Third Party Use Of Data

Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

Yes. Commonplace operates a documented Supplier Security Policy that ensures providers have appropriate controls in place within their organisation. Terms of service / contracts are checked, and reviews are completed in a standard template to confirm that they contain all necessary clauses relating to information security and data protection, with appropriate mechanisms for reporting, including Data Processing Agreements (DPAs) and Standard Contractual Clauses (where applicable).

Customer information, while residing on third party services (AWS, MongoDB, SendGrid), is not accessible to the providers and in all cases is transferred using secure mechanisms such as HTTPS.

Critical suppliers are reviewed annually to verify the maintenance of certifications (such as ISO 27001) and continued resilience (any incidents, failures, etc.). Where an incident affects Commonplace services or customer information, immediate reviews of provision are undertaken.

As a small company, we have a limited ability to influence the contracts and operations of large-scale suppliers. Therefore, the approach is to ensure that supplier agreements contain all the necessary provisions to meet our information security requirements.