Compliance

We believe it is important to keep you informed about compliance activities within Spicyapple. As a business, we are required to comply with various legislation, such as the General Data Protection Regulation. By providing you with this information, our aim is to be open and transparent about how we operate. In doing so, we hope to give you confidence in the quality of our services and the surrounding processes and procedures we have in place to provide them. This information is also available to help you make an informed decision about the suitability of our services.

General Data Protection Regulation (GDPR)

On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR both strengthens the rights of individuals regarding personal data relating to them and unifies data protection laws across Europe.

We are committed to ensuring compliance with the GDPR and this will be an ongoing effort with constant reviews to ensure we keep on top of this.

What are your responsibilities as our customer?

You are the data controller of any personal data you provide to us in relation to your use of our services. This means that you are responsible for determining the reason why data is being processed, how it is processed and when it is processed. You also have other responsibilities, such as maintaining records of the processing activities that are carried out on the personal data.

We are a data processor, which means we are processing personal data on your behalf when you are using our services. The GDPR prohibits us from conducting any processing activities that you have not authorised us to do. As a data processor we will not process any data you provide unless we have received an appropriate instruction from you.

As a data controller, the GDPR requires you to implement appropriate technical and organisational measures to ensure and demonstrate that any processing of personal data is performed in a compliant manner. The principles of the GDPR include topics such as lawfulness, fairness, transparency, purpose, data minimisation and accuracy. The GDPR also gives data subjects various rights with respect to their data, which you are required to fulfil.

Further guidance related to your responsibilities under the GDPR may be available from your national data protection authority, such as the United Kingdom’s Information Commissioner’s Office. Other organisations, such as the International Association of Privacy Professionals, provide guidance that you may also find beneficial.

Nothing on this website should be considered as legal advice and you should seek independent legal advice regarding your obligations under the GDPR.

What are we doing in preparation for the GDPR?

The GDPR requires that data controllers use data processors that carry out processing in a manner that complies with the GDPR.

Like many small companies we are now getting our head around GDPR and auditing our data flows and looking for any areas where we can improve our processes and workflows to improve security of your data. We are being open and honest about what data we hold and how we use your data as you can read in our Privacy Policy.

Data Protection Agreement

As part of GDPR controllers and processors should enter in to an agreement which contains essential legislation on how this relationship should work in terms of processing personal data.

Your can read our Data Processing Addendum and if you are our customer and have not yet signed this contract then please contact us on [email protected] for how to do so.

Processing Instructions

Any data that you and your users put into our systems will only be processed in accordance with your instructions, as described in this Data Processing Addendum.

Employees being GDPR aware

All of our employees are required to undertake data protection training.

Sub-processors

We use many well known third-party vendors to help bring our services (hosting, site management, backups) to you as well as allow us to carry out typical business activities such as accounting, payroll and email marketing. We ensure each vendor is technically capable and can deliver the required levels of security and privacy. Details of our sub-processors are available on the sub-processors tab on this page.

Security

The GDPR requires that data controllers and their processors implement security controls that are appropriate to the level of risk. We operate and partner with organisations who operate state-of-the-art security infrastructures to ensure the safety of customer personal data.

Being a small company with with just a couple of employees then it’s much easier for us to keep on top of security.  We keep our OS software and antivirus/malware tools updated daily and store all passwords inside leading password management tools. Our staff are not permitted to share passwords. For some systems, we require use of shared passwords. These are maintained in a secure password management system which uses access controls to restrict access to only those members of staff who are authorised.

We enable two factor authentication on as many systems that allow it and have a policy of strong passwords that are unique to each system.

Our staff are required to lock their systems when not in use, log out of remote sessions when they are complete. We also require staff to operate a clear desk policy and lock any confidential information away when not at their desks.

There’s more to do we know and we’ll keep you posted as things change such as the introduction of a help desk system for your support queries rather than using email.

Third Party Sub-Processors

We use many well known third-party vendors to help bring our services (hosting, site management, backups) to you as well as allow us to carry out typical business activities such as accounting, payroll and email marketing. We ensure each vendor is technically capable and can deliver the required levels of security and privacy.

Sub-Processor Name

Sub-Processor Activity

Location

Siteground Hosting LtdWeb hosting Email Services Backups Domains UK & USA
NameCheapDomainsUSA
Godaddy Operating Company LLCDomainsUK & USA
Manage WP (Godaddy inc)Website management BackupsEU & USA
DropboxCloud Storage UK & USA
GoogleEmail and cloud storageUK & USA
SendGridEmail Delivery ServicesUSA
WordfenceWebsite SecurityUSA
DashlanePassword ManagementUSA
Authy2FA Two Factor SecurityUSA
KashflowAccounting & BookkeepingUK
CloudflareDNS Domain Management & CDNUSA
Receipt BankBookkeeping ReceiptsUK

Need Help?

If you need help fixing, hosting or revamping an existing website please get in touch… we’d love to help you!

Reach out today and let’s discuss your web project.