Privacy Policy and GDPR Compliance
Introduction
ESP Projects Ltd provide GDPR compliant hosting services. We are ISO9001 and ISO27001 certified to provide additional evidence of our compliance. Our compliance includes the following:
- Data audit and mapping
- Ongoing analysis of technical and procedural security controls
- Customer and supplier contractual management
- Documentation and records management
- Public points of contact for data protection concerns
- Engagement with external expertise
Who has Potential Access to Customer Data?
People that have potential access (physical or remote) to customer hosting infrastructure and could potentially access the hosted data, include the following:
- ESP Technical Support Engineers
- ESP System Administrators (Senior Technical Staff)
- Hosting Partner Technicians (See Below)
Whilst staff in the categories above could potentially access customer data through their access credentials at either the software, virtualisation or hardware level, all their activity is covered by contractual and policy arrangements which restrict this access to the minimum necessary to deliver our services.
Where is Customer Data Hosted?
Customer data is hosted on physical servers owned by ESP Projects Ltd located in a secure data centre run by HA Hosting Ltd in Sheffield UK, or on virtual servers managed by ESP Projects Ltd and hosted by one of our accredited Cloud Hosting partners:
- Microsoft (Azure Cloud Services), UK South
- Vultr Holdings Corporation, London UK
- HA Hosting Ltd, Sheffield, UK.
Backups of customer data are stored on our backup systems located at our Sheffield, UK office. Backups have a maximum retention period of 30 days and are automatically deleted after that.
Temporary copies of customer data may also be created for development and testing purposes. For example, when troubleshooting issues or developing new features. In these cases, it would only be at the request of the customer for technical support or development. The data would be stored on our development systems at our Sheffield, UK office and would be deleted when no longer required.
Accredited Hosting Partners
All our hosting partners are ISO27001 accredited and GDPR compliant. Some of our hosting partners are global corporations but all our customer data is stored only in the UK.
Under the terms of our contractual agreements Hosting Partner staff will not actively monitor customer data, but they do have physical access to the servers and will comply with their requirements under relevant laws and regulations and where necessary to cooperate with law enforcement authorities.
For full details of any specific hosting partners for your customer data please contact us.
Microsoft (Azure Cloud Services)
Microsoft are a global company offering enterprise level cloud hosting services. They have a team of more than 3,500 global cybersecurity experts that work together to help safeguard your business assets and data in Azure.
ISO27001: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001
GDPR: https://www.microsoft.com/en-gb/trust-center/privacy/gdpr-faqs
Vultr Holdings Corporation
Vultr are a global company offering high performance cloud hosting services. Vultr are responsible for providing the underlying hardware for many of our shared hosting and VM services.
ISO27001: https://www.vultr.com/resources/faq/#datacenter_compliance
GDPR: https://www.vultr.com/legal/gdpr/
HA Hosting Ltd
HA Hosting Ltd own and operate a data centre in Sheffield. This is where we locate our physical servers. HA Hosting are responsible for providing a safe physical location and internet connectivity.
ISO27001: https://www.hahosting.com/Accreditations
GDPR: https://www.hahosting.com/privacy-policy
How is Customer Data Secured?
Physical Security
Our web hosting services are provided from data centres with excellent physical security. Located in fenced and gated compounds with full interior and exterior CCTV coverage. CCTV is recorded via motion-activated cameras and monitored off-site with priority police response. Access is controlled by two-factor authentication and access to shared racks is controlled by data centre staff and monitored by CCTV.
Human Security
All our staff are based and employed from within the UK, they are all DBS checked and work within our customer confidentiality and data security policies. These policies ensure that staff have access only to the system areas they need to provide the excellent quality of service our customers expect. Staff receive comprehensive training in these areas and fully understand the importance of secure hosting.
Network Security
We offer a wide range of network security options according to need. From direct IP connectivity for clients wishing to manage their own firewall policies. Through to fully managed security solutions providing firewall, IP NAT and VPN’s
Our hosting platform benefits from a sophisticated firewall configuration that not only controls access to network ports. But also monitors login attempts and can recognise & automatically block repeated attempts to gain unauthorised access.
Server Security
All our hosting services are based on security hardened installations and the lessons we have learned in this area are handed on for the benefit of our clients, whether on shared web hosting or their own virtual private servers.
What is the Formal procedure for Reporting on Unauthorised Access?
As a Data Processor, ESP is committed to informing customers of incidents that have or may reasonably be thought to have affected the confidentiality, integrity or availability of personal data ‘without undue delay.’
In practice we interpret this as meaning customers will receive appropriate notification within the 72 hour time window to allow them to comply with their responsibilities as Data Controller.
As a Data Controller, ESP will report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. We will, where appropriate, also directly contact those individuals potentially impacted.
When reporting a breach, we will provide:
- A description of the nature of the personal data breach including, where possible:
- Categories and approximate number of individuals concerned; and
- Categories and approximate number of personal data records concerned;
- The name and contact details of a senior member of staff where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.