
This is an old revision of the document!


GDPR for hosted VPOP3 service

Also see GDPR for VPOP3 as most of that applies to the VPOP3 hosting service as well.

As a hosted service provider, we are classed as a “Data Processor” under the GDPR regulations.

For our hosting services:

  1. Data is held in the UK. Data is not transmitted outside of the EU except at your request or command (for instance VPOP3 supports backing itself up to the Amazon S3 data service. We don't set this up ourselves, but, if you set it up or request us to do so for you, then data will be transferred to Amazon S3 which may be outside of the EU).
  2. The exception to the above statement is for sent or received emails as they are being delivered to the recipient(s). Obviously if you send an email message to a user in the USA, for instance, that email will eventually be transmitted to the USA, otherwise it would not be able to reach the recipient. Similarly, if one of your users is based outside of the EU and downloads email to their email client, that data is being transmitted outside of the EU.
  3. For the hosted VPOP3 service, the data we may hold is usernames & email addresses of your users, contact details of your users and contacts, email addresses & names of your contacts, email message data. All this data is provided by you, we do not add it ourselves except at your explicit request.
  4. Information such as contact lists is only held on your hosted server. So you have full control over it. It is not stored anywhere else, so if you delete a contact from the contact list on the server yourself, it is deleted.
  5. We do not analyse the data we hold in any identifiable way or in any way that would affect personal privacy or confidentiality. For instance, messages are passed through a spam filter which will analyse the message, but not store any extra data about it other than a 'spam score'. The quantity and size of messages are also tracked to handle quota restrictions etc, but this is done on the whole of the data, not on individual messages.
  6. Although we can access message data, we do not do so except at your explicit request. This will only be done to try to identify problems with the service or to assist you at your request. We will not store or record message details beyond what is necessary to assist you, and the data will be destroyed afterwards. These accesses are logged. (Note that we do not log access to your server where data is not accessed, e.g. to reboot your server or similar.)
  7. The exception to the above statement is if we have to access data to mitigate a serious problem. The usual circumstance for this is if one of your users' accounts is being used for sending spam, we will proactively check the outgoing message queue on your server to check if messages being sent are spam. We will notify you if this has happened. We do not look at individual message contents except at your request, but may look at the list of subject lines, and sender & recipient email addresses. These are not recorded or stored at all, except at your request. Again, these accesses are logged.
  8. In our company, only the senior technical support person (Paul Smith) has access to any of the data held on your hosted server.
  9. In the case of a data breach due to our fault we will contact the account contact we have for you with the details of the breach.
  10. Note that usernames & passwords are set by you, or at your explicit request. If we set passwords we will choose secure passwords, but they may be reset to less secure passwords by you or your users. In this case, there may be a data breach because of a discovered password. We will inform you if we discover this happening, but this is not our fault.
  11. We strongly recommend that you use SSL/TLS in email clients/apps when collecting and sending messages to the hosted service, especially on mobile devices. We have found that most cases of accounts being hacked are due to devices being used on public Wi-Fi networks without using SSL/TLS. In this case, the logins can be eavesdropped on and usernames/passwords discovered.
  12. In the case of passwords being used illicitly and we discover this or are informed of it by you, we will reset the password to a new secure password, and inform you of this (if you don't already know).
  13. The hosted VPOP3 servers run on shared servers. They are protected from being accessed by other users of the same server by Windows access restrictions (each hosted server runs as a different restricted user) and the message store databases and message archives are protected by individual login details. This means that there is no way for one customer to access another customer's data.
  14. We back up the hosted servers daily for disaster recovery purposes. The backups are stored in the UK and are kept for 2 weeks. Weekly backups are stored at an alternate site in the UK and are also kept for 2 weeks. On your request we can delete the backups of your hosted server, as long as you accept the risk of doing so.
  15. We do not have a Data Protection Officer because we are not required to do so under the GDPR regulations. If you want to contact us about data protection issues, contact support@pscs.co.uk
faq/gdpr_hosted_vpop3.1527067906.txt.gz · Last modified: 2018/11/14 10:44 (external edit)