if appropriate)

    The personal data processed by the Processor on behalf of the Controller is determined by the customer who creates the content of the message and chooses its recipient(s). Special categories of personal data may therefore be contained in a message.

    A summary of the processing pathway is set out in the diagram overleaf.

TextAnywhere Data Processing Pathway

Client = data controller
Client can send and receive data by:-
Online application
Email to SMS/SMS to email
API

Outbound (MT) SMS

Inbound (MO) SMS

Client = data controller
TextAnywhere processes and holds data on servers at Rackspace UK. Including:-
Receiving/sending mobile number
SMS message content
If used, TextAnywhere holds client online address book data (First/Last Name, mobile number).

Outbound (MT) SMS

Inbound (MO) SMS

SMSCs (SMS aggregators). TextAnywhere engages with SMSCs who provide connections to the mobile Networks.

Outbound (MT) SMS

Inbound (MO) SMS

Mobile Networks.

Outbound (MT) SMS

Inbound (MO) SMS

Mobile Handset

Annex 2 to the DPA – Description of the technical and organizational measures implemented by Processor in accordance with applicable data protection law:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement the following technical and organizational measures to ensure a level of security appropriate to the risks for the rights and freedoms of natural persons. In assessing the appropriate level of security the Controller and the Processor took account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

  1. Purpose and scope of Document

    To detail the technical and organisational measures undertaken by TextAnywhere (as a Stericycle Group company) to ensure a level of security is provided in its service delivery that is appropriate to the risks represented by the processing and the nature of the personal data being processed, as required by Article 32(1) of the General Data Protection Regulation (GDPR).

    Security is a set of preventive measures taken to guard against risk and this document describes those measures.

    Failure to comply with the requirements of this procedure may result in investigation and subsequent formal action in line with the Company’s Capability and Disciplinary procedures.

    This Document should be read in conjunction with Stericycle policies on data protection which can be found on Stericycle’s website.

  2. Policy Statement

    Stericycle protects the company’s assets from all threats, whether internal or external, deliberate or accidental.

    Stericycle will meet all applicable legal, regulatory and contractual requirements and duties of care.

    Stericycle is committed to the key principles of GDPR, namely that personal data are:

    • processed lawfully, fairly and in a transparent manner in relation to individuals;
    • collected and processed for specified, explicit and legitimate purposes;
    • adequate, relevant and limited to what is necessary for the processing;
    • accurate and, where necessary, kept up to date;
    • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing (subject to limited exceptions); and
    • processed in a manner that ensures the security of the personal data, using appropriate technical or organisational measures.

    In particular, it is the policy of Stericycle and TextAnywhere to ensure that:

    • Company and client data are protected against unauthorised access
    • Confidentiality of information is assured
    • Integrity of information is maintained
    • Regulatory, legislative and contractual requirements are met
    • All staff are familiar with security measures, procedures and standards i.e. aware and conscious of security, potential risks to security, and the value of information.
    • Security standards and procedures are used, including the use of passwords and virus control.
    • All parties cooperate with each other to prevent or respond quickly to breaches of security i.e. all breaches of security, actual or suspected are reported, investigated and recorded.
    • There is general agreement about what is appropriate in terms of security and who is responsible for their implementation.
    • Technical and organisational security measures are clear and explained to all employees.
  3. Company Overview

    TextAnywhere was founded in 2003 with the aim of providing first class, secure text messaging systems; in 2013 TextAnywhere was acquired by Stericycle and currently forms part of the Stericycle Communications Solutions Group.

  4. Description of services / products provided / How we work with you

    TextAnywhere provides software and services that deliver 2-Way Electronic Communications to Customers.

    TextAnywhere offers the following suite of products enabling the transmission and receipt of SMS messaging:-

    • TextOnline – send and receive messages online
    • TextCampaign – send bulk messages on line
    • TextSurvey – SMS based online surveys
    • TextMail – send and receive SMS by email
    • Developer – build or integrate an SMS function using an API
    • Inbound services – run virtual long numbers or shortcodes
    • SMS Alerts – convert emails to SMS
    • Partner programs – White label text services and reseller accounts
  5. Accreditations and Memberships

    TextAnywhere has been awarded the following BSI ISO accreditations:-

    • ISO 9001: 2015 – This Quality Management certification enables TextAnywhere to demonstrate our commitment to service quality and customer satisfaction. Customers can be assured that we are continually improving our quality management system.
    • ISO 14001:2015 – The environmental management certification demonstrates TextAnywhere’s commitment to the environment. The standard provides guidelines on how manage the environmental aspects of our business activities more effectively.
    • ISO 27001:2013 –The information Security certification enables TextAnywhere’s commitment to managing information safely and securely.
    • ICO Registered – We are registered with the ICO (Registration number: Z1250309) and follow the guidelines provided by the ICO on what our obligations are and how to comply with these including protecting personal information and providing access to official information.
    • Certificates can be viewed at http://www.textanywhere.net/accreditations.aspx
  6. Responsibilities

    Managing Director / VP International

    The Managing Director / VP International endorses and actively supports this Document and e security policy. The Managing Director / VP International ensures that appropriate systems security measures are implemented and adhered to and those individual responsibilities are taken seriously at every level of the organisation.

    IT Director

    The IT Director has direct responsibility for maintaining the Data Security Policy. This includes:

    • Developing, implementing and periodically reviewing security policies and procedures
    • Providing technical advice and guidance on all aspects of Data Security Policy, including legislation, standards, practice and contractual obligations affecting data security
    • Ensuring the administration of security access controls
    • Reviewing Data Security at regular intervals to ensure compliance with the data security policy, procedures and best practice
    • Assessing new security risks as technology and systems change
    • Taking reasonable steps to ensure the reliability of staff members e.g. obtaining references from previous employers
    • Ensuring that only authorised individuals have access to services and information
    • Approving access to secure or sensitive data
    • Requiring third party data processors to contractually comply with the obligations imposed on Stericycle TextAnywhere by the Data Protection Act

    Quality and Compliance Director

    As part of Stericycle TextAnywhere investment in Data Security and Data protection, we have recently introduced the Quality and Compliance Director role, which amongst others, has the responsibility to ensure:

    • Compliance to ISO 9001:2015
    • Reviewing additional certifications required for the business.
    • Providing a framework to conduct Corrective and Preventative action investigations.
    • Providing guidance and supporting corporate with the implementation of the GDPR framework and other compliance initiatives.

    Line managers

    • The implementation of the Data Security Policy within their areas of business and for the adherence to the Policy, standards and procedures by their staff
    • Ensuring that their staff are familiar with the Data Security policy, and their individual responsibilities
    • Ensuring that user access is restricted to what is necessary
    • Ensuring that individual userids are suspended when staff members leave
    • Ensuring that all staff are broadly familiar with the relevant sections of legislation
    • Ensuring that adequate and reliable service restoration plans are available to deal with emergencies, disasters and other incidents to ensure continued availability of IT resources

    All employees

    • Be knowledgeable and informed about security practices and procedures.
    • Be aware of their responsibilities and accountability with regard to security and understand the consequences of abusing their access privileges.
    • Use data and IT equipment in a manner that ensures security of the same.
    • Comply with all legal and contractual requirements that apply to the data that they have access to.
    • Not disclose their passwords to anyone.
    • Not use another individual’s userid and password.
    • Ensure that IT equipment and company premises are protected against physical damage, loss, theft or abuse.
    • Ensure that contractual requirements relating to security are complied with.
    • Call to the attention of a line manager, or the IT director those whom they feel are violating the Data Security Policy. Every effort will be made to ensure anonymity.
    • Report to the systems department, flaws observed in the system or technology.
    • Refrain from exploiting any lapses in security.
    • Be aware that users with access to electronic mail and the Internet can put a strain on data links by downloading large files or attachments.

    TextAnywhere maintains a legal register and, amongst others, recognises and complies with the following legislation:-

    • Data Protection Act (1998) to be superseded with the General Data Protection requirement.
    • Data Protection (Processing of Sensitive Personal Data) Order 2000
    • Copyright, Designs and Patents Act (1988)
    • Computer Misuse Act (1990)
    • Health and Safety at Work Act (1974)
    • Human Rights Act (1998)
    • Regulation of Investigatory Powers Act 2000
    • Freedom of Information Act 2000
  7. Security Awareness / Training

    All TextAnywhere staff receive security training on induction and are contracted to adhere to Stericycle information security policies.

    Security refresher training is performed at least annually.

  8. Risk & Opportunities

    TextAnywhere maintains a risk register which is regularly reviewed by the management team. Any identified risks are mitigated and opportunities for improvement are effected.

  9. Sub-Processors / Third Parties

    TextAnywhere does not directly sub-contract data processing.

    In order to send text messages, TextAnywhere engages with aggregator partners for final delivery and receipt of the text messages. An aggregator acts as an intermediary between companies that want to interact with end users (through their mobile phones) and mobile operators. They provide a ‘gateway’ through which the text message is forwarded to the correct network. TextAnywhere uses multiple aggregators which may vary over time. Further details of the aggregators used by TextAnywhere can be obtained on request by contacting us at customercare@textanywhere.net.

    Where a third party carries out data processing of personal data for Stericycle TextAnywhere, we will ensure that:

    • There is a data processing agreement in place between Stericycle and the relevant 3rd party which details the nature and purpose of processing and meets the requirements for data processing as set out in GDPR.
    • That appropriate technical and organisational measures are in place to protect the data.
    • That the third party is contractually obliged to process data only under instructions from Stericycle TextAnywhere.
    • That the third party is obliged to comply with Stericycle TextAnywhere obligations under GDPR.

    Any third parties that TextAnywhere engages with in the performance of our services are subject to due diligence and annual audits including:-

    • Restrictions on copying and disclosing data
    • Ownership of software and data
    • Return or destruction of data
    • Measures to protect against viruses /other malicious software

    TextAnywhere does not transfer data outside of the EEA. Note however that a customer may choose to send a text message outside the EEA in which case it will be subject to third party aggregation and transmission via the normal telephony network.

  10. Information Security

    Back Ups and Retention Periods

    TextAnywhere takes daily back-ups all client data held on a rolling five day basis. Backups are stored securely at Rackspace UK.

    Sent and received SMS data (mobile numbers and message content is deleted after 365 days. Online address book data (first/last name and mobile numbers) is held indefinitely until/unless the client deletes this or requests TextAnywhere to do so.

    Business Continuity Plan

    TextAnywhere maintains a Business Continuity Plan in accordance our ISO 27001 accreditation requirements. The BCP is reviewed at least annually.

    Viruses and other Malicious Software

    TextAnywhere runs and keeps up to date anti-virus software.

    TextAnywhere runs a monthly patching program in line with industry standards.

  11. Resilience

    TextAnywhere runs internal monitoring systems to ensure system availability.

    TextAnywhere works on multiple mirrored systems and partners to ensure system continuity.

    TextAnywhere ensures that all system changes are subject to test and review before being made available in the live customer environment.

  12. Access Control

    System access is controlled by VPN.

    Staff access to data is on a need-to-know basis, all staff have unique Userids and passwords, access is controlled by an audited rights system.

    TextAnywhere data and systems are hosted at Rackspace UK. Physical Security is strictly controlled in line with Rackspace policies.

  13. Data

    Data is processed only in accordance with TextAnywhere’s contractual obligations for the purpose of transmitting and receiving text messages. TextAnywhere does not share this data with any third parties for any reason beyond processing messages unless required to by law.

    TextAnywhere does not allow the storage of data on any removable devices.

    Personal data processed by TextAnywhere for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

    Message data is available for client download through the online account for up to 60 days before secure segregation.

    Message data outbound and inbound, including the mobile number and message body, is retained in total for 365 days before permanent electronic deletion.

    Address book data, if used, including First Name, Last Name and mobile number is retained indefinitely until deleted by the client through the online tools or requests TextAnywhere to do so.

  14. Data Security Incidents

    TextAnywhere has a fully documented data security incident which includes:-

    • Reporting procedures
    • Incident reporting portal
    • Defined escalation procedures
    • Procedures audited in line with ISO 27001 requirements.
  15. Confidentiality

    TextAnywhere undertakes not to use, nor disclose to any unauthorised person, any confidential information relating to or received from our Clients for any reason unless expressly authorised by the Client, or required by law.

    We understand that the use and disclosure of all information about living, identifiable individuals is governed by the Data Protection Act and we will not use or disclose any personal data acquired for any purpose that beyond the purposes of processing text messages in accordance with the Client’s requirements.

    We understand that we are required to keep all confidential and personal data securely, and undertake to follow all relevant procedures in doing so.

Legal requirements are reviewed as part of our quality management systems and ISO 9001, ISO 27001 accreditation.

Take a free trial today

No hidden charges for replies, support or features. Just pay for the services you use.

Hosting provided by RackSpace
TextAnywhere is a PCI DSS Level 4 Compliant company
TextAnywhere is a Carbon Neutral company
Verisign Protected
Back to Top