Automated Payment Transfer - Backup and Retention Policy

APT Ltd Backup and Retention Policy

1. Introduction

This document covers Clause 12.3.1 of APT’s ISO27001 certification.

As part of APT’s ISMS, to ensure the integrity and availability of data, APT are required to take regular backups that allow:

  • Primary software functionality to be restored and data critical to operations to be recovered in the event of a disaster scenario, in accordance with respective SLAs for each service provided.
  • The protection of the integrity of customers’ data, allowing the recovery of data that may have been lost, damaged or modified by accident.

This policy also contains details on the retention of data within APT’s environments as this goes hand in hand with backups.

2. Backups

2.1. Scope of systems

2.1.1 Backups will be taken from all systems critical to the delivery of the following services:

  • iConnect
  • Bureau Online Services
  • Validata
  • APT’s Website & CDN

2.1.2 Backups will also be taken from supporting systems, including those under APT’s Office 365 subscription (including emails) and the local area network software and hardware supporting APT’s office environment, including file servers.

2.1.3 Items that are not included in the scope, and are therefore not backed up, are:

  • Information held in a non-electronic format
  • Data stored on individual staff members’ PCs and end users’ devices
  • Data stored on removable media

2.2. Backup procedures

2.2.1 APT will use and maintain a backup solution suitable for its purposes.

2.2.2 Backups will target all servers, workstations and virtual machines in the scope and will capture all files and directories required to restore services to full functionality following a disaster scenario.

2.2.3 Backups will be carried out daily outside of the operational hours of the specified service or at a time of expected low usage that will cause minimal disruption to services.

2.2.4 Backups will be stored off site, preferably in a trusted and secure cloud environment.

2.2.5 Where scoped machines are part of the local network and do not require internet access to deliver related services, a local backup solution will be configured and maintained to provide an extra layer of backups where normal backups over the internet could fail due to a loss of network connectivity.

2.2.6 On the last Friday of every calendar month, backups from each service shall be mounted and tested to make sure they are functioning correctly and recovery will be possible if required.

2.2.7 A weekly report outlining the successful capture of backups will be generated and checked by IT staff.

2.2.8 A monthly report will be created by IT staff outlining the manual tests carried out and their success/failure. Any failures will have remedial actions attached and this report will be available to customers on demand.

3. Retention

3.1 In accordance with APT’s GDPR and data protection obligations, all customer data, including that which is stored in backups, shall be kept for no longer than required for the purposes for which it was collected.

3.2 The retention periods and backup retention shall be set to provide, in management’s opinion, the best balance of availability of APT’s services and security of customer data. As such, the following table details all information assets relevant to APT’s services and their respective retention and backup periods.

iConnect

Onboarding

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Quote | Name | LAN | EOC | 3 months |
| Contracts | Names, Email Addresses | LAN | EOC | 3 months |
| Preconfiguration Sheet | Names, Email Addresses, Account Numbers, Sort Codes | LAN | EOC | 3 months |
| iConnect Database | Names, Email Addresses | Database | EOC | 35 days |
| Originator Bank Account Details | Account Names, Account Numbers, Sort Codes | Database | EOC | 35 days |
| Sample File(s) | Account Names, Account Numbers, Sort Codes | LAN | 1 year | 3 months |

Processing

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Uploaded File(s) | Account Names, Account Numbers, Sort Codes | VM | 30 days | 35 days |
| File Uploader File(s) | Account Names, Account Numbers, Sort Codes | VM | 30 days | 35 days |
| Bacs Records | Account Names, Account Numbers, Sort Codes | Database | 30 days | 35 days |
| Presubmission Listing | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| File Listing | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Error/Integrity Report | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Transmit File | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Logs | User Names, Email Addresses, Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |

Contingency

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Contingency Form | Names, Email Addresses, Account Numbers, Sort Codes, Signatures | LAN | EOC | 3 months |
| Uploaded File(s) | Account Names, Account Numbers, Sort Codes | VM | 30 days | 35 days |
| Bacs Records | Account Names, Account Numbers, Sort Codes | Database | 30 days | 35 days |
| Presubmission Listing | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Transmit File | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Logs | User Names, Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |

Reports

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Reports | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |

Bureau Online Services

Onboarding

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Contacts | Name, Email Address, Account Number, Sort Code | LAN | EOC | 3 months |
| BOS Database | Name, Email Address | Database | EOC | 35 days |

Processing

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Fax Paper Record | Name | Office | ~30 days | 74 days |
| Uploaded File(s) | Account Names, Account Numbers, Sort Codes | VM, LAN | 30 days | 35 days |
| Bacs Records | Account Names, Account Numbers, Sort Codes | Database | 30 days | 35 days |
| Presubmission Listing | Account Names, Account Numbers, Sort Codes | VM, LAN | 1 year | 3 months |
| File Listing | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Transmit File | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |
| Logs | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |

Reports

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Reports | Account Names, Account Numbers, Sort Codes | VM | 1 year | 3 months |

Validata

Onboarding

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Validata Database | Email Address | Database | EOC | 35 days |

Processing

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Logs | IP Address, Email Address | VM | ~2 months [1] | 35 days |

Common

| Origin | Personal/Confidential Data | Location | Normal Retention | Backup Retention |
| Emails | IP Address, Email Address, Any confidential content disclosed by Customer | Cloud | 1 Year | - |
| Infrastructure logs | IP Address | Cloud | 31 Days | - |
| Customer Database | Name, Email Address | Database | EOC | 35 days |

[1] Logs are rolling and a new log file is only created once the existing log file reaches a certain size. The files are deleted based on the last modified date. Because of the way the logs work, we cannot give a precise retention period, but at current usage the retention given is an accurate approximation.