With GDPR just around the corner, we've put together this FAQ to clarify some points from a Tonic perspective.
The important thing to remember is that GDPR is mainly focused on data accessibility, and while we provide the system to you, we have no say in how you actually use it (e.g. staff logins, access to reporting, data security policy, etc.). So please feel free to come to us if you would like any further data protection features created or activated.
- Where is the data located? Tonic CRM product data is hosted securely in the cloud within the EU, including both local and remote backups. Each client has 1 physical server that contains their active installation, and these are compartmentalised from every other Tonic installation. Each server has a dedicated firewall, IDS and DDoS mitigation system.
- Who can access the system? Anyone with a Tonic CRM username and password can access the system. Clients also have the option, on request, to whitelist the system to specific IP addresses, ensuring that access from any other location is forbidden. Access can be revoked at any time on a User, Introducer or IP basis.
- Who can see customer data? Tonic has 3 distinct user account levels with varying access permissions; a basic user has absolutely no reporting access. This is split further by "introducer" access, which limits a supplier's access to only the information they themselves have provided.
- What is logged? User login dates, times and locations are logged by default, as are changes to accounts. Clients can also request that we turn on user activity logging (page activity, accounts viewed and logout times); however, this is disabled by default.
- Anything else? Tonic is a bespoke system, so clients have also requested other changes, such as PCI compliance logging, detailed account changelogs and data obfuscation.