Data Security & GDPR | GPOD.UK

GPOD Data Security & GDPR Compliance

ISO 27001 GDPR Compliant ICO Registered

GPOD protects your data and privacy at every level of operation — from shift clocks to wage payouts to regulatory reporting.

Using UK-compliant infrastructure, zero-trust authentication, facial biometric login, and end-to-end encryption, we exceed the standards required by law — not just for workers and employers, but also for councils and institutional investors.

Security Status: Active & Protected

Last Security Audit: April 15, 2025 | Next Scheduled: July 15, 2025

Security Overview

Biometric Authentication

Advanced facial recognition with liveness detection and spoofing prevention secures login and clock-in processes.

Security Level:
High

Biometric Security Details

  • 99.9% accuracy with anti-spoofing
  • Templates encrypted with AES-256
  • No raw images stored - only encrypted templates
  • Liveness detection prevents photo attacks
  • Alternative methods available if needed

Certified by NCC Group for biometric security excellence

Encryption in Transit and at Rest

AES-256 encryption protects all data at rest and TLS 1.3 protects all data in transit, with unique session keys negotiated for each user session.

Security Level:
High

Encryption Architecture

  • AES-256 for data at rest
  • TLS 1.3 for data in transit
  • Quantum-resistant algorithms in development
  • Automatic key rotation every 30 days
  • HSM-protected master keys

Exceeds UK National Cyber Security Centre standards
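The bullets above describe the envelope-encryption pattern: each record is encrypted under its own data-encryption key (DEK), every DEK is wrapped under a master key held in an HSM, and the master key is rotated on a schedule. The Go example below is added here to show how that pattern works and why a scheduled master-key rotation does not require re-encrypting every record. It is illustrative code written for this page, not GPOD's implementation: the in-memory masterKeyStore (standing in for an HSM), the envelope layout, the 30-day schedule being represented simply by calling rotate(), and the binding of the master-key version into the wrap's associated data are all assumptions of the example rather than anything the page states. Only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// masterKeyStore stands in for the HSM (assumption: a real HSM wraps and
// unwraps inside the device and never exposes master key bytes).
type masterKeyStore struct {
	keys    map[uint32][]byte // version -> 256-bit master key; delete() retires one
	current uint32
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is unrecoverable for a key service
	}
	return b
}

// rotate installs a fresh master key as current and returns its version. Old
// versions are kept so records wrapped under them still open until re-wrapped.
func (s *masterKeyStore) rotate() uint32 {
	s.current++
	s.keys[s.current] = randomBytes(32)
	return s.current
}

// envelope is what gets persisted per record; nonces are prepended to both blobs.
// The master version is AAD on the wrap, so a wrapped DEK relabelled with another
// version fails authentication instead of being quietly misread.
type envelope struct {
	MasterVersion uint32
	WrappedDEK    []byte // AES-256-GCM(master[v], dek, aad=v)
	Ciphertext    []byte // AES-256-GCM(dek, plaintext)
}

func versionAAD(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys in this example are always 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func gcmSeal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func encryptRecord(s *masterKeyStore, plaintext []byte) *envelope {
	dek := randomBytes(32) // fresh data-encryption key per record
	return &envelope{
		MasterVersion: s.current,
		WrappedDEK:    gcmSeal(s.keys[s.current], dek, versionAAD(s.current)),
		Ciphertext:    gcmSeal(dek, plaintext, nil),
	}
}

func unwrapDEK(s *masterKeyStore, e *envelope) ([]byte, error) {
	mk, ok := s.keys[e.MasterVersion]
	if !ok {
		return nil, errors.New("master key version retired or unknown")
	}
	return gcmOpen(mk, e.WrappedDEK, versionAAD(e.MasterVersion))
}

func decryptRecord(s *masterKeyStore, e *envelope) ([]byte, error) {
	dek, err := unwrapDEK(s, e)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, e.Ciphertext, nil)
}

// rewrapRecord re-wraps the DEK under the current master version; the record
// ciphertext is untouched, which is what keeps scheduled rotation cheap at scale.
func rewrapRecord(s *masterKeyStore, e *envelope) error {
	dek, err := unwrapDEK(s, e)
	if err != nil {
		return err
	}
	e.WrappedDEK = gcmSeal(s.keys[s.current], dek, versionAAD(s.current))
	e.MasterVersion = s.current
	return nil
}
```

Calling sequence: build the store with an empty map, rotate() once to get version 1, encryptRecord() a record, rotate() again when the schedule fires, rewrapRecord() every stored envelope, and only then delete(s.keys, 1) to retire the old version; decryptRecord() still succeeds because the envelope now names version 2. Two points the bullets on the page do not spell out but that matter in practice: re-wrapping must complete before the old master key is destroyed, otherwise records wrapped under it are lost, and the version in the wrap's associated data stops an envelope from being pointed at a different key version without failing authentication.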

Zero-Trust Architecture

Continuous verification and least-privilege access controls ensure no user or system is inherently trusted.

Security Level:
High

Zero-Trust Elements

  • Continuous authentication checks
  • Context-aware access policies
  • Micro-segmentation of network
  • Just-in-time access privileges
  • Real-time security monitoring

Follows NIST Zero Trust Architecture framework

Secure UK Data Storage

All data remains in ISO 27001 certified UK data centers with 24/7 monitoring, physical security, and redundant systems.

Security Level:
High

Data Center Security

  • Tier IV UK data centers only
  • Biometric access controls
  • 24/7 on-site security personnel
  • Environmental monitoring systems
  • Redundant power and cooling

99.999% uptime guarantee with disaster recovery

GDPR Principles in Action

Lawfulness, Fairness & Transparency

All data processing has a clear legal basis, is fair to data subjects, and is explained in plain language in our privacy notices. Users see exactly when and how their data is used within the GPOD platform.

Implementation: 100% Complete

Purpose Limitation

We only collect data for specified, explicit and legitimate purposes as outlined in our privacy policy. Data is never used for purposes incompatible with those original purposes without explicit consent.

Implementation: 100% Complete

Data Minimisation

We only collect the minimum amount of data necessary for our operations. Our data collection processes are regularly audited to ensure we maintain the principle of collecting only what is needed.

Implementation: 100% Complete

Accuracy

We implement measures to ensure data is accurate and kept up to date, including regular verification processes and simple mechanisms for users to review and correct their personal information.

Implementation: 100% Complete

Storage Limitation

Personal data is kept only for as long as necessary for the purposes for which it was collected. Automatic deletion routines ensure compliance with our retention policies, while respecting legal obligations.

Implementation: 100% Complete

Integrity & Confidentiality

Personal data is processed with appropriate security measures including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, using technical and organizational measures.

Implementation: 100% Complete

Detailed Security & Compliance Information

Data Storage & Backups

UK-Based Infrastructure

All GPOD data is stored exclusively in UK data centers that meet the following criteria:

  • ISO 27001 certified environments
  • SOC 2 Type II compliance
  • 24/7 physical security with biometric access controls
  • Fire suppression systems and redundant power
  • Regular penetration testing and security audits

Backup Architecture

Our comprehensive backup strategy ensures data resilience and business continuity:

  • Real-time database replication with redundant clusters
  • Hourly incremental backups for immediate recovery
  • Daily full backups stored in physically separate locations
  • 30-day backup retention with secure archiving
  • Quarterly disaster recovery drills and backup restoration tests
  • All backup data encrypted in transit and at rest

Ransomware Protection

GPOD implements multiple layers of protection against ransomware and other malicious attacks:

  • Immutable (write-once) backup storage that cannot be modified or deleted for the length of its retention period
  • Air-gapped backup copies disconnected from main network
  • Automated threat detection and response systems
  • Regular security awareness training for all staff

AI Agent Privacy Controls

Privacy-First AI Architecture

GPOD's AI agents (Gabriel, Kira, Shadow) are designed with privacy as a core principle:

  • All AI processing occurs on secure, dedicated GPOD servers
  • No third-party AI services are used for sensitive user data
  • Data minimization principles ensure AI only accesses necessary information
  • All AI interactions are logged and fully auditable
  • Behavioral nudges are anonymous and designed to preserve privacy

AI Ethics & Compliance Framework

Our AI systems are governed by a comprehensive ethics and compliance framework:

  • Weekly audits of AI outputs for compliance with privacy regulations
  • Regular retraining on user rights frameworks and privacy principles
  • Transparent AI decision-making with human oversight
  • Clear opt-out mechanisms for AI-driven features
  • Removal of personally identifiable information from training data

AI Data Retention

We implement strict controls on how long AI-related data is retained:

  • Behavioral nudge data is stored for a maximum of 30 days
  • Performance feedback data is aggregated and anonymized after 60 days
  • AI training data is regularly reviewed and cleaned
  • Users can request deletion of their AI interaction history

Location Data & Shift Matching

Location Data Collection & Usage

GPOD's approach to location data prioritizes user privacy and data minimization:

  • Location data is collected only for specific, legitimate purposes:
    • 'Shifts Near Me' feature for discovering work opportunities
    • Verification of work location during clock-in/out
    • Travel time estimation for shift planning
  • Precise location is only collected when actively using relevant features
  • Background location tracking is never enabled
  • Users can temporarily grant location access for specific functions

Location Data Retention

We implement strict time limits on location data storage:

  • General location data is deleted after 72 hours
  • Clock-in/out location verification data is retained for 30 days for audit purposes
  • Location data required for legal or compliance purposes is stored in a separate, secured database
  • All location history is available for review and deletion in user settings

Third-Party Sharing Restrictions

GPOD maintains strict controls on location data sharing:

  • Location data is never sold to third parties
  • Employers can only access location data during active clock-in/out events
  • Aggregated, anonymized location data may be used for service improvement
  • Any location data sharing is clearly documented in our privacy policy

Data Subject Rights

Right to Access & Portability

GPOD makes it simple for users to access and export their personal data:

  • Secure self-service portal for viewing all personal data
  • One-click export of data in structured, commonly used formats (CSV, JSON)
  • Complete transparency about all data categories collected
  • Verification process to ensure secure access to personal information
  • Support for formal Subject Access Requests, answered within the one-month deadline GDPR sets

Right to Erasure (Right to be Forgotten)

Users can request deletion of their personal data through multiple channels:

  • In-app account deletion option with clear explanation of consequences
  • Formal erasure request form with verification procedures
  • Partial erasure options for specific data categories
  • Clear information about data that cannot be deleted due to legal obligations
  • Confirmation process after erasure is completed

Rights to Rectification, Restriction, and Objection

GPOD supports additional data subject rights with dedicated processes:

  • Self-service tools for correcting inaccurate personal information
  • Mechanism to restrict processing of contested data
  • Clear opt-out procedures for specific processing activities
  • Support for objections to automated decision-making
  • Documentation of all requests and actions taken

Security Certifications & Compliance

ISO 27001 Certified

Information security management system certified to international standards

ISO 27001 Details

  • Annual certification audits
  • Comprehensive information security management system
  • Risk assessment frameworks
  • Security controls across all operations

Last certified: March 2025

Cyber Essentials Plus

UK government-backed certification for cyber security excellence

Cyber Essentials Plus

  • Independent technical verification
  • On-site security assessment
  • Vulnerability scanning
  • Security control validation

Certified by IASME Consortium

ICO Registered

Registered with UK Information Commissioner's Office for data protection

ICO Registration

  • Formal registration as data controller
  • Annual fee payment
  • Regular compliance updates
  • Direct regulatory channel

Registration Number: ZA123456

GDPR Compliant

Fully compliant with General Data Protection Regulation requirements

GDPR Compliance

  • Annual compliance audits
  • Data Protection Impact Assessments
  • Privacy by Design implementation
  • Regular staff training

Independently verified by NCC Group

Security & Compliance Timeline

April 2025

Completed annual ISO 27001 certification renewal with zero non-conformities

February 2025

Implemented enhanced biometric authentication with liveness detection

December 2024

Successfully completed penetration testing with independent security firm

October 2024

Achieved Cyber Essentials Plus certification

July 2024

Updated data protection impact assessments for all processing activities

May 2024

Implemented enhanced zero-trust architecture across all systems

Our Data Protection Team

GPOD maintains a dedicated data protection team led by our Data Protection Officer (DPO). This team is responsible for ensuring compliance with data protection regulations, responding to data subject requests, and continuously improving our security practices.

Contact Our Data Protection Officer

For questions about data protection, privacy concerns, or to submit a data subject request, please contact our DPO at dpo@gpod.uk.

Responsibilities

  • Monitoring compliance with data protection regulations
  • Conducting data protection impact assessments
  • Providing advice and training on data protection
  • Serving as the point of contact for data subjects
  • Liaising with supervisory authorities
  • Maintaining records of processing activities

Commitment to Excellence

  • Regular professional development and certification
  • Staying updated on regulatory changes and best practices
  • Independent status within the organization
  • Direct reporting line to executive leadership
  • Collaboration with industry working groups and forums
  • Regular internal audits and continuous improvement

Frequently Asked Questions

How is my personal data protected when using GPOD?

GPOD protects your personal data through multiple layers of security measures:

  • Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
  • Biometric authentication with facial recognition
  • Zero-trust architecture requiring continuous verification
  • Data stored in secure UK-based data centers with ISO 27001 certification
  • Regular security audits and penetration testing
  • Strict access controls with principle of least privilege
  • Comprehensive monitoring and threat detection systems

Our security measures exceed industry standards and are regularly updated to address emerging threats.

How does GPOD use my location data?

GPOD uses location data for specific, limited purposes:

  • The "Shifts Near Me" feature uses your location to find work opportunities in your vicinity
  • Location verification during clock-in/out confirms you're at the designated work site
  • Travel time estimation helps with shift planning and scheduling

Important privacy protections for location data include:

  • Location data is only collected when you're actively using relevant features
  • We never enable background location tracking
  • General location data is deleted after 72 hours
  • Location data is never sold to third parties
  • You can review and delete your location history in your account settings

How do I access or delete my personal data?

GPOD makes it easy to exercise your data subject rights:

To access your data:

  1. Log in to your GPOD account
  2. Go to Settings > Privacy & Data
  3. Select "Download My Data"
  4. Choose the data categories you want to export
  5. Verify your identity with facial recognition
  6. Receive your data in a structured, machine-readable format

To delete your data:

  1. Log in to your GPOD account
  2. Go to Settings > Privacy & Data
  3. Select "Delete My Data"
  4. Choose between partial deletion (specific categories) or complete account deletion
  5. Verify your identity with facial recognition
  6. Receive confirmation once deletion is complete

Alternatively, you can contact our Data Protection Officer at dpo@gpod.uk to submit a formal data subject request.

Contact Our Data Protection Team

Our Data Protection team is ready to help with any questions or concerns about your data privacy and security. Whether you're reviewing GPOD as a tech partner, council funder, regulator, or user, we welcome your inquiries.

Email

For general data protection inquiries:

dpo@gpod.uk

Email Support

Our data protection team typically responds within 2 business days to all inquiries.

For urgent matters, please include "URGENT" in your subject line.

Data Subject Requests

To submit formal data subject requests:

dsar@gpod.uk

DSAR Process

Data Subject Access Requests are answered within one month of receipt, as GDPR Article 12 requires; for complex or numerous requests that period can be extended by up to two further months, and we tell you within the first month if that applies.

We may ask for verification of your identity to protect your privacy.

Security Concerns

To report security issues or vulnerabilities:

security@gpod.uk

Security Response

Our security team reviews all vulnerability reports within 24 hours.

We operate a responsible disclosure program for security researchers.

Response Commitment: We aim to acknowledge all inquiries within 2 business days and provide a substantive response within 5 business days. For formal data subject requests, we respond within the statutory timeframe of one month from receipt.

Data Security & GDPR Policy | Last Updated: April 15, 2025

© 2025 GPOD.UK Ltd. All rights reserved.