Data is stored securely in Microsoft Azure data centres throughout the world. Data will be held in the data centre nearest to the location of your venues, e.g. for the EU this will be London; for AU, New South Wales; for China, HK; for Asia, Singapore; for North America, Illinois. Data is encrypted at rest and is also encrypted in transit, with all communications over HTTPS. No data leaves the production environment and only qualified personnel have access to the Azure data centres. No data on our UK server is transferred outwith the EEA.
Backup and Security
In terms of security, access to security logs is strictly controlled within our development team. We follow advice from Microsoft as to when security patches should be applied, and we use Cloudflare to monitor for unauthorised intrusion attempts. Authorised support and sales executives have access to your diary; a smaller set of ResDiary staff have administrator access to our network and server infrastructure.
Data is backed up automatically every day. Data cleansing is the responsibility of the restaurant operator. Data-retention policies will be put in place as part of the GDPR work that is currently underway. All access to diaries is controlled by username and password. Each diary may set its own level of password complexity, as required: the minimum password length is 6 characters and the restaurant operator can specify the level of complexity required.
Data can be deleted upon request either by you or by us. Data can only be deleted by ResDiary if a diner booked on resdiary.com or the ResDiary Now app. If a diner booked via social media, a venue’s widget or a venue’s website, then the restaurant must delete that customer’s data. A diner can contact ResDiary at firstname.lastname@example.org to delete their record. We’ve agreed our data retention period will be 18 months.
In the event of a data breach, the point of contact from ResDiary is the Marketing Director, Hari Farzin, who is also our Data Protection Officer. She will invoke the data control procedure with the CEO, Colin Winning, as required. Then we will report the breach to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. We will notify affected venues within 48 hours of becoming aware of the breach.
Please note that consent given does not last forever. Personal information will be retained for the purposes of making a booking and, if diners opt in, marketing. In the case of making a booking, personal data can only be used for a limited time, so you must ensure you have a retention policy in place. For the purposes of marketing, you should ensure you refresh opt-ins on a semi-regular basis.
You will need to:
- review the length of time you keep personal data.
- consider the purpose or purposes you hold the information for when deciding whether (and for how long) to retain it.
- securely delete information that is no longer needed for this purpose or these purposes.
- update, archive, or securely delete information if it goes out of date.
At ResDiary, we’ve agreed our data retention period will be 18 months. This means we will delete ResDiary profiles after 18 months of inactivity. We will be giving you the tools to create your own retention policy. Please note that your policy may be different from ours or other venues, depending on the type of venue you are.