GPOD Data Security & GDPR Compliance
GPOD protects your data and privacy at every level of operation â from shift clocks to wage payouts to regulatory reporting.
Using UK-compliant infrastructure, zero-trust authentication, facial biometric login, and end-to-end encryption, we exceed the standards required by law â not just for workers and employers, but also for councils and institutional investors.
Security Status: Active & Protected
Last Security Audit: April 15, 2025 | Next Scheduled: July 15, 2025
Security Overview
Biometric Authentication
Advanced facial recognition with liveness detection and spoofing prevention secures login and clock-in processes.
End-to-End Encryption
Military-grade AES-256 encryption protects all data in transit and at rest, with unique encryption keys per user session.
Zero-Trust Architecture
Continuous verification and least-privilege access controls ensure no user or system is inherently trusted.
Secure UK Data Storage
All data remains in ISO 27001 certified UK data centers with 24/7 monitoring, physical security, and redundant systems.
GDPR Principles in Action
Lawfulness, Fairness & Transparency
All data processing has a clear legal basis, is fair to data subjects, and is explained in plain language in our privacy notices. Users see exactly when and how their data is used within the GPOD platform.
Purpose Limitation
We only collect data for specified, explicit and legitimate purposes as outlined in our privacy policy. Data is never used for purposes incompatible with those original purposes without explicit consent.
Data Minimisation
We only collect the minimum amount of data necessary for our operations. Our data collection processes are regularly audited to ensure we maintain the principle of collecting only what is needed.
Accuracy
We implement measures to ensure data is accurate and kept up to date, including regular verification processes and simple mechanisms for users to review and correct their personal information.
Storage Limitation
Personal data is kept only for as long as necessary for the purposes for which it was collected. Automatic deletion routines ensure compliance with our retention policies, while respecting legal obligations.
Integrity & Confidentiality
Personal data is processed with appropriate security measures including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, using technical and organizational measures.
Detailed Security & Compliance Information
Data Storage & Backups
UK-Based Infrastructure
All GPOD data is stored exclusively in UK data centers that meet the following criteria:
- ISO 27001 certified environments
- SOC 2 Type II compliance
- 24/7 physical security with biometric access controls
- Fire suppression systems and redundant power
- Regular penetration testing and security audits
Backup Architecture
Our comprehensive backup strategy ensures data resilience and business continuity:
- Real-time database replication with redundant clusters
- Hourly incremental backups for immediate recovery
- Daily full backups stored in physically separate locations
- 30-day backup retention with secure archiving
- Quarterly disaster recovery drills and backup restoration tests
- End-to-end encryption for all backup data
Ransomware Protection
GPOD implements multiple layers of protection against ransomware and other malicious attacks:
- Immutable backup storage that cannot be modified or deleted
- Air-gapped backup copies disconnected from main network
- Automated threat detection and response systems
- Regular security awareness training for all staff
AI Agent Privacy Controls
Privacy-First AI Architecture
GPOD's AI agents (Gabriel, Kira, Shadow) are designed with privacy as a core principle:
- All AI processing occurs on secure, dedicated GPOD servers
- No third-party AI services are used for sensitive user data
- Data minimization principles ensure AI only accesses necessary information
- All AI interactions are logged and fully auditable
- Behavioral nudges are anonymous and designed to preserve privacy
AI Ethics & Compliance Framework
Our AI systems are governed by a comprehensive ethics and compliance framework:
- Weekly audits of AI outputs for compliance with privacy regulations
- Regular retraining on user rights frameworks and privacy principles
- Transparent AI decision-making with human oversight
- Clear opt-out mechanisms for AI-driven features
- Removal of personally identifiable information from training data
AI Data Retention
We implement strict controls on how long AI-related data is retained:
- Behavioral nudge data is stored for a maximum of 30 days
- Performance feedback data is aggregated and anonymized after 60 days
- AI training data is regularly reviewed and cleaned
- Users can request deletion of their AI interaction history
Location Data & Shift Matching
Location Data Collection & Usage
GPOD's approach to location data prioritizes user privacy and data minimization:
- Location data is collected only for specific, legitimate purposes:
- 'Shifts Near Me' feature for discovering work opportunities
- Verification of work location during clock-in/out
- Travel time estimation for shift planning
- Precise location is only collected when actively using relevant features
- Background location tracking is never enabled
- Users can temporarily grant location access for specific functions
Location Data Retention
We implement strict time limits on location data storage:
- General location data is deleted after 72 hours
- Clock-in/out location verification data is retained for 30 days for audit purposes
- Location data required for legal or compliance purposes is stored in a separate, secured database
- All location history is available for review and deletion in user settings
Third-Party Sharing Restrictions
GPOD maintains strict controls on location data sharing:
- Location data is never sold to third parties
- Employers can only access location data during active clock-in/out events
- Aggregated, anonymized location data may be used for service improvement
- Any location data sharing is clearly documented in our privacy policy
Third-Party Access & APIs
Vendor Due Diligence
All third-party service providers undergo a rigorous security and compliance assessment:
- Comprehensive security questionnaire and documentation review
- Verification of compliance with relevant regulations (GDPR, DPA, etc.)
- Assessment of data protection measures and breach notification procedures
- Review of security certifications (ISO 27001, SOC 2, etc.)
- Evaluation of data processing locations and cross-border transfer safeguards
API Security
GPOD implements multiple layers of API security to protect data in transit:
- All APIs require authentication using JWT tokens with short expiration times
- Role-based access control ensures APIs only access authorized data
- Rate limiting protects against brute force and DoS attacks
- API traffic is encrypted using TLS 1.3 with strong cipher suites
- Regular API penetration testing by independent security firms
- Comprehensive API logging for audit and security monitoring
Data Processing Agreements
All third-party relationships involving personal data are governed by formal agreements:
- GDPR-compliant Data Processing Agreements (DPAs) with all service providers
- Clearly defined data processing purposes and limitations
- Explicit obligations regarding data security and breach notification
- Regular compliance verification and right to audit
- Documented sub-processor relationships and safeguards
Data Subject Rights
Right to Access & Portability
GPOD makes it simple for users to access and export their personal data:
- Secure self-service portal for viewing all personal data
- One-click export of data in structured, commonly used formats (CSV, JSON)
- Complete transparency about all data categories collected
- Verification process to ensure secure access to personal information
- Support for formal Subject Access Requests with 30-day response guarantee
Right to Erasure (Right to be Forgotten)
Users can request deletion of their personal data through multiple channels:
- In-app account deletion option with clear explanation of consequences
- Formal erasure request form with verification procedures
- Partial erasure options for specific data categories
- Clear information about data that cannot be deleted due to legal obligations
- Confirmation process after erasure is completed
Rights to Rectification, Restriction, and Objection
GPOD supports additional data subject rights with dedicated processes:
- Self-service tools for correcting inaccurate personal information
- Mechanism to restrict processing of contested data
- Clear opt-out procedures for specific processing activities
- Support for objections to automated decision-making
- Documentation of all requests and actions taken
Response Process & Timeline
We have established a formal process for handling data subject requests:
- Acknowledgment of all requests within 2 business days
- Dedicated Data Protection team for processing requests
- Resolution of most requests within 14 days (maximum 30 days)
- Notification if extension is needed for complex requests
- Regular training for staff handling data subject requests
Documentation & Reporting
Record of Processing Activities
GPOD maintains comprehensive documentation of all data processing activities:
- Detailed inventory of all personal data processing activities
- Documentation of purposes, data categories, and retention periods
- Mapping of data flows and third-party transfers
- Regular review and updates to processing records
- Availability for regulatory inspection when required
Breach Detection & Reporting
We have implemented robust processes for security incident management:
- Automated systems for detecting potential security incidents
- 24/7 security monitoring with alerting capabilities
- Formal incident response plan with defined roles and responsibilities
- 72-hour ICO notification process for qualifying breaches
- Communication templates and procedures for notifying affected individuals
- Post-incident review process to prevent recurrence
Compliance Reporting
GPOD generates regular compliance reports for internal and external stakeholders:
- Monthly data protection compliance dashboards
- Quarterly security assessment reports
- Annual GDPR compliance audit with action plans
- Regular reporting to leadership on privacy metrics
- Customized compliance reports for enterprise clients and councils
Institutional Readiness
Enterprise-Grade Security
GPOD's security infrastructure is designed to meet the requirements of even the most security-conscious organizations:
- Enterprise-level encryption standards for data at rest and in transit
- Support for single sign-on (SSO) and SAML integration
- Role-based access control with granular permission settings
- Security Information and Event Management (SIEM) integration
- Compliance with industry security frameworks (NIST, CIS, ISO)
Council & Public Sector Compliance
We ensure compatibility with public sector security and procurement requirements:
- Alignment with UK Government Cyber Essentials Plus certification
- Compliance with Digital Marketplace security requirements
- Support for Public Sector Network (PSN) connectivity standards
- Documentation packages for council IT security reviews
- Processes aligned with National Cyber Security Centre guidance
Financial Institution Requirements
GPOD meets the stringent security requirements of financial institutions:
- PCI DSS compliance for payment card handling
- Support for enhanced due diligence processes
- Rigorous third-party risk management processes
- Comprehensive security documentation for financial audits
- Resilient business continuity and disaster recovery plans
User Transparency
Privacy Information & Notices
GPOD provides clear, accessible information about data practices:
- Comprehensive privacy policy in plain, understandable language
- Layered privacy notices tailored to different user groups
- Just-in-time notifications for specific data collection moments
- Visual privacy summaries and infographics
- Regular privacy updates communicated to users
User Data Dashboards
Users have access to transparent information about their data:
- Personal data dashboard showing all data categories held
- Activity logs detailing system interactions
- Behavioural nudge history and badge summaries
- Location access logs and history
- Data sharing transparency reports
Consent Management
GPOD provides robust tools for managing consent preferences:
- Granular consent options for different processing activities
- Easy-to-use consent management interface
- Clear record of consent history and changes
- Ability to withdraw consent at any time
- Regular consent refresh requests for long-term processing
Security Certifications & Compliance
ISO 27001 Certified
Information security management system certified to international standards
Cyber Essentials Plus
UK government-backed certification for cyber security excellence
ICO Registered
Registered with UK Information Commissioner's Office for data protection
GDPR Compliant
Fully compliant with General Data Protection Regulation requirements
Security & Compliance Timeline
April 2025
Completed annual ISO 27001 certification renewal with zero non-conformities
February 2025
Implemented enhanced biometric authentication with liveness detection
December 2024
Successfully completed penetration testing with independent security firm
October 2024
Achieved Cyber Essentials Plus certification
July 2024
Updated data protection impact assessments for all processing activities
May 2024
Implemented enhanced zero-trust architecture across all systems
Our Data Protection Team
GPOD maintains a dedicated data protection team led by our Data Protection Officer (DPO). This team is responsible for ensuring compliance with data protection regulations, responding to data subject requests, and continuously improving our security practices.
Contact Our Data Protection Officer
For questions about data protection, privacy concerns, or to submit a data subject request, please contact our DPO:
Responsibilities
- Monitoring compliance with data protection regulations
- Conducting data protection impact assessments
- Providing advice and training on data protection
- Serving as the point of contact for data subjects
- Liaising with supervisory authorities
- Maintaining records of processing activities
Commitment to Excellence
- Regular professional development and certification
- Staying updated on regulatory changes and best practices
- Independent status within the organization
- Direct reporting line to executive leadership
- Collaboration with industry working groups and forums
- Regular internal audits and continuous improvement
Frequently Asked Questions
How is my personal data protected when using GPOD?
GPOD protects your personal data through multiple layers of security measures:
- End-to-end encryption for all data in transit and at rest
- Biometric authentication with facial recognition
- Zero-trust architecture requiring continuous verification
- Data stored in secure UK-based data centers with ISO 27001 certification
- Regular security audits and penetration testing
- Strict access controls with principle of least privilege
- Comprehensive monitoring and threat detection systems
Our security measures exceed industry standards and are regularly updated to address emerging threats.
How does GPOD use my location data?
GPOD uses location data for specific, limited purposes:
- The "Shifts Near Me" feature uses your location to find work opportunities in your vicinity
- Location verification during clock-in/out confirms you're at the designated work site
- Travel time estimation helps with shift planning and scheduling
Important privacy protections for location data include:
- Location data is only collected when you're actively using relevant features
- We never enable background location tracking
- General location data is deleted after 72 hours
- Location data is never sold to third parties
- You can review and delete your location history in your account settings
How do I access or delete my personal data?
GPOD makes it easy to exercise your data subject rights:
To access your data:
- Log in to your GPOD account
- Go to Settings > Privacy & Data
- Select "Download My Data"
- Choose the data categories you want to export
- Verify your identity with facial recognition
- Receive your data in a structured, machine-readable format
To delete your data:
- Log in to your GPOD account
- Go to Settings > Privacy & Data
- Select "Delete My Data"
- Choose between partial deletion (specific categories) or complete account deletion
- Verify your identity with facial recognition
- Receive confirmation once deletion is complete
Alternatively, you can contact our Data Protection Officer at dpo@gpod.uk to submit a formal data subject request.
How does facial recognition work in GPOD?
GPOD uses facial recognition technology for secure authentication and clock-in verification:
How it works:
- During onboarding, you create a secure facial template (not an actual photo)
- This template is encrypted and stored securely on our servers
- When you log in or clock in, a new scan is compared to your stored template
- Liveness detection ensures it's really you and not a photo or video
- The system confirms your identity without storing the new scan
Privacy safeguards:
- Biometric templates cannot be reverse-engineered into facial images
- Templates are encrypted with keys unique to each user
- You can delete your biometric data at any time
- Alternative authentication methods are available if preferred
- Facial recognition processing occurs on secure GPOD servers, not third-party services
What security certifications does GPOD have?
GPOD maintains several key security certifications and compliance validations:
- ISO 27001: Certified information security management system meeting international standards
- Cyber Essentials Plus: UK government-backed certification for robust cyber security measures
- ICO Registration: Registered with the UK Information Commissioner's Office as a data controller
- GDPR Compliance: Independently verified compliance with General Data Protection Regulation
- Penetration Testing: Regular security testing by independent security firms
- SOC 2 Type II: Service Organization Control reporting for security, availability, and confidentiality
These certifications are maintained through regular audits and assessments, ensuring our security measures remain at the highest standards.
How does GPOD handle data breaches?
GPOD has a comprehensive data breach response plan that includes:
- Detection: Advanced monitoring systems to quickly identify potential breaches
- Assessment: Rapid evaluation to determine scope, impact, and affected data
- Containment: Immediate steps to contain the breach and prevent further data exposure
- Notification: Timely reporting to regulators (within 72 hours) and affected individuals
- Investigation: Thorough analysis to understand cause and impact
- Remediation: Actions to address vulnerabilities and prevent recurrence
Our breach notification process includes clear, plain-language information about:
- The nature of the breach and types of data affected
- Potential consequences for data subjects
- Measures taken to address the breach
- Steps individuals can take to protect themselves
- Contact information for additional questions
Contact Our Data Protection Team
Our Data Protection team is ready to help with any questions or concerns about your data privacy and security. Whether you're reviewing GPOD as a tech partner, council funder, regulator, or user, we welcome your inquiries.
Response Commitment: We aim to acknowledge all inquiries within 2 business days and provide a substantive response within 5 business days. For formal data subject requests, we'll respond within the statutory timeframe (typically 30 days).
Data Security & GDPR Policy | Last Updated: April 15, 2025
Š 2025 GPOD.UK Ltd. All rights reserved.