We are an ICO registered Data Controller (https://ico.org.uk/ESDWebPages/Entry/Z3017212)
If you host your website with us, here are some details about the server and how it is run:
1. We have been GDPR Compliant for some time.
2. Our ISP for server hosting is ISO 27001 certified (https://www.iso.org/isoiec-27001-information-security.html)
Our core infrastructure has always been compliant in terms of ‘provider transparency’: we do not ship data anywhere, and all data resides with us in one place, both for operations and for offsite encrypted backups.
Technical and organisational security controls
In terms of ‘technical and organisational security controls’, we have full ISO 9001 certification, which covers risk assessment and procedures for data handling and security monitoring – many of which are mirrored in ISO 27001. We would also like to do ISO 27100, and it’s something we are looking at for the future. Technically, we have the best firewalls in the business (PaloAlto), which protect not just our customers’ servers from the outside world but also each customer from every other customer, as all customers have their own secure VLAN that is also firewalled. We also have further security (Webroot) for customers who host Windows servers with us. Customers (controllers and processors) should receive a daily report of all attempted and potentially malicious activity that has been detected against their public IP addresses. We are naturally required to report any data breaches if they are detected or reported to us.
For any of our customers that host customer data, we recommend that this data be encrypted. This covers not only websites that store shopping or transaction information, but also data such as IP addresses and email addresses. Although we have quoted customers a price to encrypt the data on their servers, we cannot force them to do so. If they ‘opt out’ as ‘controllers’ (we are deemed the ‘processor’) and a lack of encryption is later found to be a contributing cause of data leakage, then it would be the opting-out controller (you), not the processor (us), that would take the heat.
Management of storage assets
The same really goes for data retention: we only control the twice-daily backups, which are of course encrypted. We cannot control what data goes into those backups, as this depends on the site and application that has been developed. As such, it is the responsibility of the application creator to ensure that customers can have their data deleted and that data retention rules are complied with within the scope of the application.
If you currently send out email campaigns to subscribers from your site, or are collecting their data and wish to continue sending them marketing emails, we recommend you send out an email stating something along the lines of:
We’d love to stay in touch by sending you industry news, regulation changes, developments which may affect your website, and showcases of achievements and our recent work, but in order to do that we need you to confirm you’re happy to receive our emails. All you need to do is click the link below and enter your details; it will only take a few seconds.
We only use Campaign Monitor for email campaigns. With regard to their systems, this link is a good source of information on their security and GDPR compatibility: https://www.campaignmonitor.com/trust/