GDPR

• DocMonster will comply with the GDPR when it becomes enforceable on May 25, 2018.
• Data Protection Officer: support@docmonster.co.uk

Data Security

• All your personal data is protected using an industry standard Advanced Encryption Standard (AES-256) encryption algorithm to encrypt data in transfer and at rest.
• Our servers are protected by fully managed Amazon Web Services firewalls.
• Only key technical staff have direct access to our servers.
• Backoffice systems have user based access control and a full audit history.
• All employees and contractors are required to sign a confidentiality or non-disclosure agreements.
• Server software is updated daily to ensure we have all the security latest patches.
• Cyber insurance policy is provided by Hiscox.
• Servers are regularly tested using a industry standard PCI security scan.

Data Location

• Our servers are hosted by Amazon Web Services in their EU Ireland datacenter.
• Security documentation: https://aws.amazon.com/security/
• Compliance documentation: https://aws.amazon.com/compliance/

Your Data

• The personally identifiable data we hold on our system; Name, Address, Telephone Number, Email Address & Last IP Address.
• All data relating to card payments is processed by our payment provider Sagepay UK (www.sagepay.co.uk) using a industry standard secure token system.
• Data contained within the DocMonster repository itself is encrypted.
• We do not share or transfer your data to any 3rd party.

Data Retention

• Your personal data is retained for 5 years from termination of contract, unless the data controller requests removal.
• Your personal data is retained for our company accounting records, and also to allow customers to reactivate thier account.
• To request removal of personal data please email our Data Protection Officer (DPO). Email: support@docmonster.co.uk

Trusted Device Cookie Policy

DocMonster uses a Trusted Device cookie as part of its Two-Factor Authentication (2FA) process to enhance user convenience while maintaining security.

If a user opts to trust their device, a secure cookie is stored in their browser, allowing them to bypass 2FA on that device for a limited period. This cookie is linked to the user’s account and expires automatically after the set duration.

Users can manage and revoke trusted devices at any time from their account settings. Expired records are automatically removed as part of routine security maintenance.