
GDPR for hosted VPOP3 service

Also see GDPR for VPOP3 as most of that applies to the VPOP3 hosting service as well.

This Data Processing Agreement is part of our hosted VPOP3 service terms.

As a hosted service provider, we are classed as a “Data Processor” under the GDPR regulations.

For our hosting services:

  1. Data is held in the UK. Data is not transmitted outside of the EU except at your request or command (for instance VPOP3 supports backing itself up to the Amazon S3 data service. We don't set this up ourselves, but, if you set it up or request us to do so for you, then data will be transferred to Amazon S3 which may be outside of the EU).
  2. The exception to the above statement is for sent or received emails as they are being delivered to the recipient(s). Obviously if you send an email message to a user in the USA, for instance, that email will eventually be transmitted to the USA, otherwise it would not be able to reach the recipient. Similarly, if one of your users is based outside of the EU and downloads email to their email client, that data is being transmitted outside of the EU.
  3. For the hosted VPOP3 service, the data we may hold is usernames & email addresses of your users, contact details of your users and contacts, email addresses & names of your contacts, email message data. All this data is provided by you; we do not add it ourselves except at your explicit request.
  4. Information such as contact lists is only held on your hosted server. So you have full control over it. It is not stored anywhere else, so, for instance, if you delete a contact from the contact list, or a message from the server yourself, it is deleted.
  5. We do not analyse the data we hold in any identifiable way or in any way that would affect personal privacy or confidentiality. For instance, messages are passed through a spam filter which will analyse the message, but not store any extra data about it other than a 'spam score'. The quantity and size of messages are also tracked to handle quota restrictions etc, but this is done on the whole of the data, not on individual messages.
  6. Although we can access message data, we do not do so except at your explicit request. This will only be done to try to identify problems with the service or to assist you at your request. We will not store or record message details beyond what is necessary to assist you, and the data will be destroyed afterwards. These accesses are logged. (Note that we do not log access to your server where data is not accessed, e.g. to reboot your server or similar.)
  7. The exception to the above statement is if we have to access data to mitigate a serious problem. The usual circumstance for this is when one of your users' accounts is being used for sending spam; in that case we will proactively check the outgoing message queue on your server to check if messages being sent are spam. We will notify you if this has happened. We do not look at individual message contents except at your request, but may look at the list of subject lines, and sender & recipient email addresses. These are not recorded or stored at all, except at your request. Again, these accesses are logged.
  8. In our company, only the senior technical support person (Paul Smith) has access to any of the data held on your hosted server.
  9. In the case of a data breach due to our fault we will contact the account contact we have for you within 24 hours of discovery of the breach with the details of the breach as known at that time, with follow-up information later, as discovered.
  10. Note that usernames & passwords are set by you, or at your explicit request. If we set passwords we will choose secure passwords, but they may be reset to less secure passwords by you or your users. In this case, there may be a data breach because of a discovered password. We will inform you if we discover this happening, but this is not our fault.
  11. We strongly recommend that you use SSL/TLS in email clients/apps when collecting and sending messages to the hosted service, especially on mobile devices. We have found that most cases of accounts being hacked are due to devices being used on public Wi-Fi networks without using SSL/TLS. In this case, the logins can be eavesdropped on and usernames/passwords discovered.
  12. In the case of passwords being used illicitly and we discover this or are informed of it by you, we will reset the password to a new secure password, and inform you of this (if you don't already know).
  13. The hosted VPOP3 servers run on shared servers. They are protected from being accessed by other users of the same server by Windows access restrictions (each hosted server runs as a different restricted user) and the message store databases and message archives are protected by individual login details. This means that there is no way for one customer to access another customer's data.
  14. We back up the hosted servers daily for disaster recovery purposes. The backups are stored in the UK and are kept for 2 weeks. Weekly backups are stored at an alternate site in the UK and are also kept for 2 weeks. On your request we can delete the backups of your hosted server, as long as you accept the risk of doing so.
  15. We do not have a Data Protection Officer because we are not required to do so under the GDPR regulations. If you want to contact us about data protection issues, contact support@pscs.co.uk
  16. Your data is not transmitted to other organisations/people except at your direct instruction. If you address an email to an external user this is classed as a “direct instruction”. In this case your message data will be transmitted to other mail servers/companies as necessary for the message to reach the addressee. If you log in to your email account to view or send email from another organisation, then that is also classed as an “explicit request”. In these cases, we believe that we have not “engaged” these other organisations as further Data Processors under GDPR Article 28 (2), so there is no need for prior written authorisation or contracts, and no continuation of liability once the data has left our control.
  17. Upon termination of the contract we will delete all your data within one week of termination where the termination was explicitly requested by you, or one month if not (e.g. on non-payment of an invoice). If you require it to be deleted sooner, please ask. We only store the data for this time after termination as a courtesy in case you need to recover the data or change your mind and decide to continue with our service.
  18. We will provide reasonable assistance to you to help you to meet your GDPR obligations. Note that you have almost as much access to your data as we do (except for backups) so we will not, for instance, search through emails to delete personal data on request, but we will advise/assist you to do so yourselves.
  19. We will allow for audits/inspections by you or an auditor mandated by you. Because we are a data processor for many companies we will, by necessity, have to limit access by the auditor to prevent access to data controlled by other data controllers. We will require reasonable prior notice so that we can ensure that suitable staff are available, and have to limit the on-site time allowed to 2 hours per audit, and one audit per 12 month period. If more audits than that are required then we will charge our standard hourly rate of £50 + VAT per hour.
faq/gdpr_hosted_vpop3.txt · Last modified: 2018/11/14 10:45 by 127.0.0.1