The Customer’s Compliance with GDPR
The Customer agrees that they are a Data Controller and that IDEASANVIL LIMITED is a Data Processor for the purposes of processing Personal Data. The Customer shall at all times comply with the GDPR in connection with the processing of Personal Data. The Customer shall ensure all instructions given by it to IDEASANVIL LIMITED in respect of Personal Data shall at all times be in accordance with the GDPR.
IDEASANVIL LIMITED’s Compliance with GDPR
2.1 IDEASANVIL LIMITED, acting as the Data Processor, shall process Personal Data in compliance with the obligations placed on it under the GDPR. IDEASANVIL LIMITED shall:
(a) Act only on instructions from the Customer or the Regulator in respect of any Personal Data processed by IDEASANVIL LIMITED;
(b) Have technical and organisational measures in place, having regard to the state of technological development and the cost of implementing any measures, against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or processed by it, appropriate to the harm that might result from such unauthorised or unlawful processing or loss, destruction or damage to Personal Data and the nature of the Personal Data;
(c) Take reasonable steps, having regard to the state of technological development and the cost of implementing any measures, to ensure the reliability of any of its staff who have access to Personal Data processed in connection with the Terms and Conditions;
(d) Not transfer the Personal Data provided by the Customer to a country or territory outside the EEA without ensuring the Personal Data is afforded adequate protection within the meaning of the GDPR.
Data Ownership
3.1 The customer data held within IDEASANVIL LIMITED systems remains the property of the Customer.
Data Sovereignty and Integrations
4.1 Personal Data may be shared with Trusted Third-Party service providers in order for IDEASANVIL LIMITED to provide its services to the Customer.
4.2 Other than with Trusted Third-Party service providers, no Personal Data is shared with any other service providers, applications or individuals without the written consent of the Customer.
Data Encryption
5.1 All data stored by IDEASANVIL LIMITED is encrypted at rest using AES-256 encryption. This is done to protect data in the event that an IDEASANVIL LIMITED server or other device is compromised by an unauthorised party.
Security
Taking into account the state of technical development and the nature of processing, IDEASANVIL LIMITED shall implement and maintain the technical and organisational measures set out in Appendix 3 to protect the data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
Audits
IDEASANVIL LIMITED shall, in accordance with GDPR, make available to the Customer such information that is in its possession or control as is necessary to demonstrate IDEASANVIL LIMITED’s compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, by IDEASANVIL LIMITED’s Third Party Auditor (subject to a maximum of one audit request in any 36 month period).
Staff
All staff and contractors employed by IDEASANVIL LIMITED are required to undergo data protection training and sign data protection and non-disclosure agreements before being allowed to work with customer data.
Backup Policy and System Monitoring
IDEASANVIL LIMITED servers are backed up daily, weekly and monthly, and are monitored 24 hours a day, 7 days a week, 365 days a year.
Data Breaches
IDEASANVIL LIMITED shall notify the Customer without undue delay and in writing on becoming aware of any Data Breach in respect of any Personal Data.
If a vulnerability is identified or data is available publicly outside of the IDEASANVIL LIMITED systems, please contact IDEASANVIL LIMITED immediately via dataprotection@ideasanvil.com.
Appendix 1: Definitions
Unless otherwise defined in this policy, all terms in bold will have the meanings given to them below:
Data Breach has the meaning defined in the GDPR
Data Controller has the meaning defined in the GDPR
Data means all data entered into IDEASANVIL LIMITED’s systems
Data Processor has the meaning defined in the GDPR
EEA means the European Economic Area
GDPR means the General Data Protection Regulation (EU) 2016/679
ISO 27001 certification means an ISO/IEC 27001:2013 certification or a comparable certification for the Audited Services
IDEASANVIL LIMITED means IDEASANVIL LIMITED Invision House, Wilbury Way, Hitchin, Hertfordshire, SG4 0TY
IDEASANVIL LIMITED’s Third Party Auditor means an IDEASANVIL LIMITED-appointed, qualified and independent third party auditor, whose then-current identity IDEASANVIL LIMITED will disclose to the Customer
Personal Data has the meaning defined in the GDPR
Customer means a business, person or organisation who pays IDEASANVIL LIMITED for services
Term means the period from the start date until the end of IDEASANVIL LIMITED’s provision of the Services, including, if applicable, any period during which provision of the IDEASANVIL LIMITED Services may be suspended and any post-termination period during which IDEASANVIL LIMITED may continue providing the Services for transitional purposes
Trusted Third Parties means Microsoft 365 Services EU, Microsoft Azure Services EU, Zendesk Inc., LogMeIn Inc., IOMart Group PLC
Appendix 2: Subject Matter and Details of the Data Processing
Subject Matter
IDEASANVIL LIMITED’s provision of the Services to The Customer.
Nature and Purpose of the Processing
IDEASANVIL LIMITED will process Personal Data for the purposes of providing the Services to the Customer in accordance with the Security Policy.
Categories of Data
Data relating to individuals provided to IDEASANVIL LIMITED via the Services, by (or at the direction of) the Customer.
Data Subjects
Data subjects include the individuals about whom data is provided to IDEASANVIL LIMITED via the Services by (or at the direction of) the Customer.
Appendix 3: Security Measures
IDEASANVIL LIMITED utilises multiple layers of security controls (software, physical and process based) to protect data. These include, but are not limited to:
Training
Audits and inspections
Local & Network Firewalls
Web Application Firewalls
Intrusion Detection & Prevention Systems
Whole disk encryption
Removable media encryption
Multivendor Anti-Virus and Endpoint protection systems
Application White Listing
Access Control Lists
Security Patch Management
Identity and Access Management
Centralised Log Management
Symmetric and Asymmetric Encryption systems for data storage
Two Factor Authentication
Separation of Duties
Data Loss Prevention
Vulnerability Assessment
Remote Monitoring & Alerting