The UK’s data protection framework is changing on 25th May 2018, when the existing Data Protection Act 1998 will be replaced with the European Union General Data Protection Regulation (“GDPR”) (2016/679). Whilst the UK will soon be leaving the EU, the replacement data protection legislation being progressed through Parliament is very closely aligned to the requirements of GDPR.
InfoSaaS Limited (“InfoSaaS”) provides a specialist portfolio of SaaS (software-as-a-service) applications to its customers, and as such is responsible for the secure and compliant processing of personal data related to our customers, as well as the protection of our customers’ information (which may include personal data) whilst it is being processed by one of our software applications. This GDPR statement has been prepared to provide key information about these various personal data processing activities to our customers.
2. Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities (e.g. InfoSaaS software solutions) provide data protection by design and default. InfoSaaS has achieved this requirement by ensuring that its applications have been designed in accordance with industry best practice, using trusted technologies, and are subject to regular ITSHC CHECK tests to ensure that vulnerabilities are being properly managed, and configurations remain effective.
InfoSaaS Assure and UtopiaR are within the scope of our ISO27001-certified Information Security Management System, which is subject to regular external validation by assessors.
InfoSaaS utilises resilient UK data centres which are subject to formal ISO27001 certification. Unless we have entered into a specific agreement with a customer to host their instance of InfoSaaS in a non-UK country, we commit that all personal data processing is undertaken within the United Kingdom, under the prevailing UK data protection framework.
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are undertaken by organisations where there is a “high risk to the rights or freedoms of natural persons”. Whilst InfoSaaS has assessed that there are no high risks to individuals who may purchase or use our software solutions, we have nonetheless completed formal DPIA reports for our activities to validate that our data processing activities are indeed secure.
3. Legal Basis for Personal Data Processing
Article 6 of GDPR requires that the lawful basis for data processing be identified. InfoSaaS uses “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver InfoSaaS solutions to them. This includes the communication of direct marketing information related to our solutions or similar matters. We occasionally communicate with non-customers and will only do so based upon the “explicit consent” which the data subject has provided to us, either through a positive confirmation on a web form, or through their communication preferences shared from social media channels. We provide clear methods for data subjects to withdraw or vary their consent if they wish to do so.
4. Customer Documented Processing Instructions
Article 28 of GDPR requires that our customers should formally communicate their data processing requirements to InfoSaaS (as their data processor). In the event that a customer does not provide such written instructions to InfoSaaS (a) this omission does not remove their obligation to do so, and (b) InfoSaaS will deliver the software solutions in accordance with its published service definitions and other related materials.
5. Data Controller and Data Processor
InfoSaaS acts as:
- Data Controller (as per GDPR Article 24) for (i) the personal data relating directly to its customers and necessary for the management, provision and operation of the software solutions, and (ii) its own employee management purposes, or
- Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into the InfoSaaS software solutions by its customers.
In accordance with Section 5.0 of document 993 (InfoSaaS Terms & Conditions of Use), each customer is responsible for ensuring that they have an appropriate legal basis for processing personal data within an InfoSaaS software solution and will fully indemnify InfoSaaS in the event of any claim of any sort being brought for not having a valid basis.
6. Children’s Personal Data
The InfoSaaS software solutions are not directed towards children under the age of 13. If you learn that a child under the age of 13 has provided their personal information to us without parental consent, please contact InfoSaaS immediately so that we can take appropriate action. In accordance with Section 5 above, should an InfoSaaS customer elect to upload children’s personal data into their deployment of an InfoSaaS software solution, they will be required to evidence that they have a valid legal basis for doing so.
7. Sensitive Personal Data
Article 9 of GDPR specifies a set of personal data categories which are considered to be “sensitive”, and which require special consideration by Data Controllers. The software solutions provided by InfoSaaS do not knowingly collect or process any sensitive personal data. In accordance with Section 5 above, should an InfoSaaS customer elect to upload sensitive personal data into their deployment of an InfoSaaS software solution, they will be required to evidence that they have a valid legal basis for doing so.
8. Data Subject Rights
Articles 16-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
- Right of access by the data subject (Art.15)
- Right to rectification (Art.16,19)
- Right to erasure (Art.17,19)
- Right to restriction of processing (Art.18)
- Right to data portability (Art.20)
- Right to object to processing (Art.21)
Where InfoSaaS is acting as Data Controller (see Section 5 above), it will receive, validate, record, progress and respond to any such data subject requests received.
Where InfoSaaS is acting as Data Processor (see Section 5 above), it will advise the applicant of the customer’s contact details that should be used to make their request. As a responsible Data Processor, InfoSaaS will assist its customers in complying with valid requests.
Should a data subject decide to exercise their rights, they should contact InfoSaaS as below.
9. Declaration of Sub-Processors
InfoSaaS confirms its use of:
- Secure UK data centres with ISO27001 certification. Being UK-based, they are subject to prevailing UK data protection legislation. In accordance with our security operating protocols, details of the providers and locations are only made available upon specific request to InfoSaaS.
- Pipedrive, for the purposes of tracking and progressing customer engagement with InfoSaaS, which is based in Estonia and therefore falls under the requirements of the EU General Data Protection Regulation.
- MailChimp (Rocket Science Group LLC), for the purposes of managing and distributing marketing communications for InfoSaaS, which is based in Atlanta, Georgia, United States and has a validated entry under the EU-US Privacy Shield Agreement.
- Stripe Payments Europe, for the purposes of invoicing and receiving payments from customers for our software solutions, which is based in Ireland and therefore falls under the requirements of the EU General Data Protection Regulation.
- Ctrl O Ltd, for the provision of specialist technical support for our software solutions, which is based in London, UK and therefore falls under the requirements of the EU General Data Protection Regulation.
InfoSaaS confirms that:
- It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the EU General Data Protection Regulation.
- It will not vary or replace any of the declared sub-processors without having first given advance notice to all applicable customers.
10. Record Keeping & Breach Reporting
InfoSaaS confirms that it securely retains and manages data which records the use of our software solutions, including user credentials and IP addresses. Many features of our software solutions generate read-only audit logs, which individual users are unable to reverse or alter. Should a customer require assistance with information contained within our data processing records, please contact InfoSaaS as below.
We actively monitor our software solutions for unusual activities and issues, which include indications of data breaches. InfoSaaS will promptly act to notify either the customer or the ICO (as applicable to our role) in the event of a data breach being suspected (as per Article 33), and if acting as Data Controller will also inform affected data subjects (as per Article 34).
11. Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating their service provision with InfoSaaS. Should the customer not do this, then InfoSaaS will securely purge their data at the point when the resources are to be redeployed – but this does not take place instantly and customers are strongly recommended to (a) remove their own personal data beforehand, or (b) contact InfoSaaS Support if assistance is needed to do this.
12. InfoSaaS Personnel
All InfoSaaS personnel are based within the United Kingdom and receive regular, formal instruction in matters relating to information security and data protection. Those with specific roles relating to the management of risk assessments, data protection impact assessments, data subject rights and incident management receive more focused training.
All operational InfoSaaS personnel maintain formal security clearances.
13. Security of Web Links
InfoSaaS software solutions may include relevant hyperlinks to external websites not controlled by us. Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences caused by your use of them.
InfoSaaS Limited is registered with the Information Commissioner’s Office under the UK Data Protection Act 1998 – registration number ZA083451 applies.
If an InfoSaaS customer or data subject believes that InfoSaaS has not delivered upon its obligations under GDPR, they have a right to make a complaint to the ICO. The ICO can be reached by telephone on 0303 123 1113 or by using the contact form on their website.
15. Contact InfoSaaS
Data Protection Manager
Tel: 0203 474 1290