Online Policies


Online Security Policy

Rescue Global uses the trusted payment gateway provided by Sage Pay

Sage Pay is a payment service provider (PSP), and thousands of businesses outsource their transaction security to it. It is their top priority to ensure that our customers’ transaction data is kept secure at all times.

Transaction security

All transaction information passed between merchant sites and Sage Pay’s systems is encrypted using 128-bit SSL certificates. No cardholder information is ever passed unencrypted and any messages sent to your servers from Sage Pay are signed using MD5 hashing to prevent tampering. You can be completely assured that nothing you pass to Sage Pay’s servers can be examined, used or modified by any third parties attempting to gain access to sensitive information.

Encryption and Data Storage

Once on Sage Pay systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards used by, among others, the US Government. The encryption keys are held on state-of-the-art, tamper-proof systems in the same family as those used to secure VeriSign's Global Root certificate, making them all but impossible to extract. The data is extremely secure and Sage Pay are regularly audited by the banks and banking authorities to ensure it remains so.

System security

Sage Pay’s systems are scanned quarterly by Trustwave, which is an independent Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) for the payment card brands.

Sage Pay is also audited annually under the Payment Card Industry Data Security Standards (PCI DSS) and is a fully approved Level 1 payment services provider, which is the highest level of compliance. Sage Pay are also active members of the PCI Security Standards Council (SSC) that defines card industry global regulation.

To view our PCI DSS certificate please contact Sage Pay directly.

Links to banks

Sage Pay has multiple private links into the banking network that are completely separate from the Internet and which do not cross any publicly accessible networks. Any cardholder information sent to the banks and any authorisation message coming back is secure and cannot be tampered with.

Internal security

Access to Sage Pay is controlled by iris scanners, which are the latest and most precise biometric security devices available for identification, as used by chemical plants, airports, police stations, prisons and other facilities where security is paramount. No one can enter or leave the building without a valid security pass.

Staff validation

All employees at Sage Pay are Criminal Records Bureau (CRB) checked prior to employment and no unauthorized individual has access to or is able to decrypt transaction information or cardholder data. Sage Pay systems only allow access to our most senior staff and only in extenuating circumstances (such as investigations of Card Fraud by the Police). All transaction information and customer card information is secure even from Sage Pay's own employees.

Disaster recovery

Sage Pay operates on twin data centres to ensure optimal system security and up-time and has a full disaster recovery and business continuation policy.


Online Privacy Policy

We collect various kinds of personal data in the day-to-day running of our business and it is our aim to uphold the absolute highest standards when handling your personal information. For the purposes of this policy Rescue Global is the “Data Controller”, which means we are in a position to make decisions about the processing of data we hold about you, the “Data Subject”.

This is our Privacy Statement for online users: those who visit our site, fill out one of our online contact forms, and those we correspond with.

Our Approach to the GDPR

We follow the principles of the General Data Protection Regulation (GDPR), under which the law requires us to process data fairly; for specified purposes; limited to what is necessary and for as long as necessary; and to ensure data is accurate and secure.

We consider good data protection to be crucial in building positive working relationships, so we never collect data or process any data in a manner which we think would surprise people, and hope to exceed expectations in transparency about our data processing.

We always carefully consider our legal bases for processing under the GDPR for every single item of data we collect, and we make every effort to only process data when we absolutely must to comply with our legal and contractual obligations, and when we are satisfied that it is necessary for our business to function.

We take measures to keep data secure and protect against unauthorised access, and we take particular care before collecting and holding any data that could adversely affect your rights and freedoms or cause you loss or other damage.

General Web Users

Our website uses the following cookies to enable web analytics (held for the stated length of time), so we can monitor the effectiveness of our website.

  • _ga

    • Used to distinguish users.

  • _gid

    • Used to distinguish users.

  • gat

    • Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named dc_gtm_<property-id>.

  • AMP_TOKEN

    • Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.

  • _gac_<property-id>

    • Contains campaign related information for the user. If you have linked your Google Analytics and AdWords accounts, AdWords website conversion tags will read this cookie unless you opt-out.

Our websites also make use of ExpressionEngine CMS which sets several cookies for security and performance but no personally identifiable information is stored.

  • exp_csrf_token

    • A security cookie used to identify the user and prevent Cross Site Request Forgery attacks.

  • exp_last_activity

    • Records the time of the last page load. Used in conjunction with the last_visit cookie.

  • exp_last_visit

    • Date of the user’s last visit.

  • exp_tracker

    • Contains the last 5 pages viewed, encrypted for security. Typically used for form or error message returns. This is mainly for additional security with CMS users but is set for everyone.

 

Security Tools

Our website also makes use of the Google reCAPTCHA API to improve the security of our website by collecting device and application data from our web users, and sending this data to Google for analysis. The information collected in connection with this service will be anonymised and used by Google to improve reCAPTCHA and for general security purposes. Google will not use this data for personalized advertising – to read more about Google’s use of data click here.

We process this data for our legitimate interest in operating an effective website and have performed an adequate legitimate interest assessment.

We do not collect or use any other information about web users to profile or track them for direct marketing purposes.

Mailing List

When users sign up to one of our mailing lists we only record the information that they input into the form.

We use this information to market suitable goods/services to clients or potential clients and do so on the basis of consent.

Email Correspondence

We process names and contact details from emails, together with any other Personal Data provided, for the purposes of our legitimate interest of entering into business correspondence with clients, service users and other individuals who we may contact in our day-to-day operations, and we maintain adequate records of our correspondence with anyone with whom we may communicate.

Those who email us should refrain from sharing the personal details of others without that person’s permission, and any such information shall be processed under Article 14.5 of the GDPR, absolving our obligation to contact every Data Subject mentioned to us due to the disproportionate effort required.

Who do we share this information with?

We only transfer Personal Data we control to third party Processors for specified purposes, under strict instructions and with the assurance that appropriate measures are in place to protect your information. Our third party processors include:

  • Outsourced IT services who have access to our systems for backup and restore purposes.

  • Services for the operation of our website and email.

We may share your personal information with other entities in our group.

We may also have to share any of the personal information that we hold in the context of a possible sale or restructuring of the business, or when we are required to by a regulator or to comply with the law.

We do not transfer any of the personal information of our web users outside the EU.

Our email servers are cloud hosted in the EU and the US under appropriate GDPR-compliant safeguards.

We will never share the personal data of our contacts with any marketing organisation or any other third party not outlined above. If this ever changes we will seek the express consent of the Data Subjects concerned.

Will the information be used for automated decision making or profiling?

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

How long do we keep this information?

We retain Personal Data in compliance with our Retention Policy and Schedule for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Our Retention Policy & Schedule is available on request by contacting our officer responsible for data protection detailed below.

We retain and process personal data for which we have your consent unless and until you choose to withdraw your consent.

How do we keep this information secure?

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We ensure all our third-party service providers take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

What rights do you have?

Data Subjects are entitled to request that we erase, restrict, rectify or provide them with a copy of the data we hold, and may object to processing activities.

If we process Personal Data on the basis of Consent, the Data Subject may withdraw their Consent in respect of the particular processing activity at any time.

It is our policy to fulfil any such request within the statutory period of one month unless there is a compelling legal or contractual obligation which prevents us from doing so.

To make any such request please contact our officer responsible for data protection, whose contact details are Nick Kirkby, nick@rescueglobal.org

You also have the right to lodge a complaint with the UK’s data regulator, the Information Commissioner’s Office. Visit www.ico.org for more information.

Our contact information

Rescue Global
Unit 6, Satellite Business Village,
Fleming Way,
Crawley RH10 9NL
020 3818 0830


Website Accessibility

This website is designed by Rescue Global in order to be accessible to all users, and to comply with the Disability Discrimination Act (DDA).

The DDA was passed in 1995 (updated 1999 & 2004) to end the discrimination facing many disabled people, including when using the Internet. The Web Content Accessibility Guidelines (WCAG) were set out by the World Wide Web Consortium (W3C, http://www.w3.org/) in 1999 to give checkpoints for accessible web design that complies with the DDA.

This website follows the Priority 1 and 2 guidelines relating to accessibility as set out by the W3C. Please see below for a summary of how the site meets these terms, as well as the Priority 3 guidelines.

All pages on this website have also been validated for XHTML and CSS, in accordance with the web standards set out by the W3C.

Priorities

Priority 1

A Web content developer must satisfy this checkpoint. Otherwise, one or more groups will find it impossible to access information in the document. Satisfying this checkpoint is a basic requirement for some groups to be able to use Web documents.

Priority 2

A Web content developer should satisfy this checkpoint. Otherwise, one or more groups will find it difficult to access information in the document. Satisfying this checkpoint will remove significant barriers to accessing Web documents.

Priority 3

A Web content developer may address this checkpoint. Otherwise, one or more groups will find it somewhat difficult to access information in the document. Satisfying this checkpoint will improve access to Web documents.

Main Guidelines

  1. Provide equivalent alternatives to auditory and visual content

  2. Don't rely on colour alone

  3. Use markup and style sheets and do so properly

  4. Clarify natural language usage

  5. Create tables that transform gracefully

  6. Ensure that pages featuring new technologies transform gracefully

  7. Ensure user control of time-sensitive content changes

  8. Ensure direct accessibility of embedded user interfaces

  9. Design for device-independence (image maps)

  10. Use interim solutions

  11. Use W3C technologies and guidelines

  12. Provide context and orientation information

  13. Provide clear navigation mechanisms

  14. Ensure that documents are clear and simple

Summary of how www.rescueglobal.org follows Priority 1 Guidelines

  • The content on all pages is readable without the style sheets, colour, scripts and applets (1, 6)

  • All images, animations and buttons have alternative "alt" descriptions that can be read by screen readers (1)

  • Any multimedia containing important information has an alternative flat-image or text-only version (1)

  • All tables used for layout have captions to clarify their layout-only use (5)

  • The pages do not rely on colour for navigation (e.g. "click on the green button to proceed") (2)

  • The site uses the simplest and most straight-forward language possible (14)

Summary of how www.sagepay.com follows Priority 2 Guidelines

  • Sage Pay uses style sheets (CSS) to format text and layout (3, 11)

  • Every link has a clear title.

  • Absolute units of size are used, which is not recommended; however, the content is usable without restrictions (3)

  • In a few instances absolute positioning is used, but content is still readable without the positioning (3)

  • All events requiring a mouse are for design purposes only and do not hinder the user's ability to view information (7)

  • The transaction diagram interface requires the use of a mouse; however, an alternative is provided (1, 7)

  • A sitemap is provided (13)

  • The user is aware when a pop-up or new window is opened as all links have an alternative title to clarify this (10)

  • All link phrases make sense when read out (14)

Summary of how www.rescueglobal.org follows Priority 3 Guidelines

  • The primary natural language of the site is identified (4)

  • Separate adjacent links with more than just whitespace. In the top menu, this does not comply, but an alternative menu with separations is provided at the bottom of each page (13)

  • All tables have summaries of their content or their use only for layout purposes (5)

Rescue Global follows all of the Priority Three guidelines.

We strive to make the website accessible to all.

If you are not able to view any crucial content of this site please contact us at information@rescueglobal.org


Professional Conduct

Rescue Global is committed to conducting business in an honest and ethical manner. In particular, we do not tolerate bribery and corruption and we are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate. We are committed to implementing and enforcing effective systems and processes to counter bribery and corruption.

As a UK company, Rescue Global is bound by the laws of the UK, including the Bribery Act 2010, in respect of our conduct both at home and abroad. In addition, we will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate.

As well as ensuring our own conduct is appropriate, we have also put in place procedures to prevent bribery being committed on our behalf by any associated persons, i.e. anyone that performs services for or on our behalf, such as our people, and in some cases, subsidiaries and third parties we work with such as resellers, referrers and business partners.

This is the standard of behaviour customers, suppliers and partners can expect from us and that we expect from them.