Introduction
Rade is committed to ensuring the security of the data we hold. With the introduction of the General Data Protection Regulation (GDPR), we welcome the opportunity to highlight the measures we have put in place to ensure compliance where we hold or process personal data on your behalf.
Principles of GDPR
The main aim of GDPR is to safeguard personal data under this set of principles:
- Process data lawfully, fairly and transparently
- Only process data for explicit and legitimate purposes
- Keep data up-to-date and accurate
- Keep data only if required and for no longer than necessary
- Keep data secure
Your GDPR responsibilities
The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use are GDPR compliant. This means that when you use any of our services to process personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR Statement is our way of helping you meet the GDPR regulatory requirements and to offer you assurance that the security of your personal data is part of the everyday running of our business.
Our role as a data processor
When you use our services to store or process your personal data (including your customers’ and users’ data), you are the Data Controller and we are a Data Processor. This will be true for any personal data you place on our servers or by use of any of our other services.
You are the owner of the data you submit to our services; we do not use your data for any processing of our own. You retain responsibility for setting standards and managing security of all data you upload and share.
We will not provide access to any of your data unless required to do so by law. Third parties will be required to demonstrate they have a lawful reason to access data and under what authority.
Your role as data controller
When you use our hosting and email services to host, transmit or process data, you define the process and policies by which data is collected and processed.
You retain responsibility for setting standards and managing security of all data uploaded to our platforms. Special emphasis must be placed on the confidentiality of account access. You must safeguard account passwords to prevent unauthorised access.
Rade services may only be used for lawful purposes. Transmission, distribution or storage of any material in violation of UK regulation or law is prohibited.
You should familiarise yourself with the new regulations and consider what changes to your working practices may need to be implemented.
Working together
The GDPR sets out how we should work together. This means we will:
- only act on your written instructions as the Data Controller
- ensure that people processing the data are subject to a duty of confidence
- take appropriate measures to ensure the security of processing
- only engage new sub-processors with your prior consent
- assist you in meeting your GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- delete or return all personal data to you as requested at the end of the contract
Our GDPR commitment
Rade is committed to ensuring our business, services and internal processes are GDPR compliant. In response to the new regulations we have:
- taken advice and undertaken training on how GDPR may impact our services
- assessed our internal processes and the services we offer to our customers
- carried out due diligence on our sub-processors
- made sure staff understand their responsibilities for the processing of your data
- reviewed our technical and personnel protocols
- updated internal policies to ensure ongoing compliance
- prepared a Data Processing addendum to help you meet the contractual requirements of GDPR in the ‘Data Controller – Data Processor’ relationship
Data location
We know technology is business critical. Therefore we have close working relationships with the specialist sub-processors we use, for example for hosting your website, managing your domain names and filtering your email.
Where your data is stored on our hosting servers, these are located at well-connected, highly secure data centres. Servers include 24/7 hardware support and monitoring with daily backups, and benefit from powerful network connections, generators, air conditioning systems and fire detection and suppression systems.
Your data may be transferred outside the EEA in order to carry out certain services offered to you. We take steps to ensure that appropriate security measures are taken and the companies we deal with are based in countries that the EU has determined have an adequate level of data protection and, in the case of US companies, are part of the Privacy Shield scheme.
Data sharing
In the main the data you share with us is kept private, but there are circumstances where we need to share information with others. For domain registrations, we are guided by ICANN and Nominet rules and regulations. If you purchase an SSL certificate, we will need to provide information for the vetting process. Our newsletter and service announcement lists, while initiated and managed by ourselves, use the Campaign Monitor platform. We use the courier services of UK Mail and naturally need to share your details to arrange delivery of goods; likewise when we drop ship from distributors.
Data protection agreement
This addendum to our Terms of Business is a further document you can provide to auditors. Simply download the pre-signed form, complete it and return it to firstname.lastname@example.org for the document to be legally binding.