Security and GDPR
 
Security of your data is our first priority and this page outlines some of our operating procedures and security practices.
 
Definitions
We, our, us - Lodge Manager (Mint Solutions UK Ltd).
 
You, your, user - a person logging on via the Lodge Manager login page.
 
Support team - our employees or contractors who have access to provide support to you.
 
Confidentiality
We place strict access controls over your data and are committed to ensuring that nobody has access to your data that shouldn't.
 
If you contact our support team, you will grant them temporary access to your Membership information so that they can provide support to you. Members of our support team are vetted and have strict rules and controls about what they can do with their access, and their usage is monitored. They cannot access your section(s) unless you contact support.
 
We will only access your information to either contact you to notify you of system maintainence or for the purposes of sending a subscription bill.
 
Security Features
Logging
Usage of our system by users is logged. We track every login, including the time. 
 
Access
We have a password policy requiring passwords to be at least 8 characters with two different types of characters. Passwords are stored using a non-reversible method.
 
If users forget their credentials, they can only reset their password after receiving an email with a link to reset their password. They are then sent a temporary password which they have to change after loggin in.
 
Users are automatically logged out of the system after a period of inactivity.
 
Users are encouraged to periodically review their access control lists to ensure fellow users have the right access.
 
Infrastructure
Physical Locations
Our data is hosting in an EU datacentre and backups are taken of the database.
 
All administrative users (those with secretary rights) are responsible for keeping copies of their documents and are setup to receive a monthly email backup of the the member information in CSV format. They can stop this feature by logging into the system and updating their settings.
 
Data
We do not share personal data to third-parties with the exception of email providers.
 
We are not responsible for the data that users add within the system, including its accuracy. This includes, but is not limited to, contents of external links, activities, emails, downloads and attachments.
 
The system automatically removes data held on the device when the user no longer has access to the section. In the event of a device being lost, users can contact our support team to tell the device to remove its data when it is next used online.
 
A lodge or chapters members data will be removed up to 6 months after their trial has expired or they no longer wish to use the service i.e. lapsed payment. We can of course remove their membership data sooner if they request this.
 
Encryption
Our data is encrypted in transit and at rest.
 
Database backups are encrypted individually and off-site backups have full-disk encryption too.
 
Our employees' computers have full-disk encryption (although your data is not stored on employees' devices).
 
Firewalls and Software Patching
Firewalls are configured according to industry best practices and all unnecessary ports are blocked.
 
Our server provider performs automated network vulnerability scanning and software patching.
 
Backups
System-wide backups are held for a period of six months.
 
Legal Jurisdiction
We operate under the laws of England and Wales.
 
Data Subject Rights (GDPR)
Breach Notification
We will notify our administrative users of any breach of data via email within 72hrs of identifying the breach.
 
Right to Access
Users are able to download information about members if required, and the support team can provide assistance if the downloads are not sufficient.
 
Right for Erasure
Users are able to delete all personal data with the exception of the audit trail. Users can contact the support team for 'Right for Erasure' requests.
 
Also we will delete a users data 
 
Data Portability
Admin Users (with secretary rights) can download personal information abouth their membership in a spreadsheet format.
 
Privacy by Design
Our system is always designed with privacy as our top priority. Features are tested manually by our expert development teams, automatically as part of the development & deploy process, and through external security audits.
 
GDPR compliance
Lodge Manager is GDPR compliant - see above for details of technical and organisational security measures.
 
Personal data search
Lodge Manager allows you to view members you have access to, subject to your permission levels.
 
Personal data deletion
Lodge Manager can delete all member data on request from a lodge but if a member is a member in another lodge using the system, the user data will not be fully removed unless requested by that user.