Security and Data Protection
Tender and RFI Information
This page provides a high‑level summary of security and data protection practices for the Paperwork platform.
Security principles
Dsposal’s security approach is founded on:
- Least privilege
- Separation of concerns
- Defence in depth
- Secure‑by‑default design
Identity and access management
- Authentication: Provided by Clerk
- Authorisation: Role‑based access controls within Paperwork
- Session management: Appropriate timeouts and validation
- Administrative access: Restricted to authorised Dsposal personnel
Data protection controls
- Encryption in transit: TLS (HTTPS)
- Encryption at rest: Azure‑managed encryption
- Data segregation: Logical separation of customer data
- Backups: Regular automated backups
Secure development practices
- Controlled releases with pre‑deployment testing
- Vulnerability and dependency management
- Configuration tracking and review
- Managed change processes
Logging and audit
- Security‑relevant events logged
- Administrative actions traceable
- Log retention managed in line with operational requirements
Incident handling
- Documented internal procedures for triage, containment, and remediation
- Customer communication follows legal and contractual obligations
- Post‑incident review informs improvements
Data protection and GDPR
Dsposal processes data in accordance with:
- UK GDPR
- Data Protection Act 2018
Data categories
Paperwork typically processes:
- User account data
- Business contact data
- Waste and compliance records
Data subject rights
Paperwork supports:
- Data export and portability
- Deletion following contract termination
- Assistance with data subject requests
Customer data is deleted within 30 days of contract termination unless otherwise agreed.
Subprocessors
Paperwork uses the following subprocessors:
- Microsoft Azure — cloud infrastructure (UK)
- Clerk — authentication and identity management
- SendGrid — transactional email delivery
- Cloudflare — content delivery and edge security
- Metabase — analytics and reporting (hosted within Azure)
A current subprocessor list is maintained as part of the Data Processing Agreement.