At MyKnowledgeMap, the security, privacy and integrity of customer data is central to how we design, build and operate the MyProgress platform.

This article provides a clear overview of our technical and organisational data security measures (TOMs), our approach to data protection, and how we meet the requirements of the UK GDPR and our Data Processing Agreement (DPA).

1. Our Commitment to Data Protection

MyKnowledgeMap acts as a Data Processor for Customer Personal Data processed within MyProgress.
We comply with all relevant UK data protection legislation, including:

• UK GDPR
• Data Protection Act 2018
• PECR (where applicable)

We only process personal data on the documented instructions of the Customer and solely for the purpose of delivering the MyProgress service.

All commitments are formalised within our Data Processing Agreement (Appendix A).

2. Hosting & Infrastructure Security

MyProgress is hosted entirely within Microsoft Azure, using data centre regions chosen by the Customer. Azure provides:

• ISO 27001 / SOC 2 Type 2 accredited infrastructure
• 24/7 manned security
• Biometric access control & CCTV
• Redundant power, UPS and backup generators
• Tier 4 resilience and high-availability architecture

Customer data is stored in isolated databases to ensure separation between institutions.

3. Data Security Overview

Data in Transit

• Encrypted using TLS 1.2 with RSA 2048-bit encryption

Data at Rest

• Encrypted using Azure Transparent Data Encryption (TDE)
• Backups encrypted with AES-256

Backups & Resilience

• Daily website backups retained for 30 days
• Weekly database backups retained for 365 days
• 35-day point-in-time recovery
• Backups replicated across regional data centres
• Azure high-availability for continuity during hardware or node failure

Recovery Objectives

• RPO: < 1 hour
• RTO: < 24 hours

4. Access Control & Identity Management

Access to systems and data is strictly controlled using:

• Azure Active Directory / Entra ID
• Multi-Factor Authentication (MFA) for privileged access
• Role-based access control (RBAC)
• Least-privilege access principles
• Secure password standards
• Automatic account locking on suspected compromise
• Support for SSO: SAML, OAuth, OpenID Connect, ADFS, LDAP

Administrative access is restricted to a small number of authorised staff and fully logged.

5. Monitoring, Logging & Threat Detection

MyProgress and its Azure environment make use of:

• Azure Security Center & Azure Monitor
• Real-time threat detection (including SQL Injection & brute-force alerting)
• Monthly external vulnerability scanning (Intruder.io)
• Log retention (minimum 90 days for system access events)
• Continuous monitoring for unusual access or anomalous activity

Critical vulnerabilities are prioritised and fixed immediately.

6. Secure Development & Change Management

We follow a secure development lifecycle, including:

• Secure coding practices and code reviews
• Version control
• Patch and update management
• Automated virus scanning on file uploads
• Optional penetration testing on a customer-by-customer basis

System changes are tested, reviewed and deployed through controlled processes.

7. Incident Response & Breach Notification

MyKnowledgeMap maintains a formal Cyber Security Incident Response Plan which covers:

• 24/7 security monitoring
• Rapid containment and investigation procedures
• Forensic evidence preservation
• Categorisation and escalation processes
• Customer notification within one hour of confirmation of a personal data breach
• Support with regulatory reporting obligations
• Post-incident review

8. Sub-processors

We only use approved Sub-processors, listed in the DPA (Schedule A-3). Key providers include:

• Microsoft Azure (hosting and infrastructure)
• Azure Active Directory / Entra ID (identity management)
• Microsoft O365 / Exchange / Azure Communication Services (email delivery)
• Intruder.io (external vulnerability scanning)
• Mailgun / SendGrid (transactional email delivery)

Customers are notified at least 30 days in advance of any new Sub-processor.

9. Data Retention, Export & Deletion

• Customers retain full ownership of their data.
• Customers may request database copies at any time (standard charge applies).
• On contract termination:
  • Data may be provided in a machine-readable format.
  • Data may be archived for 12 months (if agreed).
  • Data is securely deleted upon Customer instruction.
  • A certificate of destruction is provided.

10. Organisational Security & Staff Controls

All MyKnowledgeMap personnel:

• Receive mandatory cyber security and data protection training
• Are bound by confidentiality agreements
• Use secure laptops and devices
• Follow Clean Desk and Clean Screen principles
• May only access Customer data when strictly required for support
• Are subject to identity- and access-review processes

11. Supply Chain & Third-Party Assurance

We perform due-diligence and continuous security assessments on all suppliers, including checks for:

• Security certifications
• Data protection controls
• Appropriate contractual clauses
• Audit rights
• Sub-processing restrictions

Cloud providers must meet stringent requirements for encryption, access control, monitoring and resilience.

12. Compliance, Auditing & Assurance

MyKnowledgeMap maintains:

• Cyber Essentials Plus certification
• Annual security policy reviews
• Regular internal audits and supplier reviews
• Monthly vulnerability scanning
• Support for Customer audits upon request (subject to reasonable notice)

Azure’s independent certifications and audit reports further support compliance.

13. GDPR Alignment

Our Technical and Organisational Measures map directly to the GDPR obligations for processors under Articles 28 and 32, covering:

• Confidentiality
• Integrity
• Availability
• Resilience
• Access control
• Auditability
• Breach response
• Secure deletion

A detailed mapping is included within the DPA (Schedule A-2).

Need More Information?

For data protection queries: donna.cartman@myknowledgemap.com or craig.willis@myknowledgemap.com