The new EU General Data Protection Regulation (GDPR) came into force on 25th May 2018 and will impact every organisation which processes personal data of EU/UK citizens. It introduces new responsibilities, empowers businesses to be accountable for their processing of personal data as well as enabling EU/UK citizens to protect their privacy and control the way their data is processed.
If you are an existing Webfuel customer and your organisation's Data Controller, this statement should go some way to explaining our approach to GDPR compliance as a Data Processor and assist you in ensuring you meet your own organisation's obligations under GDPR.
This statement does not provide specific advice on how to meet any other obligations you may have as a Data Controller and we recommend you seek expert legal opinion in relation to these questions.
Personal data is any information that relates to a living individual. It also includes any data that can be used with other sets of data to identify an individual. Typical examples of personal data are: name, identification number, location data, online identifier, email address, etc.
Processing relates to any operation carried out on personal data, including collection, recording, organising, structuring, storing, using, etc. Processing does not have to be by automated means, so it also includes paper-based, non-digital systems.
A Data Subject is the individual whose personal data is being processed.
A Data Controller is the organisation which determines how personal data is processed.
A Data Processor is an organisation which processes data on behalf of a Controller. This typically means a third party used by the Controller to process their data (e.g. a marketing company used to send out marketing materials).
For detailed information about the GDPR and data protection, visit the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
When you use our services to store or process personal data (including your customers' or users' data), you are the Data Controller and we are a Data Processor. This is true for any personal data you place on our servers, whether directly, via a hosted website or through any of our other services.
The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process your personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR statement is our way of helping you meet these regulatory requirements and of offering you assurance that we treat GDPR and the security of your personal data as part of the everyday running of our services.
As a UK company, Webfuel Limited are committed to ensuring our business, services and internal processes are GDPR compliant.
As a consequence we have:
Our services are compliant because:
You are the owner of the data you or your customers or users submit to our services (whether they are hosted on your premises or on our servers).
When your data is placed on our servers, you are the Data Controller and Webfuel Limited, the Data Processor. Any processing (as a Data Processor) is only in terms of the hosting services we provide to you. We do not use your data for any processing of our own.
We do not share or provide access to any of your data with third parties unless required to do so by law. Where law enforcement or other authorised parties request access to our servers, we follow strict internal policies for dealing with such requests in line with existing UK law. Furthermore, the third parties are required to demonstrate they have a lawful reason to access the data and under what authority.
Your data is stored on cloud hosted servers which we lease in Microsoft Azure cloud data centres within their European zone. We have contracted with Microsoft on the basis of their standard Azure subscription terms and conditions. We do not enter into any form of bespoke agreements with Microsoft in relation to our work with individual clients.
Our contract with Microsoft is purely for the leasing of hardware (cloud-based storage and compute resources). Microsoft has no responsibility for what data is stored or how that data is processed. These decisions are all directed by our Data Controllers.
Microsoft Azure is a top tier data centre which runs a huge number of secure web applications. Azure is the second largest data centre provider in the world (second only to Amazon). Further details on the wide range of security certifications which Azure hold can be found here: https://azure.microsoft.com/en-gb/support/trust-center/
At least once a year, Azure data centres are audited for compliance with ISO 27001 and ISO 27018 by an accredited third-party certification body. These audits are published on the Microsoft Azure website. We rely upon this formal certification to give us the assurance we need that they are storing your data securely. The audit reports can be found on this website (https://servicetrust.microsoft.com/). Downloading them is free; however, you may need to sign up for a Microsoft account to gain access.
All key employees keep up to date with the technical aspects of security and ensure the ongoing security of our servers and systems. This means that security patches are applied to our systems as a matter of priority, and any changes or updates to our own systems are always made with data protection and privacy in mind and, where appropriate, in discussion with our customers. Where we have an agreement in place with our customers to do so, we also maintain the security of our customers' own servers or hosted applications.
Remote admin access to our servers is strictly restricted to key personnel within our Technical Support team.
Strict protocols are in place regarding data centre staff access to Azure servers. The data centres we use hold ISO 27001 certification and have high security access controls.
Other than the data centres which host our servers, Webfuel Limited does not use any third party suppliers or services that would have access to, or process, any data you process on our servers.
This section covers backup of all data which we may hold on your behalf, not just personal data. We store three different types of data, and the backup process for each is described below.
Files (e.g. images, documents)
Files are held on Microsoft Azure Storage accounts, specifically Zone Redundant Storage (ZRS). In summary, this means that data is replicated across three physically separate storage clusters within the European zone, so that it is preserved in the event of normal outages or failures and of natural disaster.
You can read more about Azure Storage Backup here:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
Databases (all other structured data)
We use Microsoft Azure SQL databases. Databases are backed up to encrypted backups automatically by Microsoft using Zone Redundant Storage. We augment this using Microsoft's Long Term Backup Retention to keep weekly snapshots for up to 3 months. These snapshots are held on separate ZRS storage accounts (see Files above).
You can read more about Azure SQL backup here:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-automated-backups
Source Code
The source code that runs your application is held locally at Webfuel and backed up to private source code repositories on GitHub, a leading online source code repository used by millions of developers worldwide. The data held by GitHub is source code only and does not include any personal data.
You can read more about GitHub security here:
https://help.github.com/articles/github-security/
Should our approach to any aspect covered by this statement change we will make sure, where your data is impacted, that we notify you within a reasonable timeframe and in line with any contractual terms in place between us.
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will be enough time for you to consider your requirements, under GDPR, for reporting the breach to the ICO and Data Subjects.
Our approach to our own compliance also helps you meet your own GDPR compliance requirements, and this statement should go some way to explaining that approach.
Furthermore, if required we will assist you or the Information Commissioner’s Office with any query relating to the GDPR compliance of our services.
Any questions, queries or requests for further information regarding our GDPR compliance should be sent to James Gaunt, Webfuel Limited, 13 Woodroffe Way, East Leake, Loughborough, LE12 6AL