GDPR for other hosting services (eg web hosting)

As a hosted service provider, we are classed as a “Data Processor” under the GDPR regulations.

For our hosting services:

  1. Data is held in the UK. Data is not transmitted outside of the EU except at your explicit request or command.
  2. The exception to the above statement is for sent or received emails as they are being delivered to the recipient(s). Obviously if you send an email message to a user in the USA, for instance, that email will eventually be transmitted to the USA, otherwise it would not be able to reach the recipient. Similarly, if one of your users is based outside of the EU and downloads email to their email client, that data is being transmitted outside of the EU.
  3. The data we may hold is anything you have uploaded to your website (or added using a content-management system). All this data is provided by you, we do not add it ourselves except at your explicit request.
  4. We do not analyse the data we hold in any identifiable way or in any way that would affect personal privacy or confidentiality. For instance, we look at the total size of your website or database to handle quota restrictions etc, but this is done on the whole of the data, not on individual messages.
  5. Although we can access your data, we do not do so except at your explicit request. This will only be done to try to identify problems with the service or to assist you at your request. We will not store or record data beyond what is necessary to assist you, and the data will be destroyed afterwards. These accesses are logged. (Note that we do not log access to your server where data is not accessed, e.g. to reboot your server or similar).
  6. The exception to the above statement is if we have to access data to mitigate a serious problem. For instance, if we discover that your website is being used to host malware. This is only done in exceptional circumstances and we will notify you afterwards. Any data seen this way is not recorded or stored at all, except at your request or as required legally. Again, these accesses are logged.
  7. In our company, only the senior technical support person (Paul Smith) has access to any of the data held on your hosted server.
  8. In the case of a data breach due to our fault we will contact the account contact we have for you with the details of the breach.
  9. Note that usernames & passwords are set by you, or at your explicit request. If we set passwords we will choose secure passwords, but they may be reset to less secure passwords by you or your users. In this case, there may be a data breach because of a discovered password. We will inform you if we discover this happening, but this is not our fault.
  10. We strongly recommend that you use SSL/TLS where possible when connecting to our servers, eg for uploading data using FTP. This is especially the case if using a public Wifi network to do so.
  11. In the case of passwords being used illicitly and we discover this or are informed of it by you, we will reset the password to a new secure password, and inform you of this (if you don't already know).
  12. Websites are hosted on shared servers. They are protected from being accessed by other users of the same server by access restrictions (each website runs as a different restricted user). This means that there is no way for one customer to access another customer's data.
  13. We backup websites daily for disaster recovery purposes. The backups are stored in the UK and are kept for 2 weeks. Weekly backups are stored at an alternate site in the UK and are also kept for 2 weeks. On your request we can delete the backups of your website, as long as you accept the risk of doing so.
  14. We do not have a Data Protection Officer because we are not required to do so under the GDPR regulations. If you want to contact us about data protection issues, contact support@pscs.co.uk