Legal

Overview
At The Messaging Centre (TMC) security of client data is taken very seriously. The following security policy outlines the features and procedures that TMC have  implemented to protect your clients and data.
This document may be updated at any time – Please contact TMC customer services for the latest details and to confirm any specific requirements.

Physical location security
All TMC offices are secured with 5 Lever locks, window locks and window bars (where necessary). Any confidential data is stored using encryption and can only be decrypted at a separate secure location.

All third party data centres are required to have a high standard of security and monitoring including constant 24 hour staff, secure access to both the building and server/sensitive areas.

Gateway providers must provide suitable security standards to ensure compliance with TMC data security before they are accepted by TMC.

Service Providers internal security (TMC access)
The following details the policy required of any third party Service providers before they are accepted for use within the TMC system.

1. Service providers do not have direct access to TMC servers (secured using Operating System password security and overseen by contracts).
2. Any data stored using automated backup systems must be encrypted using encryption and stored in a secure location.
3. Servers must be securely stored in locked server racks.
4. Physical access to servers is restricted to staff that have been security vetted.

TMC Customer Service Operators and Administrators security
The following details the policy for all TMC Customer Services Operators, Administrators and Staff.

1. Access to live systems and backend data is restricted to the senior developer.
2. No confidential details are relayed to clients during telephone communications.
3. All members of staff are required to use long passwords.
4. Access to client mobile numbers are only available to senior or key staff.
5. TMC Staff are allocated one of 3 levels to ensure client data privacy:
   1. Level one access = Standard users.
   2. Level two access = accountant
   3. Level three access = super user
   4. Level four = extra super user

Details on these levels are available on request.

6. Users at Level 2 and above are forced to change their password monthly.
7. Where a TMC staff member accesses or changes an account this is logged with details of the staff member and what activities were performed.
8. All paper documents and portable storage (CD/DVD etc) are stored in locked filing cabinets and shredded / formatted / destroyed when no longer required.
9. The user security policy below also applies to TMC staff.

Clients and Users Security

The following details the policy for all clients and their defined users of the TMC system.

1. Users are allocated one of 3 levels:
   1. Controller – Account setup and overall management
   2. Administrator – Manage users and features
   3. User – Basic access to system, sending messages, adding recipients.

      More specific details are available on request.

2. Access to the system is via a username and password.
3. Administrators and Controllers must enter a second password to facilitate access to backend control areas and reports.
4. When using the web based system, the user session will automatically time out after 20 minutes of inactivity.
5. Users are encouraged to use a password, minimum of 8 characters mixing numbers and letters (e.g. P4s5W0rD)
6. Each client must specify an account controller who oversees the administration of the account and can control their package.
7. The client can allocate a hierarchy of user levels and permissions, to restrict the access of their staff and other defined users of their account. Users can be restricted from administrative tasks (such as creating users, accessing reports, message limits, viewing mobile numbers etc)
8. Users can choose to use the “Remember” option, Outlook plug-in or Desktop alerts system to automatically access the system without following the login process for future access. Use of this feature is the user’s responsibility and they should ensure it is not used in a shared or unsecured environment (such as a public computer).
9. Users are allowed 5 attempts to access their account. After 5 incorrect attempts the account is locked. The account can be unlocked by the company controller or TMC Staff.
10. Administrators are notified of password changes and access failures for all access levels (after five attempts).
11. Logs record all user activities including login, actions, changes and messages.
12. Controllers and Administrators receive notifications of new users and new password requests
13. When integrating TMC with third party systems security is the responsibility of the relevant developer, please refer to the TMC API integration guide for more details.

TMC Database, networking and application security

The following details the policy for all TMC developers, system administrators and technical staff.

1. Access to live systems is only by the TMC senior developer.
2. Overall system administrator also retains access codes to all systems as a backup.
3. All remote access to servers is logged, monitored and checked.
4. No copies of database except by signed agreement or encrypted back up to secure facility.
5. Logs are retained of manual system access with details of who accessed the system, what was done and why.
6. Server and database passwords are reset on a monthly basis.
7. All client passwords are stored as an encoded hash so that the plaintext password is only accessible to the owning user.
8. All systems and code is tested by the project team and then by a separate independent testing team to check for security vulnerabilities and back doors.
9. Data is backed up to encrypted files stored in several secure locations to ensure disaster recovery.