Privacy & Security

OVERVIEW:

This policy discusses the information captured and stored by MRO-PRO, and the measures taken to ensure that information and data remain secure.


DEFINITIONS:

APP: software application as utilised on mobile Android or iOS platforms.

AWS: Amazon Web Services

Cloud: on-demand availability of computer system resources without direct active management by the user.

Database: a structured set of data held in a computer and utilised by MRO-PRO APPs, or WEB-APP.

End User: an individual end User of MRO-PRO. E.g., a user account created by an MRO using MRO-PRO 

Host: the provider of the instances involved in running the applications and or Database.

Instance: a server running an application.

MRO: a Maintenance, Repair, or Overhaul (MRO) organisation set up as a user / customer of MRO-PRO.

MRO-PRO: Software owned and operated by MRO Professional Consulting

WEB-APP: an application accessed and utilised through a web browser.


1 – PURPOSE:

This document acts in support of the MRO Professional Consulting Ltd – MRO-PRO Software as a Service (SaaS) Subscription agreement to provide an understanding of the information captured and retained within the systems supporting MRO-PRO, and of the measures taken in relation to information privacy and security.

2 – PRIVACY:

MRO-PRO retains the information its users provide it with. Once an MRO organisation is set up, it begins populating data, or information, in the system. The kind of information collected, why it is collected, where it is stored, how it is used and who it is shared with is detailed in the following sections of this policy.

What information is collected?

An MRO populates information in MRO-PRO through the APP or WEB-APP. This information varies greatly in its content; however, broadly speaking, it contains much of the information required to operate and manage the MRO's processes. In greater detail, such information includes:

  • Staff personal data – Names, emails, work locations, budget codes and phone numbers
  • Staff compliance data – Training certificates, competency assessments, approvals and recency records
  • Customer data – Airlines, commercial rates and caps, email addresses and contract numbers
  • MRO records – Airline maintenance records and their location of completion
  • Management data – Procedures, vehicle inspection logs, station inspection records and handover logs
  • Communication data – Messages and read & signs sent between users and or groups in the application
  • Stores data – Tooling and parts inputted into the system

The list above is not exhaustive. In the course of utilising MRO-PRO the MRO is inputting data. The quality and quantity of the data inputted are the sole responsibility of the MRO.

How is information collected?

MRO-PRO receives information as the MRO utilises the software. In this respect, it is clear at the time of capture how the information is collected, through the user completing a form, or inputting information. However, information is also captured through the use of a device’s camera and GPS location. The camera of a device running the APP is frequently used by a user in capturing images of maintenance records, defects, or inspected items. Further, each report is catalogued and filed with a GPS tag from the device’s GPS location at the time of the event. Therefore, APP usage and location information are collected.

Why is information collected?

Information collected by MRO-PRO is done so for the sole purpose of aiding an MRO in managing its business. MRO-PRO analyses the data inputted by the MRO and presents it back to that MRO in a manner that assists the MRO in efficiently and effectively managing its business to drive compliance and performance.

Where is information stored?

MRO-PRO utilises AWS to Host and store information. Host instances and Cloud storage locations are chosen within the EEC (European Economic Community). Sub-processing functions, such as support and backup, may involve contracted third parties with staff located outside of the EEC. Third parties are contracted under substantially similar GDPR terms to those established in the MRO-PRO SaaS contract. MRO Professional Consulting remains fully liable for all acts or omissions of any third-party processor appointed by it.

Who is information shared with?

Information collected is confidential and is not shared beyond MRO-PRO’s administrators and its contracted service providers. MRO-PRO’s contracted providers are those directly involved in the service provision and are discussed in the section that follows.

Third parties with access to information

Two types of third-party services are contracted to perform services directly involved in the provision of MRO-PRO. These are Hosting Services and Development & Support Services.

Hosting Services: MRO-PRO is Hosted utilising AWS under AWS terms and conditions. AWS is a trusted Host to many blue-chip organisations. Further information on AWS’ data privacy policies can be found on their FAQ page: https://aws.amazon.com/compliance/data-privacy-faq/

Development & Support Services: MRO-PRO is developed and supported in conjunction with a United Kingdom based development partner. MRO-PRO access within the development and support partner is limited to those directly involved in service provision, as controlled and allocated by MRO Professional Consulting. Pursuant to the MRO-PRO SaaS contract, MRO Professional Consulting’s suppliers are contracted to substantially similar terms to those in the SaaS contract and, further, to this policy. MRO Professional Consulting remains fully liable for all acts or omissions of any third-party processor appointed by it.

Removal of End User Personal Data 

An End User (see definitions) can have their personal data removed from MRO-PRO by request to [email protected]. The request must include the following information:

1 – MRO Organisation – the name of the organisation who setup the account
2 – Name 
3 – Stamp Number – MRO-PRO stamp number
4 – Registered email address 
5 – Registered mobile number 

All removals will first be validated by the MRO organisation responsible for issuing the end user account.

3 – SECURITY

The continued operation of MRO-PRO and the protection of its data necessitate that effective security measures are in place considering vulnerabilities of the Host, application, web-traffic, internet connection and device. Measures in place in each area and their respective owners are discussed in the sections that follow.

Host security

Information stored in MRO-PRO is held with the Cloud resource provider AWS. In this respect, AWS controls the security measures in place to secure data and physical premises. Further information on AWS’s security measures can be found at: https://aws.amazon.com/compliance/data-center/controls/

Application Security

Application security is a function of two key characteristics: 1) design (code) and 2) access control. MRO-PRO has been designed and developed to ensure that known vulnerabilities are not present. Further, regular penetration testing is conducted and remedial actions are completed to ensure the system remains secure against a constantly evolving landscape of threats. Vulnerability and penetration testing are discussed further in the Security Testing section (4) of this policy.

The second vulnerability considered is access control. Access to MRO-PRO is granted through one of two sources: 1) The MRO (95% of cases) and 2) MRO-PRO admin staff. In this respect, each party has a key role to play in application access security.

MRO responsibility: Each MRO is responsible for ensuring that its users' access is constantly reviewed and that due process is in place to deactivate user accounts as users leave the business.

MRO Professional Consulting responsibility: MRO-PRO admin accounts are issued to users employed by, or contracted to MRO Professional Consulting. To this extent, MRO Professional Consulting only issues accounts justified by business need and maintains a list of all users it grants access to.

To encourage best practice by both parties, further security features are built into the MRO-PRO APP and WEB-APP to control the login process. These are:

  • APP: The APP has a single-factor login based on the user's stamp number and a PIN. The APP mandates a PIN of at least 6 digits and schedules it for renewal every 30 days. Further, the APP logs users out after 10 minutes of inactivity.
  • WEB-APP: The WEB-APP faces the internet and offers far greater control within MRO-PRO. As such, two-factor authentication is utilised. A user logging in requires their user name and password as well as a second-factor authentication code delivered via a TOTP app, SMS or email. Passwords must be alphanumeric and contain a special character. Given the heightened two-factor security, sessions are not expired on a timer; however, the user will be logged out when the browser is closed or the computer shut down.
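As an added illustration (not MRO-PRO's own code), the following Python checks encode the login rules stated in the two bullets above: a numeric PIN of at least six digits renewed every 30 days, APP logout after 10 minutes of inactivity, and a WEB-APP password containing letters, digits and a special character. The ISO-8601 timestamp format, and the reading of "alphanumeric and contain a special character" as letters plus digits plus one non-alphanumeric character, are assumptions.

```python
import re
from datetime import datetime, timedelta

# Login-control values as stated in the policy text.
PIN_MIN_DIGITS = 6
PIN_MAX_AGE = timedelta(days=30)
APP_IDLE_LIMIT = timedelta(minutes=10)


def pin_is_valid(pin: str) -> bool:
    """APP rule: the PIN is numeric and at least six digits long."""
    return pin.isdigit() and len(pin) >= PIN_MIN_DIGITS


def pin_renewal_due(pin_set_at: str, now: str) -> bool:
    """APP rule: a PIN is scheduled for renewal 30 days after it was set.
    Timestamps are ISO-8601 strings (assumed format, e.g. '2023-12-05T09:00:00')."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(pin_set_at) >= PIN_MAX_AGE


def app_session_expired(last_activity: str, now: str) -> bool:
    """APP rule: the user is logged out after 10 minutes of inactivity."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(last_activity) >= APP_IDLE_LIMIT


def password_meets_policy(password: str) -> bool:
    """WEB-APP rule, read as: letters and digits present, plus at least one
    character that is neither a letter, a digit nor whitespace (assumption)."""
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9\s]", password) is not None
    return has_letter and has_digit and has_special


def app_login_findings(pin: str, pin_set_at: str, now: str) -> list:
    """Collect every APP login-policy breach for an attempt; an empty list means allowed."""
    findings = []
    if not pin_is_valid(pin):
        findings.append("pin must be numeric and at least 6 digits")
    if pin_renewal_due(pin_set_at, now):
        findings.append("pin older than 30 days; renewal required")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not data from MRO-PRO.
    print(app_login_findings("1234", "2023-11-01T09:00:00", "2023-12-05T09:00:00"))
    print(password_meets_policy("Hangar7!Tool"))
```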

Web traffic security

The web-traffic link between the Host and the Application user represents another potential security vulnerability. To assist in managing this vulnerability, Cloudflare is utilised. Cloudflare acts as an intermediary between a client (application user) and a Host, using a reverse proxy to mirror and cache websites. This intermediary design allows a further degree of optimisation and a level of filtering for security. Sitting between the client and the hosting server, Cloudflare is positioned to detect malicious traffic, intercept distributed denial-of-service attacks, deflect attacks from bots, remove bot traffic and limit spam.

Internet Connection

Internet connections and their security represent a potential system vulnerability that should be considered. Network provision and its security are the sole responsibility of the MRO-PRO customer.

Device security

MRO-PRO can be installed as an APP on an Android or iOS device, or accessed via any computer or device through the internet. Device provision, device vulnerabilities and device security are the responsibility of the MRO-PRO customer.

4 – TESTING & CERTIFICATION 

The cyber security landscape is constantly evolving. In this regard, the security of MRO-PRO’s systems is tested and certified on an annual basis.

Security testing

MRO-PRO’s continued security is underpinned by annual Penetration Testing performed by an independent CREST accredited tester. Penetration testing, also called PEN testing or ethical hacking, is the practice of testing a computer system, network or WEB-APP to find security vulnerabilities that an attacker could exploit.

Once a penetration test has been completed, the report is analysed and actions completed to close any system vulnerabilities that were discovered during the test. 

MRO-PRO’s annual PEN test results and any resulting remediation activities are published in an annual security report available to all MRO-PRO customers.

Cyber Essentials Certification

Further supporting MRO-PRO’s cyber security measures is its Cyber Essentials accreditation. Cyber Essentials is a simple but effective, government-backed scheme that helps protect your organisation, whatever its size, against a whole range of the most common cyber-attacks. Cyber Essentials advice is designed to prevent these attacks.

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

More detail on Cyber Essentials can be found at: https://www.cyberessentials.ncsc.gov.uk

Version 3 – dated 05/Dec/2023

