The UK’s data protection framework changed on 25th May 2018 with the introduction of the EU General Data Protection Regulation (“GDPR”) (2016/679), supplemented within the UK by the Data Protection Act 2018. InfoSaaS Limited (“InfoSaaS”) provides a specialist portfolio of SaaS (software-as-a-service) applications to its customers, and as such is responsible for the secure and compliant processing of personal data relating to our customers, as well as for the protection of our customers’ information (which may include personal data) whilst it is being processed by one of our software applications. This GDPR statement has been prepared to provide key information about these personal data processing activities to our customers.
2. Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities (e.g. InfoSaaS software solutions) provide data protection by design and by default. InfoSaaS meets this requirement by ensuring that its applications have been designed in accordance with industry best practice, using trusted technologies, and are subject to regular ITSHC (CHECK) penetration tests and security reviews to ensure that vulnerabilities are properly managed and that configurations remain effective. The InfoSaaS solutions are within the scope of our ISO27001-certified Information Security Management System, which is subject to regular external validation by assessors.
InfoSaaS utilises resilient UK data centres which are subject to formal ISO27001 certification and other security validations. Unless we have entered into a specific agreement with a customer to host their instance of InfoSaaS in a non-UK country, we commit that all personal data processing is undertaken within the United Kingdom, under UK data protection legislation.
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are undertaken by organisations where processing is likely to result in a “high risk to the rights and freedoms of natural persons”. Whilst InfoSaaS has assessed that there are no high risks to individuals who may purchase or use our software solutions, we have nonetheless completed formal DPIA reports for our activities to validate that our data processing activities are indeed secure.
3. Legal Basis for Personal Data Processing
Article 6 of GDPR requires that all processing of personal data rests on an identified lawful basis. InfoSaaS relies on “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver InfoSaaS solutions to them. This includes the communication of direct marketing information relating to the development of and enhancements to our solutions, or similar service-related matters. We occasionally communicate with non-customers and will only do so on the basis of the “explicit consent” which the data subject has provided to us, either through a positive confirmation on a web form, or through communication preferences shared via social media channels such as LinkedIn. We provide clear methods for data subjects to withdraw or vary their consent if they wish to do so.
4. Customer Documented Processing Instructions
Article 28 of GDPR requires that a data processor acts only on the documented instructions of the data controller; our customers should therefore formally communicate their data processing requirements to InfoSaaS (as their data processor). In the event that a customer does not provide such written instructions to InfoSaaS, (a) this omission does not remove their obligation to do so, and (b) InfoSaaS will deliver the software solutions in accordance with its published service definitions and other related materials.
5. Data Controller and Data Processor
InfoSaaS acts as:
- Data Controller (as per GDPR Article 24) for the (i) personal data relating directly to its customers and necessary for the management, provision and operation of the software solutions, and (ii) for its own employee management purposes, or
- Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into the InfoSaaS software solutions by its customers.
In accordance with document 993 (InfoSaaS Terms & Conditions of Use), each customer is responsible for ensuring that they have an appropriate legal basis for processing personal data within an InfoSaaS software solution and will fully indemnify InfoSaaS in the event of any claim of any sort being brought for not having a valid basis.
6. Children’s Personal Data
The InfoSaaS software solutions are not directed towards children under the age of 13. If you learn that a child under the age of 13 has provided their personal information to us without parental consent, please contact InfoSaaS immediately so that we can take appropriate action. In accordance with Section 5 above, should an InfoSaaS customer choose to upload children’s personal data into their deployment of an InfoSaaS software solution, they will be required to evidence that they have a valid legal basis for doing so.
7. Sensitive Personal Data
Article 9 of GDPR specifies a set of special categories of personal data which are considered to be “sensitive”, and which require special consideration by Data Controllers. The software solutions provided by InfoSaaS do not knowingly collect or process any sensitive personal data. In accordance with Section 5 above, should an InfoSaaS customer choose to upload sensitive personal data into their deployment of an InfoSaaS software solution, they will be required to evidence that they have a valid legal basis for doing so.
8. Data Subject Rights
Articles 15-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
- Right of access by the data subject (Article 15)
- Right to rectification (Articles 16,19)
- Right to erasure (Articles 17,19)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
Where InfoSaaS is acting as Data Controller (see Section 5 above), it will receive, validate, record, progress and respond to any such data subject requests received.
Where InfoSaaS is acting as Data Processor (see Section 5 above), it will advise the applicant of the customer’s contact details that should be used to make their request. As a responsible Data Processor, InfoSaaS will assist its customers in complying with reasonable and valid requests.
Should a data subject decide to exercise their rights, they should contact InfoSaaS as below.
9. Declaration of Sub-Processors
InfoSaaS confirms its use of:
- Secure UK data centres with ISO27001 certifications. Being UK-based, they are subject to prevailing UK data protection legislation. In accordance with our established security operating protocols, details of the providers and specific locations are only made available upon specific request to InfoSaaS.
- Pipedrive, for the purposes of tracking and progressing customer engagement with InfoSaaS, which is based in Estonia and therefore falls under the requirements of the EU General Data Protection Regulation.
- MailChimp (Rocket Science Group LLC), for the purposes of managing and distributing marketing communications for InfoSaaS, which is based in Atlanta, Georgia, United States and has a validated entry under the EU-US Privacy Shield Agreement.
- Stripe Payments Europe, for the purposes of invoicing and receiving payments from customers for our software solutions, which is based in Ireland and therefore falls under the requirements of the EU General Data Protection Regulation.
- Ctrl O Ltd, for the provision of specialist technical support for our software solutions, which is based in London, UK and therefore falls under the requirements of the EU General Data Protection Regulation.
InfoSaaS confirms that:
- It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the EU General Data Protection Regulation.
- It will not vary or replace any of the declared sub-processors without having first given advance notice to all applicable customers.
10. Record Keeping & Breach Reporting
InfoSaaS confirms that it securely retains and manages records of the use of our software solutions, including user credentials and IP addresses. Many features of our software solutions generate read-only audit logs, which individual users are unable to alter or delete. Should a customer require assistance with information contained within our data processing records, please contact InfoSaaS as below.
We actively monitor our software solutions for unusual activity and issues, including indications of data breaches. In the event of a suspected data breach, InfoSaaS will act promptly to notify either the customer (where acting as Data Processor) or the ICO (where acting as Data Controller, within 72 hours of becoming aware where feasible), as per Article 33, and where acting as Data Controller will also inform affected data subjects as per Article 34.
11. Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating their service provision with InfoSaaS. Should the customer not do this, InfoSaaS will securely purge their data at the point when the resources are redeployed; this does not take place instantly, and customers are therefore strongly recommended to (a) remove their own personal data beforehand, or (b) contact InfoSaaS Support if assistance is needed to do this.
12. InfoSaaS Personnel
All InfoSaaS personnel are based within the United Kingdom and receive regular, formal instruction in matters relating to information security and data protection. Those with specific roles relating to the management of risk assessments, data protection impact assessments, data subject rights and incident management receive more focused training. All operational InfoSaaS personnel maintain formal security clearances.
13. Security of Web Links
InfoSaaS software solutions may include relevant hyperlinks to external websites not controlled by us. Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences caused by your use of them.
InfoSaaS Limited is registered with the Information Commissioner’s Office (“ICO”) under the UK Data Protection Act 1998, registration number ZA083451.
If an InfoSaaS customer or data subject believes that InfoSaaS has not delivered upon its obligations under GDPR, they have a right to make a complaint to the ICO. The ICO can be reached by telephone on 0303 123 1113 or by using the contact form on its website.
15. Contact InfoSaaS
Data Protection Manager
Tel: 0203 474 1290