Data8 would like to act as your Data Processor. We can only do this if we can persuade you to trust us with processing your data. On this basis, we ensure that we follow industry best practices in terms of Data Security and compliance with all relevant Data Protection legislation.
Our main approach to ensuring Data Protection is through our ISO27001 system.
Data8 operate an ISO27001 certified system that controls data security across the organisation. The scope of our system is defined as:
Management of Information Security in the provision of data solutions involving data cleansing services, real-time data capture and validation, database hosting, and advanced deduplication software.
The system covers all aspects of data security including:
- Human Resources
- Asset Management
- Access Control
- Physical Security
- Operations Security
- Communications Security
- Systems Development
- Supplier Relationships
- Incident Management
- Business Continuity
Data8 have policies and working practices documented on all of these areas. We have an annual external surveillance audit in accordance with the ISO27001 standard. We are happy to share with you our latest certificate, our policies and the results of our latest surveillance audit.
Disaster Recovery and Business Continuity
Data8 have built a high availability solution following industry best practice for both disaster recovery and business continuity. We have replicated our data centres, having two independent data centres that are corporately and geographically diverse. We monitor and publish the availability of our services.
Our procedures are driven by our ISO27001 system. We have policies on change management, capacity management, and redundancy planning. We have fully documented and tested business continuity plans. All of these are continually reviewed and subject to continual improvement through the ISO27001 program.
We perform regular penetration testing on our website and network infrastructure, along with any new developments or projects.
Our Terms and Conditions, created by a lawyer competent in Data Protection law, set out all of the conditions that GDPR requires, including:
- We must only act on your documented instructions unless required by law to act without such instructions;
- We must ensure that people processing the data are subject to a duty of confidence;
- We must take appropriate measures to ensure the security of processing;
- We must only engage a sub-processor with your prior authorisation and under a written contract;
- We must take appropriate measures to help you respond to requests from individuals to exercise their rights;
- Taking into account the nature of processing and the information available, we must assist you in meeting your UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- We must delete or return all personal data to you (at your choice) at the end of the contract, and we must also delete existing personal data unless the law requires its storage; and
- We must submit to audits and inspections. We must also give you whatever information you need to ensure you are meeting your Article 28 obligations.
Our systems have been created with a full audit trail of customer data within our systems.
- Data files are fully audited, including justification of all access by our staff
- Data files are encrypted at rest and in transit
- Clients can see all accesses to their data
- Retention durations are specified per client
- Data files are not backed up
- Data Validation requests are not stored (unless you have asked for debugging to be switched on)