Pixelwork GDPR Compliance Statement

Posted By: Matt Harris

A background to our systems and hosting:

We are an ICO registered Data Controller (https://ico.org.uk/ESDWebPages/Entry/Z3017212)

If you host your website with us here are some specifications on the server:

1. We have been GDPR Compliant for some time.

2. Our ISP for server hosting is ISO 27001 certified (https://www.iso.org/isoiec-27001-information-security.html)

Provider transparency

Our core infrastructure has always been compliant in terms of ‘provider transparency’ (we do not ship data anywhere and all data resides with us and in one place for operations and offsite encrypted backups).

Technical and organisational security controls

In terms of ‘technical and organisational security controls’ we have full ISO 9001 certification, which covers risk assessment and procedures for data handling and security monitoring, many of which are mirrored in ISO 27001. We would also like to achieve ISO 27100, and it is something we are looking to do in the future. Technically we have the best firewalls in the business (Palo Alto), which protect not just our customers' servers from the outside world, but also each customer from every other customer, as each customer has their own secure VLAN that is also firewalled. We also have further security (Webroot) for customers who host Windows servers with us. Customers (controllers and processors) should receive a daily report of all attempted and potentially malicious activity that has been detected against their public IP addresses. We are, naturally, required to report any data breaches that are detected or reported to us.

For any customers of ours that host customer data, we recommend that this data be encrypted. This includes not only websites which store shopping or transaction information, but also data such as IP addresses and email addresses. Although we have given customers a price to encrypt data on their servers, we cannot force them to do so. If they ‘opt out’ as ‘controllers’ (we are deemed the ‘processor’), then in the event of an incident where a lack of encryption is found to be a contributing cause of data leakage, it would be the opting-out controller (you), and not the processor (us), that would take the heat.

Management of storage assets

The same really goes for data retention: we only control the twice-daily backups, which are of course encrypted. We cannot control what data goes into those backups, as this depends on the site and application that has been developed. As such, it is the responsibility of the application creator to ensure that customers can have their data deleted and that data retention rules are compliant within the scope of the application.

Email Subscriptions

If you currently send out email campaigns to subscribers from your site, or are collecting their data and wish to continue sending them marketing emails, we recommend you send out an email stating something along the lines of:

We’d love to stay in touch by sending you industry news, regulation changes, developments which may affect your website, and showcases of achievements and our recent work, but in order to do that we need you to confirm you’re happy to receive our emails. All you need to do is click the link below and enter your details; it will only take a few seconds.

We would then link to the form on your website where subscribers can recreate their accounts and confirm they wish to receive emails, together with a link to the new privacy policy page.

We only use Campaign Monitor for email campaigns. With regard to their systems, this link is a good source of information on their security and GDPR compatibility: https://www.campaignmonitor.com/trust/