Terms & Conditions

Effective date: February 14, 2020
Last edited: September 26, 2023

Please read these Terms and Conditions carefully before registering for a chargeable subscription for the Services offered on this website operated by Appraise Me Limited, company number 10098246, registered address 3 Totman Crescent, Rayleigh, Essex, England, SS6 7UY, VAT number 250 6719 09.  

By registering and completing the online Order Form for a chargeable subscription for the Services at www.credentially.io and clicking on the accept buttons relating to our Terms and Conditions, DPA and Privacy Policy, you the Customer agree to be legally bound by these Terms and Conditions, DPA and Privacy Policy, as they may be modified and posted on our website from time to time. In the event of any inconsistency between the content of the Terms and Conditions, DPA and Privacy Policy, the Terms and Conditions shall prevail followed by the terms of the DPA and then the Privacy Policy.  

If you do not wish to be bound by these Terms and Conditions, DPA and Privacy Policy then you may not purchase our Services.  

1. Definitions  

In this Agreement, the following words shall have the following meanings:  

“Agreement” means these Terms and Conditions, Order Form, DPA and Privacy Policy together;  

“Authorised Users” means employees, agents, consultants or independent contractors of the Customer who have been expressly authorised by the Customer to receive a password in order to access the Services online;  

“Company” means [Appraise Me Limited];  

“Confidential Information” means any and all information in whatsoever form relating to the Company or the Customer, or the business, prospective business, finances, technical processes, computer software (both source code and object code), Intellectual Property Rights or finances of the Company or the Customer (as the case may be), or compilations of two or more items of such information, whether or not each individual item is in itself confidential, which comes into a party’s Company’s possession by virtue of its entry into this Agreement or provision of the Services, and which the party regards, or could reasonably be expected to regard, as confidential and any and all information which has been or may be derived or obtained from any such information;  

Credentially is a trading name of Appraise Me Ltd is a limited liability company registered in England and Wales with registered number 10098246. A list of the members is open to inspection at its registered office, 3 Totman Crescent, Rayleigh, Essex, England, SS6 7UY. This document is confidential and may contain information that is privileged. If you are not the named recipient, or responsible for delivering the message to the named recipient, you must not use this document or its attachments in any manner. If you have received this document in error, please inform the sender and immediately delete this message. Our Privacy Policy explains our commitment to respecting data protection laws. You can read the full text about your rights as a data subject and our data privacy statement on our website at Credentially.io/terms-policies/privacy-policy

“Consequential Loss” means pure economic loss, special loss, losses incurred by any Client or other third party, losses arising from business interruption, loss of business revenue, goodwill or anticipated savings, losses whether or not occurring in the normal course of business, costs of procuring substitute goods or product(s) or wasted management or staff time;  

“Customer Data” means all data imported into the Services for the purpose of using the Services or facilitating the Customer’s use of the Services;  

“Customer” means the company or person named in the Order Form;  

“Data Protection Legislation” means all applicable data protection and privacy legislation, regulations and guidance including Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), Directive (EU) 2016/680 (“the Law Enforcement Directive”, or “LED”), and the Privacy and Electronic Communications (EC Directive) Regulations, Data Protection Act 2018 and any guidance or codes of practice issued by any Regulator from time to time (all as amended, updated or re-enacted from time to time);

“DPA” means the DPA published at https://www.credentially.io/terms-policies/dpa as amended from time to time;

“Effective Date” means the effective date set out in the Order Form;  

“Feedback” means feedback, innovations or suggestions created by Authorised Users or Clients regarding the attributes, performance or features of the Services;  

“Fees” means the fees set out in the Order Form;  

“Force Majeure” means anything outside the reasonable control of a party, including but not limited to, acts of God, fire, storm, flood, earthquake, explosion, accident, acts of the public enemy, war, rebellion, insurrection, sabotage, epidemic, quarantine restriction, labour dispute, labour shortage, power shortage, including without limitation where Company ceases to be entitled to access the Internet for whatever reason, server crashes, deletion, corruption, loss or removal of data, transportation embargo, failure or delay in transportation, any act or omission (including laws, regulations, disapprovals or failures to approve) of any government or government agency;  

“Initial Term” means the initial term set out in the Order Form;  

“Intellectual Property Rights” means all copyrights, patents, utility models, trademarks, service marks, registered designs, moral rights, design rights (whether registered or unregistered), technical information, know-how, database rights, semiconductor topography rights, business names and logos, computer data, generic rights, proprietary information rights and all other similar proprietary rights (and all applications and rights to apply for registration or protection of any of the foregoing) as may exist anywhere in the world;  

“Order Form” means the order form completed by the Customer for the purchase of the Services;  

“Privacy Policy” means the privacy policy published at www.credentially.io/terms-policies/privacy-policy as amended from time to time;  

“Renewal Term” means the renewal term set out in the Order Form;  

“Services” means the software applications services of the Company, ordered by the Customer and set out in the Order Form which are made available to the Customer in accordance with the terms of this Agreement and including any computer software programmes and, if appropriate, Updates thereto;  

“Term” means the Initial Term plus any Renewal Terms together;  

“Terms and Conditions” means these terms and conditions published at www.credentially.io/terms-policies/terms-and-conditions as amended from time to time;  

“Updates” means any new or updated applications services or tools (including any computer software programmes) made available by the Company as part of the Services.  

2. Services  

2.1 The Customer engages the Company and the Company agrees to provide the Services to the Customer in accordance with the terms of this Agreement from the Effective Date for the Term.  

3. Licence to use the Services

3.1 Subject to the Customer’s payment of the Fees, the Customer is granted a non-exclusive and non-transferable licence to permit Authorised Users and clients to use the Services (including any associated software, Intellectual Property Rights and Confidential Information of the Company) from the Effective Date during the Term for the Customer’s internal business operations. Such licence permits the Customer information necessary for the Customer to receive the Services via the Internet. Where open source software is used as part of the Services, such software use by the Customer will be subject to the terms of the open source licences. No additional implied rights are granted beyond those specifically mentioned in this clause 3.1.  

3.2 Nothing in this Agreement shall be construed to mean, by inference or otherwise, that the Customer has any right to obtain source code for the software comprised within the Services. Disassembly, decompilation or reverse engineering and other source code derivation of the software comprised within the Services is prohibited. To the extent that the Customer is granted the right by law to decompile such software in order to obtain information necessary to render the Services interoperable with other software (and upon written request by the Customer identifying relevant details of the Services(s) with which interoperability is sought and the nature of the information needed), the Company will provide access to an API, or relevant source code or information. The Company has the right to impose reasonable conditions including but not limited to the imposition of a reasonable fee for providing such access and information.  

3.3 Unless otherwise specified in this Agreement, the Services are provided and may be used solely by the Customer and its Authorised Users or Clients as part of the Customer’s website/desktop architecture to scan the Customer’s own networks and systems. The Customer may not: (i) lease, loan, resell, assign, licence, distribute or otherwise permit access to the Services; or (ii) use the Services to provide ancillary services related to the Services; or (iii) except as permitted in this Agreement, permit access to or use of the Services by or on behalf of any third party.  

4. Intellectual Property Rights  

4.1 All Intellectual Property Rights and title to the Services (save to the extent these incorporate any Customer Data, Customer Intellectual Property Rights or third party owned item) shall remain with the Company and/or its licensors and subcontractors. No interest or ownership in the Services, the Intellectual Property Rights or otherwise is transferred to the Customer under this Agreement. No right to modify, adapt, or translate the Services or create derivative works from the Services is granted to the Customer. Nothing in this Agreement shall be construed to mean, by inference or otherwise, that the Customer has any right to obtain source code for the software comprised within the Services.  

4.2 The Customer shall retain sole ownership of all rights, title and interest in and to Customer Data and its pre-existing Intellectual Property Rights and shall have the sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. The Customer grants the Company a non-exclusive licence to use Customer Data, Customer Intellectual Property Rights and any third party owned item from the Effective Date for the Term to the extent required for the provision of the Services.  

4.3 The Customer is not allowed to remove any proprietary marks or copyright notices from the Services.  

4.4 The Customer grants the Company a non-exclusive, non-transferable, revocable licence to display the Customer’s name, logo and trademarks, as designated and/or amended by the Customer from time to time and as required in the creation of correspondence, documentation and website front ends in the provision of the Services.  

4.5 The Customer assigns all rights, title and interest in any Feedback to the Company. If for any reason such assignment is ineffective, the Customer shall grant the Company a non-exclusive, perpetual, irrevocable, royalty-free, worldwide right and licence to use, reproduce, disclose, sub-licence, distribute, modify and exploit such Feedback without restriction.  

4.6 The Company may take and maintain technical precautions to protect the Services from improper or unauthorised use, distribution or copying.  

5. Term  

5.1 This Agreement shall commence on the Effective Date for the Initial Term. At the expiry of the Initial Term, this Agreement will automatically renew for Renewal Terms and continue until either party terminates the Agreement by giving the other at least 90 days’ notice in writing prior to a Renewal Term. Neither party may terminate the Agreement without cause during the Initial Term.  

6. Fees and Invoicing  

6.1 The Company shall invoice the Customer the Fees set out in the Order Form. All invoices shall be issued in the currency stated in the Order Form. All Fees exclude any Value Added Tax legally payable on the date of the invoice, which shall be paid by the Customer in addition, where applicable.  

6.2 Fees remain fixed for the Initial Term of the Agreement. After the Initial Term, the Company may on each subsequent anniversary of the Effective Date, increase the full (non-discounted) fees by no more than 2% above the UK Retail Price Index.  

6.3 The Customer undertakes that all details provided for the purpose of obtaining the Services will be correct and that any credit card details used are its own and that there are sufficient funds or credit facilities to cover the Fees.  

7. Payment  

7.1 In consideration of the provision of the Services by the Company, the Customer shall pay to the Company the Fees.  

7.2 Unless stated otherwise in the Order Form, payment of all Fees is due within 30 days of the date of properly rendered, undisputed invoices and shall be without prejudice to any claims or rights which the Customer may have against the Company. If the Customer believes that any invoice is incorrect, it must notify the Company in writing within 30 days of the invoice date.  

7.3 Where payment of any Fee is not received within 30 days of the due payment date, the Company may, without liability to the Customer, disable the Customer’s password, account and access to all or part of the Services and the Company shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remains unpaid. The Company shall be entitled to charge interest on overdue Fees at the applicable statutory rate  

7.4 The Company reserves the right to recover any costs and reasonable legal fees it incurs in recovering overdue payments.  

8. Confidential Information  

8.1 Each party may use the Confidential Information of a disclosing party only for the purposes of this Agreement. Each party must keep confidential all Confidential Information disclosed to it, except where the recipient of Confidential Information is required to disclose the Confidential Information by law to any regulatory, governmental or other authority with relevant powers to which either party is subject.  

8.2 Either party may disclose the Confidential Information of the other party to those of its employees and agents who have a need to know the Confidential Information for the purposes of this Agreement but only if the employee or agent is bound by confidentiality undertakings equivalent to those set out in this Agreement.  

8.3 Both parties agree to destroy or return all documents and other materials containing Confidential Information immediately upon completion of the Services or termination or expiry of this Agreement.  

8.4 The obligations of confidentiality under this Agreement do not extend to information that: (i) was rightfully in the possession of the receiving party before the negotiations leading to this Agreement; (ii) is, or after the Effective Date, becomes public knowledge (otherwise than as a result of a breach of this Agreement); or (iii) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (iv) is independently developed by the receiving party, which independent development can be shown by written evidence; or (v) is required by law to be disclosed.  

8.5 If either party is required to disclose any Confidential Information pursuant to clause 10.4(v) such party shall, where lawfully permitted to do so: (i) promptly consult with and take into account any comments from the other party prior to making any disclosure; and (ii) work with the other party to ensure that any exemptions or other legitimate means of preventing disclosure or limiting disclosure are used to the fullest extent possible.  

9. Data Protection  

9.1 Each party undertakes to comply with its obligations under the Data Protection Legislation.  

9.2 To the extent that personal data is processed when the Customer or Authorised Users use the Services, the parties acknowledge that the Company is a data processor and the Customer is a data controller and the parties shall comply with their respective statutory data protection obligations.  

9.3 The Customer shall ensure that: (i) the personal data, which it supplies or discloses to the Company, has been obtained fairly and lawfully; (ii) it will obtain all necessary approvals from persons whose data is being processed; and (iii) it has in place all necessary registrations with authorities to permit the Company to transfer personal data to third parties pursuant to its obligations under this Agreement.  

9.4 The Company confirms that it: (i) will only process personal data on behalf of the Customer; (ii) will only process data in accordance with the instructions of that Customer.  

9.5 In addition to the above obligations, the parties shall comply with their respective obligations set out in the DPA. In the event of any conflict between clauses 9.3 and 9.4 of this Agreement and the terms of the DPA, the terms of the DPA shall prevail.  

9.6 Any personal data that the Customer provides to the Company during registration or when ordering or using the Services (such as the Customer’s email address) shall be collected and processed by the Company in accordance with the Privacy Policy.  

9.7 If a third party alleges infringement of its data protection rights, the Company shall be entitled to take measures necessary to prevent the infringement of a third party’s rights from continuing.  

10. Warranties  

10.1 Each party warrants and represents that: (i) it has full corporate power and authority to enter into this Agreement and to perform the obligations required hereunder; (ii) the execution and performance of its obligations under this Agreement does not violate or conflict with the terms of any other agreement to which it is a party and is in accordance with any applicable laws; and (iii) it shall respect all applicable laws and regulations, governmental orders and court orders, which relate to this Agreement.  

10.2 The Company warrants to the Customer that: (i) it has the right to license the Services; (ii) the Services shall be performed with reasonable skill and care and in a professional manner in accordance with good industry practice; (iii) that use of the Services will not infringe the Intellectual Property Rights of any third party. The foregoing warranties shall not: (a) cover deficiencies or damages relating to any third party components not furnished by the Company; or (b) any third party provided connectivity necessary for the provision or use of the Services. In the event of a breach of the warranties under this clause 10.2, the Company shall have no liability or obligations to the Customer other than to reimburse the Fees for the Services.  

10.3 No warranty is made regarding the results of usage of the Services or that the functionality of the Services will meet the requirements of the Customer or that the Services will operate uninterrupted or error-free. This clause shall survive the termination of this Agreement.  

10.4 The Customer acknowledges that Services should not be used for high-risk applications where precise locations or features on maps are essential to the Customer, for example, use of the Services by the emergency services.  

10.5 All third-party content or information provided by the Company via the Services, for example, prices is provided “as is”. The Company provides no warranties in relation to such content or information and shall have no liability whatsoever to the Customer for its use or reliance upon such content or information.  

10.6 The Customer warrants that it rightfully owns the necessary user rights, copyrights and ancillary copyrights and permits required for it to fulfil its obligations under this Agreement.  

10.7 The Customer warrants and represents that it and the Authorised Users shall maintain reasonable security measures (as may change over time) covering, without limitation, confidentiality, authenticity and integrity to ensure that the access to the Services granted under this Agreement is limited as set out under this Agreement. In particular, the Customer and Authorised Users shall treat any identification, password or username or other security devices for use of the Services with due diligence and care and take all necessary steps to ensure that they are kept confidential, secure and are used properly and are not disclosed to unauthorised persons. Any breach of the above shall be immediately notified to the Company in writing. The Customer shall be liable for any breach of this Agreement by an Authorised User or Client.  

10.8 The Customer warrants and represents that it shall ensure that its network and systems comply with the relevant specification provided by the Company from time to time and that it is solely responsible for procuring and maintaining its network connections and telecommunications links from the Customer’s systems to the Company’s data centres and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the Internet.  

10.9 Except as expressly stated in this Agreement, all warranties and conditions, whether express or implied by statute, common law or otherwise (including but not limited to satisfactory quality and fitness for purpose), are hereby excluded to the fullest extent permitted by law.  

11. Liability  

11.1 Neither party excludes or limits its liability for fraud, death or personal injury caused by any negligent act or omission or willful misconduct in connection with the provision or use of the Services.  

11.2 Neither party shall be liable for any Consequential Loss arising out of or related to this Agreement or in tort (including negligence or breach of statutory duty), misrepresentation or however arising, even if the party was advised of the possibility of such damages.  

11.3 Subject to clauses 11.1 to 11.3 inclusive the total liability of the Company to the Customer in aggregate (whether in contract, tort or otherwise, and expressly including breaches of the Data Protection Legislation) for any and all claims relating to or arising under this Agreement or based upon any claim for indemnity or contribution shall be limited to the total Fees (excluding all taxes) paid by the Customer to the Company during the 12 month period prior to the date on which any such claim arose. If the duration of the Agreement has been less than 12 months, such shorter period shall apply.  

11.4 The Customer shall be liable for any breaches of this Agreement caused by the acts, omissions or negligence of any Authorised Users or Clients who access the Services as if such acts, omissions or negligence had been committed by the Customer itself.  

11.5 The Customer shall not raise any claim under this Agreement more than 1 year after the discovery of the circumstances giving rise to a claim.  

11.6 The parties acknowledge and agree that in entering into this Agreement, each had recourse to its own skill and judgement and have not relied on any representation made by the other, their employees or agents.  

12. Indemnities  

12.1 The Company, at its own expense, shall: (i) defend, or at its option, settle any claim or suit brought against the Customer by a third party on the basis of infringement of any Intellectual Property Rights by the Services (excluding any claim deriving from any Customer provided item); and (ii) pay any final judgement entered against the Customer on such issue or any settlement thereof, provided that: (a) the Customer notifies the Company promptly of each such claim; (b) the Company is given sole control of the defence and/or settlement; and (c) the Customer fully cooperates and provides all reasonable assistance to the Company in the defence or settlement.

12.2 If all or any part of the Services becomes, or in the opinion of the Company may become, the subject of a claim, the Company at its own expense and sole discretion may: (i) procure for the Customer the right to continue to use the Services or the affected part thereof; or (ii) replace the Services or affected part with another suitable non-infringing service(s); or (iii) modify the Services or affected part to make the same non-infringing.  

12.3 The Company shall have no obligations under this clause 12 to the extent that a claim is based on (i) the combination, operation or use of the Services with other services or software not provided by the Company, if such infringement would have been avoided in the absence of such a combination, operation or use; or (ii) use of the Services in any manner inconsistent with this Agreement; or (iii) the negligence or willful misconduct of the Customer or its Authorised Users or Clients.  

12.4 The Customer shall defend, indemnify and hold the Company and its employees, suppliers or agents harmless from and against any cost, losses, liabilities and expenses, including reasonable legal costs arising from any claim relating to or resulting directly or indirectly from: (i) any claimed infringement or breach by the Customer of any Intellectual Property Rights with respect to the Customer’s use of the Services outside the scope of this Agreement; (ii) any access to or use of the Services by an Authorised User, Client or third party; and (iii) use by the Company of any Customer provided item; (iv) breaches of the Data Protection Legislation resulting from the Company processing data on behalf of and in accordance with the instructions of the Customer; or (v) any breach of this Agreement by an Authorised User or Client.  

12.5 Subject to clauses 12.1 to 12.4 inclusive, each party (‘the first party’) indemnifies and undertakes to keep indemnified the other party, its officers, servants and agents (‘the second party’) against any costs or expenses (including the cost of any settlement) arising out of any claim, action, proceeding or demand that may be brought, made or prosecuted against the second party under clause 12 of this Agreement. Such indemnity extends to and includes all costs, damages and expenses (including legal fees and expenses) reasonably incurred by the second party in defending any such action, proceeding claim or demands.  

13. Security  

13.1 The Customer, Authorised Users and Clients must ensure that each password is only used by the user to which it has been assigned. The Customer is responsible for any and all activities that occur under the Customer’s account and via the Customer’s passwords. The Customer will immediately notify the Company if the Customer becomes aware of any unauthorised use of the Customer’s account, the Customer’s passwords or breach of security known to the Customer. The Company shall have no liability for any loss or damage arising from the Customer’s failure to comply with these requirements.  

13.2 The Company may suspend access to the Services, or portion thereof, at any time, if in the Company’s sole reasonable discretion, the integrity or security of the Services is in danger of being compromised by acts of the Customer, Authorised Users or Clients. The Company shall give the Customer 24 hours written notice, before suspending access to the Services giving specific details of its reasons.  

14. Termination  

14.1 The Company may immediately terminate this Agreement or the provision of any Services provided pursuant to this Agreement if: (i) the Customer has used or permitted the use of the Services other than in accordance with this Agreement; or (ii) the Company is prohibited under applicable law, or otherwise from providing the Services.  

14.2 Either party shall be entitled to terminate this Agreement on written notice to the other party if the other party: (i) goes into voluntary or involuntary liquidation (otherwise than for the purpose of a solvent reconstruction or amalgamation) or has a receiver or administrator or similar person appointed or is unable to pay its debts within the meaning of s268 Insolvency Act 1986 or ceases or threatens to cease to carry on business or if any event occurs which is analogous to any of the foregoing in another jurisdiction; or (ii) commits a material breach of any term of this Agreement which, if capable of remedy, is not remedied within five (5) Business Days of receipt of a written notice specifying the breach and requiring it to be remedied; or (iii) is prevented by Force Majeure from fulfilling its obligations for more than twenty eight (28) days.  

14.3 Upon termination of this Agreement: (i) the Company shall immediately cease providing the Services to the Customer and all licences granted hereunder shall terminate; (ii) the Customer shall promptly pay the Company all unpaid Fees for the remainder of the Term. No Fees already paid shall be refunded if the Agreement is terminated prior to the end of the Term; (iii) at the option of the Customer, following receipt of a request from the Customer delete (in accordance with the terms of the DPA) or return all Customer Data stored in the Company’s database in its then current format, free of charge, provided that such request is made within 30 days of termination. If the Customer requires any Customer Data to be returned in a different format the Company reserves the right to charge for this additional service on a Time and Materials Basis.  

14.4 Termination of this Agreement for whatever reason shall not affect the accrued rights of the parties. All clauses which by their nature should continue after termination shall, for the avoidance of doubt, survive the expiration or sooner termination of this Agreement and shall remain in force and effect.  

15. Relationship between the Parties  

15.1 The Company and the Customer are independent contractors and nothing in this Agreement will be construed as creating an employer-employee relationship.  

16. Third Parties  

16.1 Nothing contained in this Agreement or in any instrument or document executed by any party in connection with the provision of the Services is intended to be enforceable by a third party under the Contracts (Rights of Third Parties) Act 1999, or any similar legislation in any applicable jurisdiction.  

17. Assignment  

17.1 No party may assign or transfer its rights under this Agreement without the prior written consent of the other party, such consent shall not be unreasonably withheld, however the Company shall be entitled to assign the Agreement to: (i) any company in the Company’s group of companies; or (ii) any entity that purchases the shares or assets of the Company as the result of a merger, takeover or similar event.  

18. Force Majeure  

18.1 If a party is wholly or partially prevented by Force Majeure from complying with its obligations under this Agreement, then that party’s obligation to perform in accordance with this Agreement will be suspended. As soon as practicable after an event of Force Majeure arises, the party affected by Force Majeure must notify the other party of the extent to which the notifying party is unable to perform its obligations under this Agreement. If the Force Majeure event lasts for more than 28 days the non-defaulting party may terminate this Agreement with immediate effect without penalty.

19. Miscellaneous  

19.1 Should a provision of this Agreement be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.  

19.2 This Agreement constitutes the whole agreement and understanding between the parties and supersedes all prior agreements, representations, negotiations and discussions between the parties relating to the subject matter thereof.  

19.3 In the event of any inconsistency between the content of the Terms and Conditions, the Order Form, the DPA and the Privacy Policy, the Order Form shall prevail followed by the Terms and Conditions, the DPA and then the Privacy Policy. If after the Effective Date any subsequent order form is signed by the parties and added to this Agreement during the Term and there is a conflict between the terms of such subsequent order form, its attachments and the Terms and Conditions, the last signed order form shall prevail over the terms of any previous order form and its attachments, unless specifically stated otherwise in the subsequent order form.  

19.4 Amendments to, or notices to be sent under this Agreement, shall be in writing and shall be deemed to have been duly given if sent by registered post or acknowledged fax to a party at the address given for that party in this Agreement. Notwithstanding the aforesaid, the Company may change or modify the terms of this Agreement upon giving the Customer 30 days notice via email. All changes shall be deemed to have been accepted by the Customer unless the Customer terminates the Agreement prior to the expiry of the 30 day period.  

19.5 Neither party shall make any public statement, press release or other announcement relating to the terms or existence of this Agreement, or the business relationship of the parties, without the prior written consent of the other party. Notwithstanding the aforesaid, the Company may use the Customer’s name and trademarks (logo only) to list the Customer as a client of the Company on its website and in other marketing materials and information.  

19.6 This Agreement shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this Agreement.

CONTACT  

Questions, comments and requests regarding these Terms and Conditions are welcomed and should be addressed to: team@credentially.io

Security Policy

Effective date:
February 14, 2020
Last edited:
December 21, 2022

Credentially approach to security

Credentially is on a mission to make doctors’ working lives better. To help us achieve this, we need to make sure that your data is secure, and protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Organizational security

At Credentially we are creating and maintaining a platform that is based on the world’s best data protection and security standards at all levels. We are registered with the ICO and comply with IG SoC. Credentially is actively preparing to comply with the new European directive - GDPR (General Data Protection Regulation) from the 25th of May 2018. Credentially has established an industry-leading security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned to the ISO 27000 standards and is regularly audited and assessed by third parties and customers.

Personnel security

Credentially personnel practices apply to all members of the Credentially workforce (“workers”)—regular employees and independent contractors—who have direct access to Credentially internal information systems (“systems”) and / or unescorted access to Credentially office space. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

Upon termination of working at Credentially, all access to Credentially systems is removed immediately.

Security and privacy training

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow Credentially information security policies at least annually. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Dedicated security professionals

Credentially has defined roles and responsibilities to delineate which roles in the organization are responsible for operating the various aspects of our Information Security Management System (ISMS). The responsibilities of each role are detailed in Credentially security documents.

At the center of administering our ISMS is Credentially Security Team. Credentially has appointed a Chief Security Officer (CSO) with overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of Credentially Security Team, which currently consists of over a dozen security professionals with more than 100 years of combined experience, focusing on Product Security, Security Operations, Computer Security Incident Response, and Risk and Compliance.

Together, these teams divide responsibilities for key aspects of Credentially security program, as follows:

Product Security

  • Establish secure development practices and standards
  • Ensure project-level security risk assessments
  • Provide design review and code review security services for detection and removal of common security flaws
  • Train developers on secure coding practices

Security Operations

  • Build and operate security-critical infrastructure including Credentially public key infrastructure, event monitoring, and authentication services
  • Maintain a secure archive of security-relevant logs
  • Consult with operations personnel to ensure the secure configuration and maintenance of Credentially production environment

CSIRT (Computer System Incident Reporting Team)

  • Respond to alerts related to security events on Credentially systems
  • Manage security incidents
  • Acquire and analyze threat intelligence

Risk and Compliance

  • Coordinate penetration testing
  • Manage vulnerability scanning and remediation
  • Coordinate regular risk assessments, and define and track risk treatment
  • Manage the security awareness program
  • Coordinate audit and maintain security certifications
  • Respond to customer inquiries
  • Review and qualify vendor security posture

These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Audits, compliance, and 3rd party assessments

Credentially operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards. Please contact your Account Executive, or Support, for more information about the security standards with which Credentially complies and to request copies of available reports and certifications.

Audits

Credentially evaluates the design and operation of its overall ISMS for compliance with internal and external standards. Credentially engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.

Penetration testing

Credentially engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Credentially management. Credentially Security Team reviews and prioritizes the reported findings and tracks them to resolution. Customers wishing to conduct their own penetration test of Credentially application may request to do so and should contact their account representative to obtain permission from both Credentially and Credentially hosting provider.

Legal compliance

Credentially employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements. Credentially also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.

Secure by design. Secure Development Lifecycle

Credentially assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Credentially undertakes an assessment to qualify the security risk of the software changes introduced.

This risk analysis leverages both the OWASP Top 10 and the experience of Credentially Product Security team to categorize every project as High, Medium, or Low risk. Based on this analysis, Credentially creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Credentially web application, Credentially Security Team operates continuous automated static analysis using advanced tools and techniques.

Significant defects identified by this process are reviewed and followed to resolution by the Security Team.

Protecting customer data

The focus of Credentially security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

Data encryption in transit and at rest

Credentially transmits data over public networks using strong encryption. This includes data transmitted between Credentially clients and the Credentially service. Credentially supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES 256 encryption, and SHA 2 signatures, as supported by the clients.

Credentially monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.

Data at rest in Credentially production network is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest within Credentially systems: relational databases, i.e. stores, database backups, etc. Credentially stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.

The Credentially service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Credentially service.

These service providers are responsible for restricting physical access to Credentially systems to authorized personnel.

Each Credentially customer’s data is hosted in Credentially shared infrastructure and segregated logically by the Credentially application. Credentially uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

Network security

Credentially divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Credentially production website. Customer data submitted into the Credentially services is only permitted to exist in Credentially production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Credentially production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of Credentially service to its users are open at Credentially perimeter. Credentially deploys mitigations against distributed denial of service (DDoS) attacks at its network perimeter. Changes to Credentially production network configuration are restricted to authorized personnel.

In Credentially hosted production environment, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) are performed using host-based controls. For example, Credentially logs, monitors, and audits system calls and has developed alerts for system calls that indicate a potential intrusion.

Classifying and inventorying data

To better protect the data in our care, Credentially classifies data into different levels and specifies the labeling and handling requirements for each of those classes. Credentially ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process. Credentially inventories hardware, software and data assets at least annually to maintain correct data classification levels. Credentially restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.

Authorizing access

To minimize the risk of data exposure, Credentially adheres to the principle of least privilege: workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. To ensure that users are so restricted, Credentially employs the following measures:

  • All systems used at Credentially require users to authenticate, and users are granted unique identifiers for that purpose.
  • Each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.

Workers may be granted access to a small number of internal systems, such as the corporate Credentially instance, by default upon hire. Requests for additional access follow a documented process and are approved by the responsible owner or manager.

Authentication

To further reduce the risk of unauthorized access to data, Credentially employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Credentially uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

Credentially requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

System monitoring, logging, and alerting

Credentially monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in Credentially production network are logged.

Credentially Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

Endpoint monitoring

Credentially workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behavior. Credentially Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

Mobile device management

Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet Credentially security standards.

Responding to security incidents

Credentially has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Credentially dedicated Computer Security Incident Response Team. Credentially defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Data and media disposal

Customer data is removed immediately upon deletion or message retention expiration. Credentially hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs). Backups are destroyed within 14 days. Credentially follows industry standards and advanced techniques for data destruction.

Credentially defines policies and standards requiring media be properly sanitized once it is no longer in use. Credentially hosting provider is responsible for ensuring removal of data from disks allocated to Credentially use before they are repurposed.

Protecting secrets

Credentially has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Workstation security

All workstations issued to workers are configured by Credentially to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software, and be tracked by Credentially endpoint management solution. Credentially default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software and mobile storage devices.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.

Controlling change

To minimize the risk of data exposure, Credentially controls changes, especially changes to production systems, very carefully. Credentially applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, Credentially production network is subject to additional safeguards against malware.

Server hardening

New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying Credentially custom configuration settings to each server before use.

File change management

Credentially maintains the configuration of its production servers by using a configuration management system (CMS) that runs frequently to check that only the authorized versions of key files are deployed. This CMS will overwrite files found on servers that don’t match the correct version stored in a change-controlled repository.

Disaster recovery and business continuity

Credentially utilizes services provided by its hosting provider to distribute its production operation across four separate physical locations. These four locations are within one geographic region, but protect Credentially service from loss of connectivity, power infrastructure and other common location-specific failures. Production transactions are replicated among these discrete operating environments, to protect the availability of Credentially service in the event of a location-specific catastrophic event. Credentially also retains a full backup copy of production data in a remote location more than 2500 miles from the location of the primary operating environment. Full backups are saved to this remote location once per day and transactions are saved continuously. Credentially tests backups at least quarterly to ensure they can be correctly restored.

3rd party suppliers

To run its business efficiently, Credentially relies on sub-service organizations. Where those sub-service organizations may impact the security of Credentially production environment, Credentially takes appropriate steps to ensure its security posture is maintained. Credentially establishes agreements that require service organizations to adhere to confidentiality commitments Credentially has made to its users. Credentially monitors the effective operation of the organization’s safeguards by conducting reviews of its service organization controls before use and at least annually.

Data security, international transfers and breaches

Security policy

Credentially has an information security policy supported by appropriate security measures.

International transfers

Credentially ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Union.

Breach notification

Credentially has effective processes to identify, report, manage and resolve any personal data breaches.



Information Security & Cookie

Effective date:
February 14, 2020
Last edited:
December 8, 2022

We care about your privacy and the security of your data

This site is operated by, and for the purposes of the Data Protection Act 2018 (the “Act”) the data controller is, Appraise Me Limited (traded as Credentially) (“Credentially”) of 3Space, Keeton's Road, London, SE16 4EE.

This cookies and privacy policy sets out how Credentially uses and protects any information that you give when you use this website.

Credentially is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Credentially may change this policy by updating this page. You should check this page from time to time to ensure that you are happy with any changes made.

Information security

  • The information collected by this website is stored securely within the EU.
  • All data in transit is encrypted via TLS 1.2; data at rest is protected using file-system-based AES 256-bit encryption and daily backups.
  • In our database, your password is protected using a one-way hashing algorithm. This means that if you lose access to your password, it will not be possible to restore it. However, you will be able to reset it using the email address that you provided.
  • You are responsible for keeping your password confidential and protecting access to the areas of the website that are accessible to you. Please do not share your password with anyone.
  • The server infrastructure that we use is audited under ISO 27001:2013, AICPA SOC1, SOC 2, SOC 3 and PCI-DSS

What information will Credentially collect about me?

  • Information about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit and page views). We collect this information in a way which does not identify anyone.
  • Information you provide by filling in forms on our website, such as when you register to receive information, complete user profile or submit work reports or employment details.
  • Information you provide when you refer yourself

How will Credentially use the information they collect about me?

We require this information to understand your needs and provide you with a better service, for example:

  • To improve the content and design of the website,
  • To contact you about a request/enquiry you have made with us,
  • To provide you with information you may have requested, for example a newsletter.

Work details you send to us electronically for reporting to your employer and analysing it, or details for other purposes, may be transmitted to a dedicated NHS body (Hospital) with admitting rights at Credentially for their professional opinion. By sending us your details, work log, professional information etc. you consent and accept that it may be necessary for us to forward these details electronically or in other formats.

Credentially will never share your information with other organisations for marketing, market research or commercial purposes.

Cookie Policy

What is a cookie?

A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things like your preferences or what’s in your shopping basket.

Cookie categories

  • Strictly necessary cookies: These cookies enable services you have specifically asked for.
  • Performance cookies: These cookies collect anonymous information on the pages visited.
  • Functionality cookies: These cookies remember choices you make to improve your experience.
  • Targeting cookies or advertising cookies: These cookies collect information about your browsing habits in order to make advertising relevant to you and your interests.

Cookies used on Credentially website

How do I turn cookies off?

It is usually possible to stop your browser accepting cookies, or to stop it accepting cookies from a particular website.

All modern browsers allow you to change your cookie settings. These settings will typically be found in the ‘options’ or ‘preferences’ menu of your browser. In order to understand these settings, the following links may be helpful, otherwise you should use the ‘Help’ option in your browser for more details.



Terms of Use

Effective date:
February 14, 2020
Last edited:
April 26, 2023

Last reviewed: 26.04.2023

Terms of Use

This website (“Site”) is provided by Appraise Me Limited (Credentially). By using this Site and the free services offered on it you agree to be legally bound by these Terms of Use, as they may be modified and posted on this Site from time to time. If you do not wish to be bound by these Terms of Use you may not use this Site.

Privacy Policy

We are committed to protecting your privacy. Please carefully read our Privacy Policy (www.credentially.io/terms-policies/privacy-policy), as by using this Site you confirm that you agree with it.

Service Availability

We endeavour to make our Site and services available at all times, but we cannot be liable if, for any reason, our services or Site are unavailable for any period of time. Access to this Site may be suspended at any time without any notice being given.

Copyright

This Site contains data and information, which are protected by trademark, patent and/or copyright laws. No part of this Site or our services may be published, distributed, extracted, re-utilised, or reproduced in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) except in accordance with separately agreed permissions or as permitted by the Copyright Designs and Patents Act 1988 or the Copyright and Rights in Databases Regulations 1997, as applicable. We reserve the right at any time at our discretion to withdraw or modify the licenses we grant for use of our content.

Links to other Websites

Our Site and services may offer links to other websites and services thereby enabling you to leave our Site and go directly to linked websites. We are not responsible for the content of any linked website or any link in a linked website. We are not responsible for any transmission received from any linked website. Such links are provided to assist users of this Site and our services and the inclusion of a link does not imply that we endorse or have approved the linked website or services. Please note that the terms of use and privacy policy of linked websites may differ from the Terms of Use and Privacy Policy of our Site. We encourage users to be aware of this when they leave our Site, and to read the terms of use and the privacy policy of such third party websites.

Data provided by You

You agree that all data you send or upload to this Site (including, but not limited to e-mails, text, pictures, videos or responses to any information available via this Site) is legal, not offensive, decent and truthful, complies with all laws and regulations, does not infringe the intellectual property rights or other rights of us or any third party, is not defamatory, unreliable or misleading or otherwise objectionable and is free from bugs, worms or viruses. You are solely responsible for your data. If we consider that any part of your data exposes us to the risk of a claim or complaint by a third party, we may block access to all or part of this Site and remove all or part of your data. You must provide all reasonable assistance in this respect. By responding to or using any information on this Site you grant us a non-exclusive, royalty free, transferable, perpetual license to use the data submitted for research or other similar purposes.

Liability

We do not accept any liability for the accuracy, completeness or suitability for a particular purpose of any content published or made available on or by means of our Site or services, unless liability cannot be restricted by any applicable law. We will not be liable for any damages arising in contract, tort or otherwise from the use of or inability to use this Site, services or another website linked to or from our site or any material contained therein, or from any action or decision taken as a result of using this Site or services. We shall not be liable for any damage which may result from the download, installation, storage or use of software or content from our Site or services.

Governing Law and Jurisdiction

Your use of this Site shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising out of use of this Site shall be referred to the English courts.

How to contact us

If you want to request any further information you can contact us via the contact details listed at the very bottom of the credentially.io website.

Changes to these Terms of Use

These Terms of Use may change from time to time and therefore you should review them regularly. We will of course notify you of any changes where we are required to do so. These Terms of Use were last updated on 01/03/2018 and replace all other terms of use previously applicable.



Credentially Subprocessors

Effective date:
August 12, 2020
Last edited:
November 8, 2023

To support the delivery of our Services, Credentially may use data processors with access to certain Customer Data (hereby known as “Subprocessor”). This page provides important information about the identity and role of each Subprocessor.

Third parties

Credentially uses third parties which are essential to provide various business functions and services to our customers. Security is essential to us and we perform extensive due diligence before we engage with any third party.

Major Subprocessors

Credentially may use these to store customer data:

  1. AWS Europe - Cloud Service Provider
  2. Mailchimp (The Rocket Science Group LLC) - cloud email notification service
  3. Nano Net Technologies Inc
  4. Microsoft Limited - Cloud Service Provider

Other Subprocessors

Credentially may use the following Subprocessors to perform other Service functions:

  1. Intercom - customer support
  2. Google - web analytics
  3. GoCardless - payments
  4. Hotjar - web analytics
  5. Stripe - payments
  6. Videoask - user feedback
  7. Amplitude - web analytics
  8. Sentry - system and performance logs monitoring
  9. Salesforce - cloud-based sales service
  10. Dropbox
  11. Revenue Hero (demo booking system)
  12. Twilio - SMS notifications

Updates

As our business evolves, we may change (add or remove) any of the Subprocessors. We will notify all customers if we do so.

Anti-slavery Policy Statement

Effective date:
June 14, 2021
Last edited:
December 20, 2022

Modern slavery is a crime and a violation of fundamental human rights. It takes various forms, such as slavery, servitude, forced and compulsory labour and human trafficking, all of which have in common the deprivation of a person’s liberty by another in order to exploit them for personal or commercial gain.

Credentially has a zero-tolerance approach to modern slavery, and we are committed to acting ethically and with integrity in all our business dealings and relationships and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere in our own business or in any of our supply chains.

We are also committed to ensuring there is transparency in our own business and in our approach to tackling modern slavery throughout our supply chains, consistent with our disclosure obligations under the Modern Slavery Act 2015.

We expect the same high standards from all our contractors, suppliers and other business partners, and as part of our contracting processes, in the coming year we will include specific prohibitions against the use of forced, compulsory or trafficked labour, or anyone held in slavery or servitude, whether adults or children, and we expect that our suppliers will hold their own suppliers to the same high standards.

This policy applies to all persons working for us or on our behalf in any capacity, including employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors, external consultants, third-party representatives, and business partners. This policy does not form part of any employee’s contract of employment, and we may amend it at any time.

Responsibility for the policy

Credentially has overall responsibility for ensuring this policy complies with our legal and ethical obligations, and that all those under our control comply with it.

Credentially has primary and day-to-day responsibility for implementing this policy, monitoring its use and effectiveness, dealing with any queries about it, and auditing internal control systems and procedures to ensure they are effective in countering modern slavery.

Management at all levels are responsible for ensuring those reporting to them understand and comply with this policy and are given adequate and regular training on it and the issue of modern slavery in supply chains.

Our Performance Indicators

We have a zero-tolerance approach to modern slavery and will know the effectiveness of the steps and policies we have put in place to ensure that human trafficking/slavery is not taking place at all within the business or end user clients if we receive no reports from employees, the public, clients directly or law enforcement agencies.

You are invited to comment on this policy and suggest ways in which it might be improved. Comments, suggestions and queries are encouraged and should be addressed to the CEO.

Kit Latham

CEO - Credentially


Data Processing Agreement

Effective date:
October 13, 2021
Last edited:
December 20, 2022

This DPA is entered into between Credentially (Appraise Me Limited) and the Customer and is incorporated into and governed by the terms of the Agreement.

1. Definitions

Any capitalised terms not defined in this DPA shall have the meaning given to it in the Agreement.

“Affiliates” means any entity that directly or indirectly controls, is controlled by or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;

“Agreement” means the agreement between the Company and the Customer for the provision of the Services;

“Controller” means the Customer;

“Data Protection Legislation” means all applicable data protection and privacy legislation, regulations and guidance including:

(i) Regulation (EU) 2016/679 (as incorporated into UK legislation by way of the European Union (Withdrawal Agreement) Act 2020 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, together forming the “UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003;

(ii) the Data Protection Act 2018; and

(iii) all applicable law about the processing of Personal Data and privacy;

and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

“Data Subject” shall have the same meaning as in the Data Protection Legislation;

“DPA” means this data processing agreement together with Appendix A and the Security Policy;

“Personal Data” shall have the same meaning as in the Data Protection Legislation;

“Process” has the meaning set out in the Data Protection Legislation.  ‘Processed’ and ‘Processing’ shall be interpreted in the same way.  

“Processor” means the Company;

“Regulator” means the UK Information Commissioner (including any successor or replacement body);

“Security Policy” means the Company’s security document as updated from time to time, and made reasonably available by the Company;

“Standard Contractual Clauses” means the standard clauses for transfers of personal data to third countries adopted under Decision 2021/914 or such other equivalent mechanism adopted by the Regulator pursuant to section 119A of the Data Protection Act 2018;

“Sub-Processor” means any person or entity engaged by the Company or its Affiliate to process Personal Data in the provision of the Services to the Customer.

2. Purpose

2.1 The Processor has agreed to provide the Services to the Controller in accordance with the terms of the Agreement. In providing the Services, the Processor shall process Customer Data on behalf of the Controller. Customer Data may include Personal Data. The Processor will process and protect such Personal Data in accordance with the terms of this DPA.

3. Scope

3.1 In providing the Services to the Controller pursuant to the terms of the Agreement, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with both the terms of the Agreement and the Controller’s instructions documented in the Agreement and this DPA.

4. Processor Obligations

4.1 The Processor may collect, process or use Personal Data only within the scope of this DPA, as further specified in Appendix A.

4.2 The Processor confirms that it shall process Personal Data on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data shall only process the Personal Data on the documented instructions of the Controller.

4.3 The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach the Data Protection Legislation.

4.4 The Processor shall ensure that all employees, agents, officers and contractors involved in the Processing of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on the Data Protection Legislation; and (iii) are bound by the terms of this DPA.

4.5 The Processor shall implement appropriate technical and organisational procedures to protect Personal Data as required by Article 32 of the UK GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.6 The technical and organisational measures detailed in the Security Policy shall be at all times adhered to as a minimum security standard. The Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Processor may use alternative suitable measures to those detailed in the attachments to this DPA.

4.7 The Controller acknowledges and agrees that, in the course of providing the Services to the Controller, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the Services. All such access by the Processor will be limited to those purposes.

4.8 Personal Data will not be transferred outside of the UK or EEA unless one of the following applies:

(i) the provisions of the Standard Contractual Clauses;

(ii) the third country or territory has been recognised by the Regulator to have an adequate level of protection;

(iii) the organisation is located in a country which has other legally recognised appropriate safeguards in place, such as Binding Corporate Rules; or

(iv) the processing is otherwise necessary for the performance of contract with, or concluded in the interests of, the data subject.

4.9 Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights and the Controller’s compliance with the Controller’s data protection obligations in respect of the processing of Personal Data.

4.10 The Processor confirms that it and/or its Affiliate(s) have appointed a data protection officer where such appointment is required by applicable data protection legislation. The appointed data protection officer may be reached at dpo@credentially.io

5. Controller Obligations

5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and all applicable data protection laws.

5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA.

5.3 The Controller is responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement.

5.4 All Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.

5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data as required by Article 32 of the UK GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller.

5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after the termination of the Agreement. The Processor will process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.

5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, assisting with audits, inspections or DPIAs by the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

6. Sub-Processors

6.1 The Controller acknowledges and agrees that: (i) Affiliates of the Processor may be used as Sub-processors; and (ii) the Processor and its Affiliates respectively may engage Sub-processors in connection with the provision of the Services.

6.2 All Sub-processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor set out in this DPA.

6.3 Where Sub-processors are located outside of the UK or EEA, the Processor confirms that such personal data will only be transferred to that Sub-processor where one of the scenarios listed at clause 4.8 above applies.

6.4 The Processor shall make available to the Controller the current list of Sub-processors which shall include the identities of Sub-processors and their country of location. During the term of this DPA, the Processor shall provide the Controller with prior notification, via email, of any changes to the list of Sub-processor(s) who may process Personal Data before authorising any new or replacement Sub-processor(s) to process Personal Data in connection with the provision of the Services.

6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-processor, and that objection is not unreasonable, the Controller may terminate the Agreement or applicable Order Form with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub-processor. The Processor will refund the Controller any prepaid fees covering the remainder of the Term of the Agreement (or applicable Order Form) following the effective date of termination with respect to such terminated Services.

7. Liability

7.1 The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA.

7.2 The parties agree that the Processor shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly under the terms of the DPA, subject to any limitations on liability set out in the terms of the Agreement.

7.3 The parties agree that the Controller shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Controller itself.

7.4 The Controller shall not be entitled to recover more than once in respect of the same claim.

8. Audit

8.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its processing obligations and allow for and contribute to audits and inspections.

8.2 Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Controller, the Controller may conduct a more extensive audit which will be: (i) at the Controller’s expense; (ii) limited in scope to matters specific to the Controller and agreed in advance; (iii) carried out during UK business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with the Processor’s day-to-day business.

8.3 This clause shall not modify or limit the rights of audit of the Controller, instead, it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.

9. Data Breach

9.1 The Processor shall notify the Controller without undue delay after becoming aware of (and in any event within 72 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data (“Data Breach”).  

9.2 The Processor will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist the Controller in meeting the Controller’s obligations under applicable law.

10. Compliance, Cooperation and Response

10.1 In the event that the Processor receives a request from a Data Subject in relation to Personal Data, the Processor will refer the Data Subject to the Controller unless otherwise prohibited by law. The Controller shall reimburse the Processor for all costs incurred as a result of providing reasonable assistance in dealing with a Data Subject request. In the event that the Processor is legally required to respond to the Data Subject, the Controller will fully cooperate with the Processor as applicable.

10.2 The Processor will notify the Controller promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts the Controller unless such notification is not permitted under applicable law or relevant court order.

10.3 The Processor may make copies of and/or retain Personal Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.

10.4 The Processor shall reasonably assist the Controller in meeting its obligation to carry out data protection impact assessments (DPIAs), taking into account the nature of processing and the information available to the Processor.

10.5 The parties acknowledge that it is the duty of the Controller to notify the Processor within a reasonable time, of any changes to applicable data protection laws, codes or regulations which may affect the contractual duties of the Processor. The Processor shall respond within a reasonable timeframe in respect of any changes that need to be made to the terms of this DPA or to the technical and organisational measures to maintain compliance. If the parties agree that amendments are required, but the Processor is unable to accommodate the necessary changes, the Controller may terminate the part or parts of the Services which give rise to the non-compliance. To the extent that other parts of the Services provided are not affected by such changes, the provision of those Services shall remain unaffected.

10.6 The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with a supervisory data protection authority in the performance of their respective obligations under this DPA.

11. Term and Termination

11.1 The Processor will only process Personal Data for the term of the DPA. The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.

11.2 The Processor shall at the choice of the Controller, upon receipt of a request received within 14 days at the end of the provision of the Services relating to processing sent to team@credentially.io delete or return Personal Data to the Controller. The Processor shall in any event delete all copies of Personal Data in its systems within 60 days of the effective date of termination of the Agreement unless: (i) applicable law or regulations require storage of the Personal Data after termination; or (ii) partial personal data of the Customer is stored in backups, then such personal data shall be deleted from backups up to 1 year after the effective date of termination of the Agreement.

12. General

12.1 This DPA sets out the entire understanding of the parties with regard to the subject matter herein.

12.2 Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed upon which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.

12.3 This DPA shall be governed by the laws of England and Wales. The courts of England shall have jurisdiction for the settlement of all disputes arising under this DPA.

The parties agree that this DPA is incorporated into and governed by the terms of the Agreement.

Appendix A

Overview of data processing activities to be performed by the Processor

1. Controller

The Controller transfers Personal Data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Controller is the Customer.

2. Processor

The Processor received data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Processor is the Company.

3. Data Subjects

The Personal Data transferred includes but is not limited to the following categories of Data Subjects:

• Employees, freelancers and contractors of the Controller, and other users added by the Controller from time to time.

• Authorised Users, Affiliates and other participants from time to time to whom the Controller has granted the right to access the Services in accordance with the terms of the Agreement.

• Clients of the Controller and individuals with whom those end users communicate by email and/or instant messaging.

• Service providers of the Controller.

• Other individuals to the extent identifiable in the content of emails or their attachments or in archiving content.

4. Categories of Data

The Personal Data transferred includes but is not limited to the following categories of data:

• Personal details, names, user names, passwords, email addresses of Authorised Users.

• Personal Data derived from the Authorised Users’ use of the Services such as professional information including but not limited to grade, medical speciality, GMC number and business intelligence information.

• Personal Data within the email and messaging content which identifies, or may reasonably be used to identify, data subjects.

• Metadata including sent, to, from, date, time, subject, which may include Personal Data.

• Photos.

• Data concerning education and profession

• Medical data: occupational health records

• Criminal convictions records (DBS)

• Workplace related information: company, location, start and end date of employment and other work-related data.

• File attachments that may contain Personal Data.

• The information offered by users as part of support enquiries.

• The survey, feedback and assessment messages

• Other data added by the Controller from time to time.

5. Special categories of Data Personal Data transferred includes but is not limited to the following special categories of data:

• Medical data: occupational health records.

• Criminal convictions records (DBS).

6. Processing operations The Personal Data transferred will be subject to the following basic processing activities:

• Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the Controller’s instructions. The Processor processes Personal Data only on behalf of the Controller.

• Processing operations include but are not limited to: management of employees and intermediaries, monitoring of the workplace, client management, training, medical registration details, indemnity information, information required for CQC compliance by medical employers, appraisals, performance reviews, feedback, objectives and personal development tracking, making comments and updates on these, management of lists of employees, intermediaries and other users, providing support to users and other HR functions for medical employers, etc. This operation relates to all aspects of Personal Data processed.

• Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the Services and specifically in answer to a Controller query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.

• Virus, anti-spam and Malware checking in accordance with the Services provided. This operation relates to all aspects of Personal Data processed.

• URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.


Environmental Policy

Effective date:
May 13, 2022
Last edited:
December 20, 2022

1. Overview

Credentially (Appraise Me Limited) strives to be a leader in environmental sustainability. We believe that a successful future for our business and the customers we serve depends on the sustainability of the environment, communities, and economies in which we operate.

As a responsible corporate citizen, we bear a responsibility to consider the impacts of our actions and how they affect the environment, both directly in terms of our own operations, and indirectly through our purchasing decisions, the products and services we offer to our customers, and the business opportunities we pursue.

We are fully committed to minimizing the impact of our operations on the environment.

2. Scope

The requirements of this policy apply to all entities and employees of Credentially (Appraise Me Limited).

Although this policy applies to all entities and employees, the primary audience is those responsible for its implementation, namely the business line leaders and local management of each entity of the Company.

3. Commitment from Credentially (Appraise Me Limited)

We want our products, services, and production to be part of a sustainable society. We are committed to:

a) Environmental Commitments and environmental management systems:

Protect the Environment

Credentially (Appraise Me Limited) will protect the environment, including preventing pollution, through responsible management of our operations.

Will give appropriate weight to this environmental policy when making future planning and investment decisions.

Will reduce resource consumption, waste and pollution in our operations.

Additionally, Credentially will offset each employee's yearly carbon footprint using carbon footprint offsetting systems such as tree planting. The amount to offset will be calculated as follows:

The average number of employees during the previous financial period x 4.24 tonnes = The total estimated CO2 carbon footprint of each employee during working hours (based on an 8 hour working day).

Compliance

Credentially (Appraise Me Limited) will comply with, or exceed, our environmental obligations. Operations Credentially senior management team will review this policy yearly at the end of each accounting period.

Own operations

Credentially (Appraise Me Limited) will minimize the environmental impacts of our own operations through best practice management of our use of energy, transportation, material consumption, water use, waste and emissions. Will encourage suppliers, subcontractors, retailers and recyclers of our products to adopt the same environmental principles as Credentially (Appraise Me Limited).

Purchasing Decisions

Credentially (Appraise Me Limited) will consider the environmental performance of our suppliers and the environmental attributes of products and services in our purchasing decisions.

b)  Engagement and Transparency:

Employees

Credentially (Appraise Me Limited) will raise employee awareness and support employee creativity and enthusiasm with respect to implementing our environmental policies, guidelines, programs, and initiatives.

Equal Opportunities Policy

Effective date:
May 13, 2022
Last edited:
December 21, 2022

Policy statement

The Company is an equal opportunity employer and is committed to a policy of treating all its employees and job applicants equally. The Company will avoid unlawful discrimination in all aspects of employment including recruitment and selection, promotion, transfer, opportunities for training, pay and benefits, other terms of employment, discipline, selection for redundancy, and dismissal.

It is the policy of the Company to take all reasonable steps to employ and promote employees on the basis of their abilities and qualifications without regard to age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origins), religion or belief, sex and/or sexual orientation. In this policy, these are known as the ‘protected characteristics’. The Company will appoint, train, develop and promote on the basis of merit and ability alone.

Employees have a duty to co-operate with the Company to ensure that this policy is effective to ensure equal opportunities and to prevent discrimination. Action under the Company’s disciplinary procedure will be taken against any employee who is found to have committed an act of improper or unlawful discrimination. Serious breaches of the equal opportunities policy will be treated as potential gross misconduct and could render the employee liable to summary dismissal. Employees should also bear in mind that they can be held personally liable for any act of unlawful discrimination.

Employees must not harass, bully or intimidate other employees for reasons related to one or more of the protected characteristics. Such behaviour will be treated as potential gross misconduct under the Company's disciplinary procedure. Employees who commit serious acts of harassment may also be guilty of a criminal offence. The Company has a separate dignity at work policy which deals with these issues and sets out how complaints of this type will be dealt with.

Employees should draw the attention of their line manager to suspected discriminatory acts or practices. Employees must not victimise or retaliate against an employee who has made allegations or complaints of discrimination or who has provided information about such discrimination. Such behaviour will be treated as potential gross misconduct under the Company’s disciplinary procedure. Employees should support colleagues who suffer such treatment and are making a complaint.

Direct discrimination

Direct discrimination occurs when, because of one of the protected characteristics, a job applicant or an employee is treated less favourably than other job applicants or employees are treated or would be treated.

The treatment will still amount to direct discrimination even if it is based on the protected characteristic of a third party with whom the job applicant or employee is associated and not on the job applicant’s or employee's own protected characteristic. In addition, it can include cases where it is perceived that a job applicant or an employee has a particular protected characteristic when in fact they do not.

Discrimination after employment is also unlawful if it arises out of and is closely connected to the employment relationship, for example refusing to give a reference or providing an unfavourable reference for a reason related to one of the protected characteristics.

The Company will take all reasonable steps to eliminate direct discrimination in all aspects of employment.

Indirect discrimination

Indirect discrimination is a treatment that may be equal in the sense that it applies to all job applicants or employees but which is discriminatory in its effect on, for example, one particular sex or racial group.

Indirect discrimination occurs when there is applied to the job applicant or employee a provision, criterion or practice (PCP) which is discriminatory in relation to a protected characteristic of the job applicant's or employee’s. A PCP is discriminatory in relation to a protected characteristic of the job applicant’s or employee’s if:

  • It is applied, or would be applied, to persons with whom the job applicant or employee does not share the protected characteristic,
  • The PCP puts, or would put, persons with whom the job applicant or employee shares the protected characteristic at a particular disadvantage when compared with persons with whom the job applicant or employee does not share it,
  • It puts or would put, the job applicant or employee at that disadvantage, and it cannot be shown by the Company to be a proportionate means of achieving a legitimate aim.

The Company will take all reasonable steps to eliminate indirect discrimination in all aspects of employment.

Victimisation

Victimisation occurs when an employee is subjected to a detriment, such as being denied a training opportunity or a promotion, because they have raised or supported a grievance or complaint of unlawful discrimination, or because they have issued employment tribunal proceedings for unlawful discrimination or they have given evidence in connection with unlawful discrimination proceedings brought by another employee. However, an employee is not protected if they give false evidence or information or make a false allegation, and they do so in bad faith. Post-employment victimisation is also unlawful, for example refusing to give a reference or providing an unfavourable reference because the former employee has done one of the protected acts set out above.

The Company will take all reasonable steps to eliminate victimisation in all aspects of employment.

Sources of recruitment

The recruitment process will be conducted in such a way as to result in the selection of the most suitable person for the job in respect of abilities and qualifications. The Company is committed to applying its equal opportunities policy at all stages of recruitment and selection.

Advertisements

Advertisements will aim to positively encourage applications from all suitably qualified people. When advertising job vacancies, in order to attract applications from all sections of the community, the Company will, as far as reasonably practicable:

1. Ensure advertisements are not confined to those areas or publications which would exclude or disproportionately reduce the numbers of applicants with a particular protected characteristic;

2. Avoid setting any unnecessary provisions or criteria which would exclude a higher proportion of people with a particular protected characteristic.

Where vacancies may be filled by promotion or transfer, they will be published to all eligible employees in such a way that they do not restrict applications from employees with a particular protected characteristic.

However, where, having regard to the nature and context of the work, having a particular protected characteristic is an occupational requirement and that occupational requirement is a proportionate means of achieving a legitimate aim, the Company will apply that requirement to the job role and this may, therefore, be specified in the advertisement.

Selection methods

The selection process will be carried out consistently for all jobs at all levels.

The selection of new staff will be based on the job requirements and the individual’s suitability and ability to do, or to train for, the job in question. Person specifications and job descriptions will be limited to those requirements that are necessary for the effective performance of the job. Candidates for employment, promotion or transfer will be assessed objectively against the requirements for the job.

With disabled job applicants, the Company will have regard to its duty to make reasonable adjustments to work provisions, criteria, or practices or to physical features of work premises or to provide auxiliary aids or services in order to ensure that the disabled person is not placed at a substantial disadvantage in comparison with persons who are not disabled.

Selection tests

Any selection tests which are used will be limited to questions relating to the particular job and/or career requirements. The tests will measure the individual’s actual or inherent ability to do or to train for the work or career. Thus, questions or exercises on matters which may be unfamiliar to applicants with a particular protected characteristic will not be included in the tests if they are unrelated to the requirements of the particular job. The tests which are used will be reviewed from time to time in order to ensure that they remain relevant and free from any unjustifiable bias, either in content or in a scoring mechanism.

Applications and interviewing

All applications will be processed in the same way. The staff responsible for short-listing, interviewing and selecting candidates will be clearly informed of the selection criteria and of the need for their consistent application.

Wherever possible, all applicants will be interviewed by at least two interviewers. All questions that are put to the applicants will relate to the requirements of the job.

If it is necessary to assess whether personal circumstances will affect the performance of the job (for example, if the job involves unsociable hours or extensive travel), this will be discussed objectively, without detailed questions based on assumptions about any of the protected characteristics.

Training, transfer, and promotion

The Company will take such measures as may be necessary to ensure the proper training, supervision, and instruction for all line managers in order to familiarise them with the Company’s policy on equal opportunities, and in order to help them identify discriminatory acts or practices and to ensure that they promote equal opportunity within the departments for which they are responsible. The training will also enable line managers to deal more effectively with complaints of bullying and harassment.

The Company will also provide training to all employees to help them understand their rights and responsibilities under the Company’s equal opportunities and dignity at work policies and what they can do to create a work environment that is free from discrimination, bullying, and harassment.

All persons responsible for selecting new employees, employees for training or employees for transfer or promotion to other jobs will be instructed not to discriminate because of one or more of the protected characteristics.

Where a promotional system is in operation, the assessment criteria will be examined to ensure that they are not discriminatory. The promotional system will be checked from time to time in order to assess how it is working in practice.

When a group of workers who predominantly have a particular protected characteristic appear to be excluded from access to promotion, transfer and training and to other benefits, the Company’s systems and procedures will be reviewed to ensure there is no unlawful discrimination.

Terms of employment, benefits, facilities and services

All terms of employment, benefits, facilities, and services will be reviewed from time to time in order to ensure that there is no unlawful direct or indirect discrimination because of one or more of the protected characteristics.

Equal pay and equality of terms

The Company is committed to equal pay and equality of terms in employment. It believes its male and female employees should receive equal pay where they are carrying out like work, work rated as equivalent or work of equal value. In order to achieve this, the Company will endeavour to maintain a pay system that is transparent, free from bias and based on objective criteria.

Grievances and complaints

All allegations of discrimination will be dealt with seriously, confidentially, and speedily. The Company will not ignore or treat lightly grievances or complaints about unlawful discrimination from employees. Such complaints should be raised promptly under the terms of the Company’s grievance procedure.

If the complaint involves bullying or harassment, the grievance procedure is modified as set out in the dignity at work policy.

Employees will not be penalised for raising a grievance, even if it is not upheld, unless the complaint was both untrue and made in bad faith.

Monitoring equal opportunity

The Company will regularly monitor the effects of selection decisions and personnel practices and procedures in order to assess whether an equal opportunity is being achieved. This will also involve considering any possible indirectly discriminatory effects of its standard working practices. If changes are required, the Company will implement them. The Company will also make reasonable adjustments to its standard working practices to overcome substantial disadvantages caused by disability.

Service Level Agreement

Effective date:
December 7, 2022
Last edited:
December 28, 2022

Definitions

All terms defined in this SLA shall have the meaning set out in the Terms and Conditions, unless defined otherwise below.

“Availability Service Level” has the meaning set out in section 1.1 of this SLA (and “Available” and “Availability” shall be construed accordingly).

“Bug” an unwanted or unintended property of the Service that can be reproduced and causes the Service to malfunction but does not affect the availability of the Service;

“Business Day” Monday to Friday excluding any national holiday in the United Kingdom;

“Business Hours” 09:00 - 17:00 on Business Days;

“Emergency Maintenance” maintenance, upgrades, Updates, repairs to hardware and software related to resolving immediate problems causing instability in the Services;

“Out of Scope Issues” has the meaning set out in section 6 of this SLA;

“Incident” a malfunction of the Service which can be reproduced, is not a Bug and whose root cause is found in the hosting service, network, hardware or third party software components;

“Licence Fees” the recurring licence fees paid by the Customer in the Measurement Period during which the Availability Service Level was not met;

“Measurement Period” each year of the Term after go-live From go-live of the Service;

“Planned Maintenance” maintenance, upgrades, Updates, installation of new versions and repairs which are non-critical and not urgent, to hardware and software, as further described in section 4.3 below;

“Release” a modification in the functionality of the Services which results in a change in the version number set out in the SLA, as further described in section 4.1 below.

1. Hosting Service

1.1 Availability

The Company will use commercially reasonable measures in terms of redundancy, monitoring and platform management to make the Service available via the Internet 99.9% of the time 24 hours a day 7 days a week during the Measurement Period, except during Planned Maintenance, and excluding unavailability caused by Out of Scope Issues (“Availability Service Level”). All Availability measurements shall be calculated by the Company.

1.2 Service Credits

If the Company fails to meet the Availability Service Level in any Measurement Period, the Company will credit the Customer (against Company’s next invoice issued after the relevant Measurement Period) a sum which is equal to the percentage of the Licence Fees indicated below that corresponds to the Availability of the Service during that Measurement Period (“Service Credits”):

Service Credits: (a) must be claimed by the Customer within 30 days of notification of the Customer’s entitlement; (b) are not a refund and cannot be exchanged into a cash amount; (c) are capped at a maximum of 10% of the Licence Fees in any Measurement Period; (d) are subject to the Customer paying all outstanding invoices; (e) expire upon termination of the Agreement (such that where the Company has issued the final invoice for the Fees, no further Service Credit shall apply); and (f) are the Customer’s sole and exclusive remedy for any failure by the Company to meet the Availability Service Level.

2. Support Services

In response to Bugs and Incidents reported to the Company’s support centre in accordance with section 2.3 below (“Reported” and “Report”), the Company will use reasonable endeavours to respond to such Bugs and Incidents, except to the extent of Out of Scope Issues (“Support”).

The Company may provide Support through remote access methods and the Customer shall provide remote access to the Customer’s systems for the purposes of the delivery of such Support.

2.1 Scope of Support Services

Maintenance and support services shall not be provided for, or in respect of any, Out of Scope Issues.

2.2 Problem Notification

Bugs and Incidents must be reported to the Company’s support centre by email info@credentially.io or via the help desk tool available in the Services. The Company provides support services in English. The Customer will use its best endeavours to provide sufficient information about the Bug or Incident and its effect to allow the Company to reproduce it (and as may be otherwise requested by the Company).

2.3 Problem Acknowledgement

Upon receipt of a Bug or Incident Report, the Company shall respond to the Customer via the help desk tool or via email (“Response”), within the time frame set out in section 3.2 of this SLA as applicable, based on the severity allocated to the Bug or Incident by the Company, and type of problem. The Response shall specify the severity level and type of problem.

2.4 Support Hours

The Company offers Support for the Services during Business Hours.

3. Problem Resolution

Reported Incidents and Bugs will be dealt with in accordance with the level of severity allocated by the Company (in its sole discretion). The time frame in which Reported problems will be resolved will depend upon whether they are classified as a Bug or an Incident.

3.1 Problem Severity Classification

3.2 Response and Target Resolution Times

The Company shall use reasonable endeavours to acknowledge the Report of any Bug or Incident and commence identification of the cause and commence work on a resolution within the following timescales. All of such timescales commence following Company’s receipt of the Report, and shall be calculated based on Business Hours. A resolution may include a temporary workaround (in which case a permanent resolution will be provided in the next Release, as defined in section 4 below).

4. Maintenance Services

Nothing in this Agreement shall entitle the Customer to any new version of the software underlying the Service, being a version which contains such significant differences from the previous versions as to be generally accepted in the marketplace as constituting a new product (“New Product”). Any New Products must be ordered and paid for separately by the Customer by agreeing a new Order Form with the Company. Maintenance shall involve the Company from time to time providing and implementing within the System “Releases” and “Patches” (as defined below), each of which may include updates to relevant documentation:

4.1 Releases

Releases contain new or amended features (but will not constitute New Products) as made generally available in accordance with the Company’s timetable for releasing new versions (as amended from time to time, and available on request). There may be some need for configuration and additional user training in order to obtain the maximum benefit of the new features, in which event Company shall notify Customer, and such services may be provided as Extras (in accordance with, and subject to, clause 2.3 of the Terms and Conditions). Releases do not significantly impact the existing technical setup of the Customer or training materials. Releases are numbered as follows: 3.1.1, 3.2.1, 3.3.1, etc.

4.2 Patches

Patches provide bug fixes, performance and SLA improvement. Such features and functionality do not impact the current configuration of the Customer, nor require additional training.

There are 2 categories of patches:

  • ‘Normal Patches’ which include fixes on medium or low severity bugs, as well as a combination of change requests and small features. These patches are usually deployed weekly during the maintenance window.
  • ‘Emergency Patches’ include fixes on issues that are determined to be urgent by the Company, or relate to high severity bugs, security threats, performance, or availability. Emergency patches are deployed as and when necessary.

Patches are deployed as determined by Company to be required for all Customers of a given release. Releases (and Patches) may require enhancements to the Customer’s system. The Company will advise the Customer if such enhancements are required. The Customer is responsible for procuring and implementing such enhancements.

4.3 Planned Maintenance

“Planned Maintenance” involves the Company providing Releases and Normal Patches to the Customer from time to time. The Company usually carries out Planned Maintenance in the maintenance windows set out below. If Planned Maintenance is to be performed outside of these windows, the Company shall give the Customer at least 48 hours’ prior notice.

4.4 Emergency Maintenance

“Emergency Maintenance” usually comprises the provision of Emergency Patches by the Company.

The Customer acknowledges that, during the provision of Planned Maintenance or Emergency Maintenance, the Service may be unavailable.

5. Customer’s Obligation

The Customer has the following obligations under this SLA and the Agreement:

  • to provide access to a computer system capable of running the TCP/IP network protocol and an Internet web browser, and to use a web browser that supports JavaScript;
  • to provide all suitable hardware and software and telecommunications equipment required for accessing the Service;
  • responsibility for the network connection between the Company’s hosting centres and the Customer’s premises (backend) connection to a telecommunication network;
  • to inform the Company without delay of any problems with the Service;
  • to purchase upgrades for its own software, if necessary, for the error free operation of its own software with the Service;
  • to check its systems for the most commonly known worms and viruses;
  • to have a current virus scanner installed for each Customer system accessing the Service.

6. Out of Scope Issues

The Company shall have no obligation to fix, resolve, or respond to (and shall not be liable for), any errors, Bugs, Incidents, or other problems or any lack of availability of the Service caused by any one or more of the following:

  • breach of the Customer’s obligations in section 5 or Customer’s breach of the Terms and Conditions;
  • use of services, hardware, or software not provided by the Company, including, but not limited to, issues resulting from inadequate bandwidth, unavailability of telecommunications, faults or omission of ISPs, lack of connectivity or other issues related to third-party software or services;
  • use of the Service on a system not supported by the Company or specifically agreed in writing in the Agreement;
  • interconnection of the Services with other software products not supplied by the Company except as expressly agreed in writing in the Agreement;
  • any DNS issues not within the direct control of the Company i.e. a fault on the Customer’s network or own equipment configuration;
  • problems or errors that occur while the Company is waiting for the Customer to provide information to enable it to rectify a fault or restore the Service;
  • use of the Services after the Company advises the Customer to modify its use of the Services, if the Customer did not modify its use as advised.
  • the Customer’s unauthorized action or lack of action when required, or from its employees, agents, contractors, or vendors, or any unauthorised person gaining access to the Company’s or Customer’s network by means of the Customer’s passwords or equipment, or otherwise resulting from the Customer’s failure to follow appropriate security practices;
  • the Customer’s failure to adhere to any required configurations, Service documentation, use supported platforms, follow any policies for acceptable use, or its use of the Services in a manner inconsistent with the features and functionality of the Service or inconsistent with the Company’s published guidance;
  • faults caused by the Customer’s management or connection to the Service;
  • faulty Customer Data or input, instructions, or arguments (for example, requests to access files that do not exist);
  • the Customer failing to take part in training offered by the Company necessary for use of the Service;
  • attempts to perform operations that exceed prescribed quotas or that result from the Company’s throttling of suspected abusive behaviour.
  • any Services not paid for at the time of the problem;
  • Force Majeure;
  • modifications, alteration or configuration of the Service by the Customer or a third party that has not been authorised by the Company;
  • problems occurring outside of the Company network and systems;
  • problems which are not Bugs or Incidents;
  • hacking, spamming, viruses or other hostile computer programs where the Company has taken reasonable steps to avoid them, including use of up to date commercially available anti-hacking, anti-spamming and anti-virus software.

Credentially is a trading name of Appraise Me Ltd is a limited liability company registered in England and Wales with registered number 10098246. A list of the members is open to inspection at its registered office, 320d High Road, Benfleet, Essex, England, SS7 5HB. This document is confidential and may contain information that is privileged. If you are not the named recipient, or responsible for delivering the message to the named recipient, you must not use this document or its attachments in any manner. If you have received this document in error, please inform the sender and immediately delete this message. Our Privacy Policy explains our commitment to respecting data protection laws. You can read the full text about your rights as a data subject and our data privacy statement on our website at credentially.io/terms-policies/privacy-policy

Health and Safety Policy

Effective date:
March 7, 2023
Last edited:
March 16, 2023

1. Policy

This policy is intended to set out the values, principles and policies underpinning our approach to safe working practices.

Health and Safety at Work Policy

AppraiseMe Limited (t/a Credentially) is committed to ensuring the health, safety and welfare of its staff. The organisation will take the following steps to ensure that its statutory duties are met at all times:

• Each employee should be given such information, instruction and training as is necessary to enable the safe performance of work activities.

• All processes and systems of work should be designed to take account of health and safety and will be properly supervised at all times.

• Adequate facilities and arrangements will be maintained to enable employees to raise issues of health and safety.

• This document will be regularly monitored to ensure that its objectives are achieved. It will be reviewed and, if necessary, revised in the light of legislative or organisational changes.

Relevant Duties  

AppraiseMe Limited (t/a Credentially) recognises its responsibility under the HSWA 1974 and the Management of Health and Safety at Work Regulations 1999 (MHSWR) to ensure that all reasonable precautions are taken to provide and maintain working conditions which are safe, healthy and compliant with all statutory requirements and codes of practice. Employees and contractors are expected to abide by safety rules, and to have regard to the safety of others within the organisation.

Our policy is, so far as is reasonably practicable, to apply the following:

• Negotiate appropriate risk management measures to reduce any identified risks or hazards to an acceptable level

• Communicate agreed risk management measures to all necessary persons and staff involved and to ensure regular monitoring of risk levels

• Provide and maintain equipment such that it is safe and appropriate to use

• Provide any relevant and appropriate protective equipment or clothing required by staff to perform their role safely

• Arrange for the safe and healthy use, handling, storage and transport of articles and substances

• Provide the information, instruction, training and supervision required to ensure the health and safety, at work, of employees and others

• Control and maintain the organisation’s offices in a safe condition, with appropriate risk assessments and management as above

• Provide a safe means of access to and exit from the place of work

• Maintain a working environment that is safe, healthy and equipped with adequate facilities and arrangements for welfare at work

• Conduct, record and implement the findings from regular risk assessments performed in accordance with Regulation 3 of the MHSWR

• In the event of any accident or incident (such as a near miss) involving injury to anybody, to make a full investigation

• Appoint a Health and Safety Manager.

The Health and Safety Manager for the organisation is our COO (Colin Breavington).

Duties on employees

The successful implementation of this policy requires total commitment from all employees. Each individual has a legal obligation to take reasonable care for their own health and safety, and for the safety of other people who may be affected by either their acts or omissions.

It is the policy of this organisation that, under S.7 of the HSWA 1974, it is the duty of every employee at work:

• To take reasonable care of their own health and safety and those of any other person who may be affected by their acts or omissions at work

• To co-operate with their employer to enable any duty or requirement to be complied with that is either imposed on their employer by or under any relevant statutory provisions.

In addition, no person employed by the organisation shall intentionally or recklessly interfere with or misuse anything provided in the interests of health, safety and welfare in pursuance of any statutory provisions.  

This document sets out the Health & Safety Statement of Appraise Me Limited (t/a Credentially).  

The purpose of this is to encourage the ownership, commitment and compliance at all levels of the business and to provide a framework to establish and review Health and Safety policies, objectives and guidance across the business.

Senior management fully recognises the importance of Health and Safety and is committed to both its legal and moral Health and Safety obligations. The development of a positive safety culture across the business is an essential part of our success and we aim to:

• Maintain compliance with any statutory national laws, regulations or directives placed upon us by external regulatory bodies to continuously manage, develop and improve its Health and Safety related policies, strategies and processes to meet these responsibilities and to achieve industry best practice across the organisation.

• Provide a safe working environment for all employees and contractors.

• Conduct a regular programme of inspections and assessments to assess risk, identify and eliminate unsafe conditions/practices and to control and reduce any hazards found in the working environment.

• Promptly investigate every accident, incident, occupational health issue and near miss to determine their cause and prevent re-occurrence.

• Ensure that this policy statement is communicated and maintained across all levels of the organisation.

• Review and/or revise the Health and Safety policy and statement annually or at times of significant change.

It is also the duty of every employee to exercise reasonable care for the health, safety and welfare of themselves and others who may be affected by:

• their actions or omissions. To report any unsafe act, condition or occurrence at the earliest opportunity.

• respect of Health, Safety and Welfare matters.

• Not to intentionally or recklessly interfere with any rules or equipment provided by the company in the interests of Health, Safety or Welfare.

Accessibility Statement

Effective date:
March 15, 2023
Last edited:
March 15, 2023

We want everyone who wants to use the Credentially web app to feel welcome and find the experience rewarding.

What are we doing?

This site has been built using code compliant with W3C standards for HTML and CSS. The site displays correctly in current browsers and using standards compliant HTML/CSS code means any future browsers will also display it correctly.

To help us make the Credentially website a positive place for everyone, we've been using the Web Content Accessibility Guidelines (WCAG) 2.1. These guidelines explain how to make web content more accessible for people with disabilities, and user friendly for everyone.

The guidelines have three levels of accessibility (A, AA and AAA). We’ve chosen Level AA as the target for the Credentially website.

How are we doing?

We're working hard to achieve our goal of Level AA accessibility and strive to adhere to the accepted guidelines and standards for accessibility and usability. This means, for example, that:

  • people can navigate main parts of our web service using a keyboard;
  • people can zoom in up to 200% without the text spilling off the screen;
  • people with epilepsy can safely use our web service, because we eliminate the risk of seizures resulting from flashing or blinking animations and risky color combinations;
  • our web app is adjusted so that it is accessible to people with the majority of visual impairments, such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others;
  • we avoid using video content for the most important parts of our service, or provide it with captions;
  • we keep required colour combinations across our web app;
  • components that have the same functionality are identified consistently across the web site;
  • etc.

Please be aware that our efforts to maintain accessibility and usability are ongoing and we realise there are some areas that still need improving and it is not always possible to do so in all areas of the website. The following information explains what we're doing to make that happen and exceptions.

2.1.1: Keyboard

The possibility to fully operate through a keyboard will be added in 2023.

2.4.2: Page Titled

Adding topics and descriptions to all pages is in progress.

Please note that our website may link to, or interface with, third party websites that we do not control. These third-party vendors may not have undertaken the efforts that CommunityAmerica has to comply with WCAG-2.0 AA standards.

Let us know what you think

If you enjoyed using the Credentially website, or if you had trouble with any part of it, please get in touch. We'd like to hear from you in any of the following ways:

Skills policy

Effective date:
March 16, 2023
Last edited:
March 16, 2023

The Company aims to adopt policies and practices that will maximise the abilities, skills and experience of all its staff. It encourages a culture where all employees and other non-Company workers are valued and can contribute to our mission to increase the economic prosperity of the people.

The objectives of the Equal Opportunities Policy and Skills Policy are to ensure that all:

  • Credentially’s employees or potential employees do not suffer unfair discrimination in the workplace.
  • Individuals and groups within Credentially work in an environment where all decisions are free of discrimination, where they have equal opportunity based on relevant abilities, skills and merit.
  • Employees are encouraged to take positive action towards promoting equal opportunity throughout the organization.
  • Personnel actions such as compensation, benefits, transfers, layoffs, company-sponsored training programs and social and recreational programs will be administered on a non-discriminatory basis.
  • Application of labour laws to be uniformly applied in the organization.

Privacy Policy

Effective date:
April 25, 2023
Last edited:
April 26, 2023

Last reviewed: 26.04.2023

Appraise Me limited ("we", “us”, “our”) are committed to protecting and respecting your privacy.

This privacy policy (“Privacy Policy”) together with our Terms of Use or Terms and Conditions and any other documents referred to herein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. This Privacy Policy outlines the manner in which we will use personal data collected as a result of you visiting credentially.io and all subdomains, (“Site”), and/or any personal data received from you or third parties more generally.

For the purpose of the Data Protection Legislation (meaning all applicable data protection and privacy legislation, regulations and guidance including Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), Directive (EU) 2016/680 (“the Law Enforcement Directive”, or “LED”), and the Privacy and Electronic Communications (EC Directive) Regulations, Data Protection Act 2018 and any guidance or codes of practice issued by any Regulator from time to time (all as amended, updated or re-enacted from time to time)), the data controller is Credentially (Appraise Me Limited) of WeWork, 30 Churchill Place, London, E14 5RE.

Our data protection officer for the purpose of the Act can be contacted by emailing dpo@credentially.io

Information we may collect from you

We may collect and process the following data about you:

Information you give us. You may give us information about you by filling in forms on our Site or by corresponding with us by phone, email or otherwise. This includes information you provide when you register to use our Site, apps, subscribe to our services or newsletter, add employment and human resource records, submit employment history and credentials for employment checks and verification, search for a product, place an order on our Site, participate in discussion boards or other social media functions on our Site, enter a competition, promotion or survey and when you report a problem with our Site. The information you give us may include your name, address, email address and phone number, financial and credit card information, personal description and photograph, and where required for use of ‘Credentially’, any other data provided by you regarding employment history, occupational health records or criminal record (DBS) checks.

Information we collect about you. With regard to each of your visits to our Site we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. In particular, we will carry out professional registration checks with your regulatory body (such as the General Medical Council or Nursing and Midwifery Council), and reference checks with previous employers.  As a result, we will receive personal data relating to you from those particular third parties. When we collect that data it may be shared internally and combined with other personal data we hold about you (whether collected on this Site or otherwise). We also work closely with third parties (including, for example, business partners, subcontractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

Cookies

We use cookies on our Site to distinguish you from other users of our Site. This helps us to provide you with a good experience when you browse our Site and also allows us to improve the Site. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the Site.

We use persistent cookies and session cookies on our Site. We use persistent cookies to save your login information for future logins to the Site. We use session cookies to enable certain features of the Site, to better understand how you interact with the Site and to monitor aggregate usage by users and web traffic routing on the Site. Unlike persistent cookies, session cookies are deleted from your computer when you log off from the Site and then close your browser.

The section below explains the cookies we use and why we use each of them.

Cookie name: __utma This cookie enables the function of Google Analytics software. This software helps us collect and analyse visitor information such as visitor numbers, pages visited, browsers used and response to marketing activity. This helps us improve the website and its performance.

The data stored by this cookie does not identify people or collect any personal data. Expires in 2 years

Cookie name: __utmb This cookie enables the function of Google Analytics software. This software helps us collect and analyse visitor information such as visitor numbers, pages visited, browsers used and response to marketing activity. This helps us improve the website and its performance.

The data stored by this cookie does not identify people or collect any personal data. Expires in 30 minutes

Cookie name: __utmc This cookie enables the function of Google Analytics software. This software helps us collect and analyse visitor information such as visitor numbers, pages visited, browsers used and response to marketing activity. This helps us improve the website and its performance.

The data stored by this cookie does not identify people or collect any personal data. Expires at the end of the session

Cookie name: __utmz This cookie enables the function of Google Analytics software. This software helps us collect and analyse visitor information such as visitor numbers, pages visited, browsers used and response to marketing activity. This helps us improve the website and its performance.

The data stored by this cookie does not identify people or collect any personal data. Expires in 6 months

You can set up your browser options to stop your computer accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use the whole of the Site or all functionality of the services.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

Uses made of the information

We use information held about you in a range of ways, as set out in further detail below. In doing so, we generally rely on Article 6(1)(b) namely that the processing is necessary for the performance of a contract you have entered into with us, and/or Article 6(1)(f) which relates to processing necessary for the pursuit of Credentially’s or a relevant organisation's legitimate interests. Those interests are the provision of a service to you, which you have actively and voluntarily pursued; or if you are a stakeholder in, or hold a relevant role at an organisation that would benefit from Credentially’s product offering. In all other scenarios we will only do so if we have your specific and positive consent.

Information you give to us. We will use this information:

  • to carry out our obligations arising from any contracts entered into between you and us;
  • to provide you with the information, products and services that you request from us;
  • to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
  • to provide you, if you have consented to us doing so, or permit selected third parties to provide you with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this by ticking the relevant box situated on the form on which we collect your data;
  • to notify you about changes to our service;
  • to ensure that content from our Site is presented in the most effective manner for you and for your computer.

Information we collect about you. We will use this information:

  • to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve our Site to ensure that content is presented in the most effective manner for you and your computer;
  • to allow you to participate in interactive features of our service when you choose to do so;
  • as part of our efforts to keep our Site safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  • to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them (only with consent).

Information we receive from other sources. We may combine this information with information you give to us and the information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

DISCLOSURE OF YOUR INFORMATION

Information we share with third parties. We may share your information with selected third parties including:

  • Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
  • Business partners, suppliers and subcontractors for the performance of any contract we enter into with them or you.
  • Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (for example, we may inform them that 250 women aged over 25 have clicked on their advertisements on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, men living in London). We may make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience.
  • Analytics and search engine providers that assist us in the improvement and optimisation of our Site.
  • Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

Information we disclose to third parties. We may disclose your personal data to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If Appraise Me Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use or Terms and Conditions and/or any other agreements; or to protect our rights, property, safety, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Where we store your personal data

The personal data that we collect from you may be transferred to and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers or partners. Such staff or subcontractors may be engaged in, among other things, the fulfilment of your order, the processing of your payment details or the provision of support services.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. In particular, this means that your personal data will only be transferred to a country that provides an adequate level of protection (for example, where the European Commission has determined that a country provides an adequate level of protection), where the recipient is bound by standard contractual clauses according to the conditions provided by the European Commission (“EU Model Clauses”) or, if neither of those scenarios applies, then only where the transfer is necessary in order to perform the contract we have with you.

Our Site is accessible via the internet and if you choose to upload data from a location outside the EEA then you do so of your own volition and noting any local limitations on internet security which may apply.  

Protection of information

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Site, you are responsible for keeping this password confidential. We ask you not to share any password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your data transmitted to our Site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Links to other websites

Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Your rights

In certain circumstances you have the right under the Data Protection Legislation, free of charge, to request:

  • Access to your personal data.
  • Rectification or deletion of your personal data.
  • A restriction on the processing of your personal data.
  • Object to the processing of your personal data.
  • A transfer of your personal data (data portability).

You can make a request in relation to any of the above rights by writing to us at the contact address given at the end of this Privacy Policy. We will respond to such queries within 30 days and deal with requests we receive from you, in accordance with the provisions of the Data Protection Legislation.

Consent

In specific circumstances where we rely upon your consent to process personal data, as outlined further above, you have the right to withdraw that consent, at any time, by writing to us at the contact address given at the end of this Privacy Policy.

In particular, where we process your personal data for marketing purposes, we will inform you and obtain your opt-in consent (before collecting your personal data) if we intend to use your personal data for such purposes or if we intend to disclose your information to any third party for such purposes. If you change your mind about being contacted in the future, please click on the opt-out options and we will remove you from our mailing lists.

We send push notifications from time to time in order to update you about any service updates, events and promotions we may be running. If you no longer wish to receive these communications, please disable these in the settings on your device.

Data retention

We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. This will be for as long as we provide access to the Site to you, your account with us remains open or any period set out in any relevant contract you have with us. However, we may keep some data after your account is closed or you cease using the Site for the purposes set out below.

After you have closed your account, or ceased using the Site for a period of at least 60 days, we usually delete personal data, however we may retain personal data where reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our Terms of Use or Terms and Conditions, or fulfil your request to “unsubscribe” from further messages from us.

We will retain de-personalised information after your account has been closed.

Please note: After you have closed your account or deleted information from your account, any information you have shared with others will remain visible. We do not control data that other users may have copied from the Site. Your profile may continue to be displayed in the services of others (e.g. search engine results) until they refresh their cache.

Complaints

If you have any complaints about our use of your personal data please contact us as set out at the end of this Privacy Policy or contact our supervisory authority in the UK: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England (“ICO”).

Age of users

This Site is not intended for and shall not be used by anyone under the age of 18.

Changes to our privacy policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Policy. This Privacy Policy was last updated on 25/04/2023 and replaces any other Privacy Policy previously applicable from this date. The previous version of the Privacy Policy can be found at www.credentially.io/terms-policies/privacy-policy-v1

Contact

Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to team@credentially.io