agentOS, Calmony, agentPay, and agentWatch are trading names of agentOS Proptech Group Limited.
agentOS Proptech Group Limited is a registered data controller and processor and will collect and use information in accordance with the data protection principles within the GDPR.
During your time as a customer of AgentOS and for a period of time afterwards the company needs to process information about you and the data that you store within our services. This privacy notice outlines what you can expect when we collect your information.
What data do we process
Data that we process may include but is not limited to the following:
- Data about your company including bank details for billing purposes (“company data”)
- Data about your staff including names, email addresses and telephone numbers (“staff data”)
- Landlord, tenant and contractor data that you store on our services (“client data”)
How do we use the data
We use this data to allow us to comply with our contracts, any legal requirements and to carry out our legitimate interests within our business relationship. The information held will be for these uses only, but from time to time, we may need to disclose some information we hold to relevant third parties (e.g. where legally obliged to do or with your consent).
We may also use the information to contact customers to further discuss customer interest in our company, the Service that we provide, and to send information regarding our company or partners, such as promotions and events. Customers are invited to receive an email newsletter by providing an email address. Customer email addresses and any personal customer information will not be distributed or shared with third parties. Customers can opt out of being contacted by us, or receiving such information from us, at any time by unsubscribing.
Your company data and staff data will be stored for a period of 7 years following the termination of your contract. The client data that you store on our services will only be retained for 90 days after termination of your contract (this includes data hosting agreements).
If we need to use the data we have in any way that you would not expect we will notify you and get your consent if necessary.
Your rights and responsibilities
Customers will be using the Services to host client data and information. agentOS will not review, share, distribute, print, or reference any such Data except as provided in the agentOS Master Subscription Agreement, or as may be required by law. Individual records may at times be viewed or accessed only for the purpose of resolving a problem, support issue, or suspected violation of the Master Subscription Agreement, or as may be required by law. Of course, customers are responsible for maintaining the confidentiality and security of their user registration and password.
agentOS may also collect certain information from visitors to and customers of the Site, such as Internet addresses. This information is logged to help diagnose technical problems, and to administer our Site in order to constantly improve the quality of the Service. We may also track and analyse non-identifying and aggregate usage and volume statistical information from our visitors and customers and provide such information to third parties.
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability. Please contact firstname.lastname@example.org in the first instance.
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
You have the right to lodge a complaint to the Information Commissioner’s’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 2018 with regard to your personal data.
When you interact with the AgentOS.com Website we strive to make that experience easy and meaningful. When you come to our Web site, our Web server sends a cookie to your computer. Cookies are files that Web browsers place on a computer’s hard drive and are used to tell us whether customers and visitors have visited the Site previously.
Standing alone, cookies do not identify you personally. They merely recognize your browser. Unless you choose to identify yourself to AgentOS.com, either by responding to a promotional offer, opening an account, or registering for a Trial, you remain anonymous to AgentOS.com. Cookies come in two flavours: session and persistent-based. Session cookies exist only during an online session. They disappear from your computer when you close your browser software or turn off your computer. Persistent cookies remain on your computer after you’ve closed your browser or turned off your computer. They include such information as a unique identifier for your browser.
AgentOS.com uses session cookies containing encrypted information to allow the system to uniquely identify you while you are logged in. This information allows AgentOS.com to process your online transactions and requests. Session cookies help us make sure you are who you say you are after you’ve logged in and are required in order to use the AgentOS.com application. AgentOS.com uses persistent cookies that only AgentOS.com can read and use, to identify the fact that you are a AgentOS.com customer or prior AgentOS.com Website visitor (whatever the case may be). We are especially careful about the security and confidentiality of the information stored in persistent cookies. For example, we do not store account numbers or passwords in persistent cookies. Users who disable their Web browsers’ ability to accept cookies will be able to browse our Website but will not be able to successfully use our Service.
Third Party Cookies
The Site contains links to other websites. AgentOS.com is not responsible for the privacy practices or the content of these other web sites. Customers and visitors will need to check the policy statement of these other websites to understand their policies. Customers and visitors who access a linked site may be disclosing their private information. It is the responsibility of the user to keep such information private and confidential.
GDPR Questions and Answers
Name: AgentOS Proptech Group Ltd
Company Number: 5409547
ICO Registration Number: Z9844348
FCA Registration: agentOS Proptech Group Ltd is registered as a PSD agent with the Financial Services Authority, reference number 850923
Location of Head Office: 13 Lambourne Crescent, Cardiff, CF14 5GF
Data storage in EEA
What locations is the the data stored, processed or accessible (including those outside of the EEA)?
All data is stored with Amazon AWS in Ireland, accessible at AgentOS offices in Cardiff, with IP restriction
Do you inform me when you transfer data?
N/A. Data is stored at Amazon AWS, and never needs to be transferred.
Who can access the data?
Employees of agentOS Proptech Group Limited – with restricted access via IP lockdown and two factor authentication. Client nominated and approved suppliers who can only access client data via AgentOS Open API and subject to AgentOS API terms and conditions.
Do you have security breach notifications in place?
Yes, we monitor attempted logins and would record any breach. There has been no breach to date.
Do you adhere to Binding Corporate Rules (BCRs)?
N/A. AgentOS does not transfer data outside EU.
Are AgentOS employees with access to data and systems screened (eg: criminal background check)?
AgentOS CRB checks their employees annually.
Do you have a Security Policy & Acceptable Use Policy in place which sets out the security measures to be implemented and followed?
AgentOS does have a security policy in place and documented and is included in employment contracts.
Do you have checks and obtain commitments from all staff that they have no conflict of interest with respect to their actual or potential access to client data?
Any conflict of interest is questioned and would be added to the companies risk register with any agreed actions. There have been no reported conflicts to date.
Do the contracts for employees and sub-contracted staff cover roles and responsibilities for security, a requirement to abide by company policies and to keep company and client information confidential?
Are automatic controls implemented to enforce the use of encrypted portable equipment for the storage and transfer of data?
N/A. AgentOS does not transfer data.
Do AgentOS staff undertake mandatory annual training and confirm they have read and understood all relevant security policies?
AgentOS conducts regular reviews and manages training reminders and confirmations recorded with a HR software system.
Is there a formal Risk Policy and Assessment Methodology (inclusive of Threats, Probabilities, Impact and Risk) to the loss of customer data?
Yes, the AgentOS system is located in one AWS availability zone (one very secure warehouse). In event of a server failure, there is automatic failover to new hardware with up to 5 minutes disruption of service. In the unlikely event, a whole availability zone goes we can quickly restart services in another availability zone in Ireland.
Are data loss risks evaluated and treated (reduced or mitigated) using suitable controls with management approval?
AgentOS has an automatic and systematic back up of client data, and access to data is restricted to AgentOS CTO and Managing Director.
Are measures are in place to detect and alert clients of suspicious or fraudulent activity with data?
AgentOS provides security audit that records attempted logins, but do not monitor the reports as this is the responsibility of the client.
AgentOS is also FCA regulated and has a company Money Laundering Report Officer (MLRO).
Do such incident management processes involving data or systems require that an incident report is reported to a client within a maximum of 24 hours?
There is an incident process in place that would notify the client within 24 hours.
Is there a process to manage visitors to your premises?
Yes, we have a security at reception and require visitors to sign in and then have a temporary access card and are then always escorted. All visitors to agentOS offices are record on a security camera.
Are all staff (including temporary contractors) issued with photographic identification?
No, but all staff have and use electronic passes to enter the building.
Are your premises suitably robust in structure and protected from unauthorised access by physical barriers / access controls on doors / alarms etc.
Is access controlled and monitored (via logs) to sensitive areas such as server and communications rooms?
Access to the offices is logged, but there are no sensitive areas onsite, server and communication rooms are stored with Amazon AWS.
Are the premises fitted with an intrusion detection system monitored 24×7 and covering all windows/doors in the facility housing Data?
All data is stored at Amazon AWS and protected with intrusion systems monitored 24/7.
Are measures in place to prevent and detect the unauthorised removal of systems and devices that store or process data ( these include server, desktop, laptop, HDD or any form of removable media?
No data is stored locally, all data is stored on virtual servers with Amazon AWS.
Have you published and communicated a Network Security Policy to all relevant staff?
Are changes to the environment, supporting architecture or systems protected from unauthorised changes via a Change Management Process?
Yes, limited to only the CTO.
Is your IP network physically and logically segregated from any other public or private network?
AgentOS is on a private network with Amazon AWS data centre, and separate from other networks. Access for employees is IP restricted to AgentOS head office.
Is the AgentOS software physically and logically segregated from other third party systems?
Yes, only AgentOS software system is running on the Amazon AWS servers.
Is access to your network restricted and protected by appropriate security devices, i.e. firewalls?
Is the network subject to a periodic vulnerability scan or penetration test?
Yes, agentOS has a periodic penetration test in November that is a requirement by our PLC corporate client, open banking provider Truelayer and EMI provider Modulr.
In addition, the group CTO reviews AWS Guard/Inspector bi weekly and received instant alerts from https://securityscorecard.io.
Is suitable anti-virus, anti-spyware and anti-key logger software in place to protect systems and data from malicious code and phishing attacks across all server and desktop environments and is such software regularly updated?
Yes, with automatic updates.
Are patches to operating systems applied regularly via a patch installation schedule which includes procedures for implementing emergency security patches?
Yes, automatically set to update.
Are policies applied on desktop clients to limit the level of administrative privileges that a user can execute? (such as downloading of software or amending desktop security policies).
Does the password criteria conform to; at least 8 characters in length, a combination of alphanumeric and special character, have an expiry date, history controls prevent the use of previous passwords, and users must change passwords upon access to the system for the first time?
Yes, but clients set the level of security they require.
Are passwords obfuscated during the login process (masked by ‘*’ characters)?
Are password files on all systems protected by encryption during transmission and storage?
Yes, Sha256 hashed and there are no Password files stored on web servers. Passwords / API Keys & configuration are stored in Encrypted s3 buckets & RDS SQL Database's.
Access to the S3 and RDS DB are locked down to the EC2 instances (web servers) using AMI Roles. This means the EC2 instance needs to be running inside our AWS account to access Passwords / Keys.
Do you use two factor authentication to login to agentOS?
Yes, we use google authentication app to 2FA
Do you have a data protection officer?
No, we are not required to have a data protection officer.
Does any data shared with any other third party have sufficient contractual and security arrangements?
Yes, access is via AgentOS Open API and can only be enabled by the client and the issuing of an API key and transmission of data via SSL/TLS channels.
Is data processed (including accessing, handling, disclosing, accuracy, reliability, integrity) in accordance with the General Data Protection Regulation, including the provision of customer rights such as the right to be forgotten?
Yes, AgentOS is compliant with regulations and provides software tools for the client to activate the right to be forgotten.
Is printed media and other disposable material destroyed using approved methods i.e. cross cut shredder or confidential waste bins and the waste removed from site and disposed of in a secure manner?
Yes, AgentOS use a profession external contractor who provides security bins and shreds the waste onsite with a mobile unit.
Confirmation that no negative security / privacy related incidents experiences in the past 5 years?
AgentOS has not had a data breach.
Our Site has security measures in place to help protect against the loss, misuse, and alteration of the Data under our control. AgentOS.com hosts the Site in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders. AgentOS provides unique usernames and passwords that must be entered each time a customer logs on with an option to use two factor authentication. These safeguards help prevent unauthorised access, maintain data accuracy, and ensure the appropriate use of Data.
Introduction to Web Application Security
The estate, lettings, property management, apps and banking software constructed by AgentOS follows an industry standard software development lifecycle and is constantly evolving to meet the demands of our clients. New versions of the software, which include additional functionality and defect fixes, are developed and tested by our highly experienced IT team before being released, typically in 6-8 week cycles, to our clients.
Our web-based software is built by certified software developers using robust. Net framework and the latest version of SQL.
All the computers in our offices run on the latest version of Windows 10 and are constantly updated. They are protected by advanced firewalls and further covered by Windows Defender, ensuring that they are clear of any viruses and unauthorised access by hackers is prevented.
Client data is automatically backed up every fifteen minutes to Amazon’s virtual servers, no data is kept on site. In the highly unlikely event of a critical system failure, our clients’ data is still safe. AgentOS is continuously striving to ensure that our letting management software is scalable to meet the demands of both start-up companies and also established multi-branch agents. However, regardless of the size of the company, AgentOS software architecture and infrastructure provide a robust and meticulous approach to security.
Potential Security Vulnerabilities for Web Applications
Web-based applications are particularly vulnerable to attacks from external as well as internal sources.
The three main threats to system architecture are:
- Software vulnerabilities that may allow hackers to gain access to the system
- Hardware vulnerabilities (in the supporting server systems)
- Weaknesses in client websites that may allow access via a back-door
AgentOS remains vigilant against these threats and the measures currently being undertaken to counteract them are detailed in the following points.
AgentOS System Architecture
Network Security: Penetration and Vulnerability Testing
In order to test the robustness of AgentOS online applications, an independent team of network and system testers have subjected the Lettings & Property Management software and hardware to rigorous black box penetration testing. The overall results of the independent penetration testing found the software to be robust. All pages on agentOS software are protected by SSL. All web pages are held securely on our web servers and in source control. SSL certificates are used to encrypt web traffic should the client decide to use our HTTPS service. SSL certificates are used to ensure that web traffic over HTTPS is correct at the client-side, i.e. is the same information as that sent.
Furthermore, the system can be locked down to a range of IP addresses. This allows users to control where it is possible to gain access to the system. Whether it is locking down the entire system to the confines of the office’s network or blocking a certain IP address range to prevent users from gaining access to that location.
Software Security Functionality
The software includes a number of features which increase the overall security of the agentOS software:
- The system requires “strong” passwords.
- Option to activate two factor authentication
- Security Options on a per company basis:
- Username to be optionally displayed. The username displayed at the top of the AgentOS system can be switched off through Control Panel>Security Config>Interface Preferences. Some companies may deem the displaying of the username as a security risk.
- Forced password change and remembering previously stored passwords. More details on request.
Anti-hacking Security Measures
When a staff member is in the process of logging into AgentOS, if an incorrect username or password is entered, the system clears the ‘Password’ box and a pop-up message informs the user that an ‘Invalid username or password’ has been entered.
If a staff member enters their correct username and an incorrect password X times (more details on request) in succession, while attempting to log into their account on AgentOS, then their account will be locked-out. To unlock the account a higher level user must re-activate the staff member and re-set their password.
Security Audit Report
An audit entry is made each time:
- staff member’s password is changed
- a new staff member is added including their user level
- staff member’s log-in has been locked because of too many failed log-in attempts
- new landlord, tenant or contractor is added including their bank details
- landlord, tenant or contractor’s bank details are changed.
- enabling/disabling the Paid Sales functionality
- adding a new IP Filter entry
- staff Access level change
- too many login attempts
- name of a staff member who generated the RSTB, People in Credit/Debit reports.
Restrictions have been put in place to prevent staff members from logging into the system from more than one machine. If the user is logged in on say the office computer and then logs in on a different computer, the system will automatically log them out of the office computer.
Secure Web Pages via SSL. All pages within the Estates, Lettings & Property Management web application is transmitted over https:\\ which displays a small padlock at the bottom of your screen.
IP Lock Down. As previously mentioned, there is a section of the system that allows users to enter an IP address to either allow or disable access to the system from that location.
Staff Activity Restrictions
Restrictions are in place throughout the AgentOS software to regulate that only staff with high level of security clearance are able to access and update critical company information, thus ensuring a high level of defence against staff errors and information leakage (which can result if transient members of staff are compromised). Customisable staff activity restrictions, which apply regardless of whether a user level is able to access a node, include:
- Changing Bank Details – protects the tenant, landlord, contractor and company from having their bank account name, account number or sort code changed.
- Contra Transaction – restricts the user level that can perform a contra on a transaction while not affecting the level of the user able to view accounts and transactions.
- Change Signed Rent Schedule – restricts the level of user that can make changes to the payment or rent schedule for a signed tenancy while not affecting the level of the user able to Modify Instruction / Tenancy.
- Change Utility Responsibility – For a signed tenancy this protects the recording of whether landlord or tenant is responsible for water, electricity, gas or council tax. Update new audit
- End Signed Tenancy – Controls what user level is allowed to set the end date of an active tenancy.
Hardware Perspective: Server Backup and Security
All AgentOS client data is held in S3 buckets in our Amazon account. Access to this account is limited to specific staff members in our IT department. Amazon applications and their data are protected by highly secure facilities and infrastructure, but they’re also protected by extensive network and security monitoring systems. These systems provide basic but important security measures such as distributed denial of service (DDoS) protection and password brute-force detection on AWS Accounts.
Users are then able to implement their own security processes on top of Amazon’s to further protect their systems and data.
More information can be found here: http://aws.amazon.com/security/ and also in the Amazon Web Services: Overview of Security Processes document.
Our web-based lettings software automatically backs up customer data every 5 minutes to our AWS account. The AWS platform provides a solid and reliable infrastructure to ensure our customer’s data is always at their fingertips.
Advanced firewalls, further protected by McAfee Enterprise security software, ensure that any viruses and hackers are kept out of our staff computers, as well as our local file server.
Node Access Security Customisation
AgentOS can specify staff user level access restrictions on a per company basis. Each node in the system can be individually restricted to a minimum user access level independently for each company, thus allowing the system to be tailored to meet the needs of each client. Five user access levels are available: Client Colleague, Client Staff, Client Manager, Client Finance, Client Administrator and each node has a ‘default’ user access level which applies when a company is first set up and remains in place until the access level is changed. User levels that have been restricted from accessing the nodes are not able to view or edit the nodes.
- Node Access Levels. The node access security restrictions can be tailored to meet the needs of individual companies and help to ensure that the system is scalable and flexible for both small single branch companies and also for large multi-branch companies.
- All nodes can be customised to restrict user access levels including Accounting and Reporting nodes.
- Certain nodes which contain critical company contact information, such as Mail Merge> Active Landlords list, are programmed to not be displayed for user levels below Client Manager, even when the node’s access level has been reduced below this user level.
Multi-Branch Staff Restrictions. Staff members can be restricted to only view their own Branch Information (i.e. the Branch Selector cannot be used). Multi-Branch Staff Restrictions work in conjunction with the Multi-County restrictions and group the views together into the same related areas. Restricted staff cannot view reports for other branches in their company.
Multi-Branch Finance Reporting – the staff member is restricted to only viewing their own Branch information on the following accounting reports:
- Invoiced Sales Income
- Un-invoiced Sales Income
- Tenant Bond Deposits Held
- Debtors and Creditors
Multi-County Staff Restrictions. Staff members can be restricted to only view branches within their own ‘county’ by setting the Multi-County Staff Restrictions selectors. The Multi-County Staff restrictions group the nodes together into related areas such as General Views, Applicant Views, Reporting (all non-finance reporting), and Finance Reporting (finance reports). The Multi-County and also the Multi-Branch Staff Restrictions are particularly useful for companies that have franchise branches that must not have access to another branch’s financial or reporting data.
Technical Information: System Security
Security classification scheme:
- Individual records may at times be viewed or accessed only for the purpose of resolving a problem, support issue, or suspected violation of the Master Subscription Agreement, or as may be required by law. Of course, customers are responsible for maintaining the confidentiality and security of their user registration and password. All subsequent levels are client controlled; they are client side
- Basic user
- On agentOS side access to hardware that stores data is restricted to the CTO and a Company Director.
Availability of Business Information
AgentOS regularly reassesses the impact of business information being unavailable:
- AgentOS service is a software as a service subscription company with full Terms & Conditions published in the software and on our website. The target key performance indicator is an uptime of 99.80% between 6am and 10pm, excluding planned downtime with software releases.
Robust and Reliable Computer Systems
Our Amazon virtual machines run on Microsoft Windows Server and make use of the latest version of SQL. Updates are carried out regularly on these machines.
Measures to Physically Protect Critical Facilities
- All staff machines are locked down with cab lock components and are password protected.
- Each member of our IT team has UPS (Uninterrupted Power Supply) units that provide continuous power, for up to 30 minutes, in the event of an outage. This means that they are still able to upload changes/fixes to our Amazon account if something was to happen to that whilst we suffered a power cut.
- AWS’s data centres are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
- AWS only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.
Further details on Amazon AWS security policies can be found at https://aws.amazon.com/security/
All server systems have logging enabled (i.e. Windows event logs), and our application software also has full auditing capabilities. Our Network and System Administrators perform these tasks regularly, and system event logs are monitored daily.
An alert system has been put in place to notify our System and Network Administrator of firewall logs with all untoward traffic highlighted, as well customised AWS notifications that report on certain performance/usage statistics and errors that occur with the system.
Firewall routing for network traffic
AgentOS use a SonicWall to prevent unauthorised access. Only the Network Administrator is allowed access to its configuration controls, and all change requests must be passed through to this person for evaluation and potential configuration.
Treating customers fairly policy and complaints
The Financial Conduct Authority’s (FCA) Treating Customers Fairly (TCF) initiative is primarily based on the obligation set out in Principle 6 requiring a firm to pay due regard to the interests of its clients and treat them fairly. This Policy is very close to the core values and beliefs of agentOS.
The FCA’s six core consumer outcomes which explain what it wants TCF to achieve for consumers are:
- Consumers can be confident they are dealing with firms where TCF is central to the corporate culture.
- Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and targeted accordingly.
- Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
- Where consumers receive advice, the advice is suitable and takes account of their circumstances.
- Consumers are provided with products that perform as firms have led them to expect and the associated service is both of an acceptable standard and as they have been led to expect.
- Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.
Inline with FCA guidance and agentOS core values a formal complaints procedure for agents customers is available.
agentOS, agentPay and agentWatch Complaints Process
Core to our values of having our peoples and our clients interest at heart, deliver through being a ‘customer success’ focus business means each and everyone in the company is focused on delivering, within our means, successful outcomes.
While some things are within our control, in some circumstances they are not.
We are focused on your success, sometimes priorities and costs prevent us from making changes to what we do or our software.
Sometimes our training or procedures fail us which in turn fails our clients.
Even when we try our best, sometimes our clients feel they need to complain, and this is why we have a process for making complaints.
If you have a complaint?
Before making a complaint we ask that you discuss your issue with our client success managers, who if they can’t help, will refer to agentOS operations manager.
If you feel you have exhausted discussions and your issue has not been resolved, then feel free to start an official complaint.
Making an Official Complaint
We ask the original signatory of the contract or a company acting director submits official complaints.
We simply ask if you can put in writing and send to agentOS operations manage
- What was the issue that has caused you to complain?
- Was the issue within our control?
- What would you like to happen to resolve your issue?
How long will it take?
Once we have received your complaint, we aim to investigate, review and share our finding no later than 4 weeks.
The complaint will be reviewed by a senior manager from a different part of the company, with the intention for them to be independent.
Outcome of your Complaint
We will share with you our review, findings and outcomes.
Those outcomes could relate to changes in our training & procedures, an apology, compensation recommendations or explaining why the circumstances may be beyond our control.
What if I am not satisfied with the outcome of the complaint review?
If you are not satisfied with our outcome of the complaint, and you believe the complaint relates to the financial service that we have provided, you can refer the complaint to either Financial Ombudsman Service or Financial Conduct Authority.
Updated policy to reflect Calmony trading name.
Modulr audit, moved policy to zendesk for version control.
Updates relating to 2FA and agentOS Client Account.
Updates relating to 2FA and agentOS Client Account