Introduction

ESP Projects Ltd provide GDPR compliant hosting services. We are ISO9001 and ISO27001 certified to provide additional evidence of our compliance. Our compliance includes the following:

  • Data audit and mapping
  • Ongoing analysis of technical and procedural security controls
  • Customer and supplier contractual management
  • Documentation and records management
  • Public points of contact for data protection concerns
  • Engagement with external expertise

Who has Access to Customer Data?

People that have potential access (physical or remote) to customer hosting infrastructure and could potentially access the hosted data, include the following:

  • ESP Engineers
  • ESP Hosting Support Team
  • ESP System Administrators
  • HA Hosting Data Centre Technicians

Where is Customer Data Hosted?

Customer data is hosted on physical servers owned by ESP Projects ltd, located in a data centre run by HA Hosting Ltd in Sheffield, UK.

Backups of the data are stored on our backup systems located at our Sheffield, UK office. Backups have a maximum retention period of 30 days and are automatically deleted after that.

Temporary copies of the data may also be created for development and testing purposes. For example, when troubleshooting issues or developing new features. In these cases, it would be at the request of the customer for technical support or development. The data would be stored on our development systems at our Sheffield, UK office and would be deleted when no longer required.

Who are HA Hosting Ltd?

HA Hosting Ltd own and operate a data centre in Sheffield. This is where we locate our servers and they are responsible for providing a safe physical location and internet connectivity. Under the terms of our contractual agreement they would not access customer data, but they do have physical access to the servers.

ISO27001: https://www.hahosting.com/Accreditations

GDPR: https://www.hahosting.com/privacy-policy

How is Customer Data Secured?

Physical Security

Our web hosting services are provided from a data centre with excellent physical security. Located in a fenced and gated compound with full interior and exterior CCTV coverage. CCTV is recorded via motion-activated cameras and monitored off-site with priority police response. Access is controlled by two-factor authentication and access to shared racks is controlled by data centre staff and monitored by CCTV.

Human Security

All our staff are based and employed from within the UK, they are all DBS checked and work within our customer confidentiality and data security policies.  These policies ensure that staff have access only to the system areas they need to provide the excellent quality of service our customers expect. Staff receive comprehensive training in these areas and fully understand the importance of secure hosting.

Network Security

We offer a wide range of network security options according to need. From direct IP connectivity for clients wishing to manage their own firewall policies. Through to fully managed security solutions providing firewall, IP NAT and VPN’s

Our hosting platform benefits from a sophisticated firewall configuration that not only controls access to network ports. But also monitors login attempts and can recognise & automatically block repeated attempts to gain unauthorised access.

Server Security

All our hosting services are based on security hardened installations and the lessons we have learned in this area are handed on for the benefit of our clients, whether on shared web hosting or their own dedicated VPS.

What is the Formal procedure for Reporting on Unauthorised Access?

As a Data Processor, ESP is committed to informing customers of incidents that have or may reasonably be thought to have affected the confidentiality, integrity or availability of personal data ‘without undue delay.’

In practice we interpret this as meaning customers will receive appropriate notification within the 72 hour time window to allow them to comply with their responsibilities as Data Controller.

As a Data Controller, ESP will report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. We will, where appropriate, also directly contact those individuals potentially impacted.

When reporting a breach, we will provide:

  • A description of the nature of the personal data breach including, where possible:
    • Categories and approximate number of individuals concerned; and
    • Categories and approximate number of personal data records concerned;
  • The name and contact details of a senior member of staff where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.