On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR both strengthens the rights of individuals regarding personal data relating to them and unifies data protection laws across Europe.
We are committed to ensuring compliance with the GDPR and this will be an ongoing effort with constant reviews to ensure we keep on top of this.
You are the data controller of any personal data you provide to us in relation to your use of our services. This means that you are responsible for determining the reason why data is being processed, how it is processed and when it is processed. You also have other responsibilities, such as maintaining records of the processing activities that are carried out on the personal data.
We are a data processor, which means we are processing personal data on your behalf when you are using our services. The GDPR prohibits us from conducting any processing activities that you have not authorised us to do. As a data processor we will not process any data you provide unless we have received an appropriate instruction from you.
As a data controller, the GDPR requires you to implement appropriate technical and organisational measures to ensure and demonstrate that any processing of personal data is performed in a compliant manner. The principles of the GDPR include topics such as lawfulness, fairness, transparency, purpose, data minimisation and accuracy. The GDPR also gives data subjects various rights with respect to their data, which you are required to fulfil.
Further guidance related to your responsibilities under the GDPR may be available from your national data protection authority, such as the United Kingdom’s Information Commissioner’s Office. Other organisations, such as the International Association of Privacy Professionals, provide guidance that you may also find beneficial.
Nothing on this website should be considered as legal advice and you should seek independent legal advice regarding your obligations under the GDPR.
The GDPR requires that data controllers use data processors that carry out processing in a manner that complies with the GDPR.
Like many small companies we are now getting our head around GDPR and auditing our data flows and looking for any areas where we can improve our processes and workflows to improve security of your data. We are being open and honest about what data we hold and how we use your data as you can read in our Privacy Policy.
As part of GDPR controllers and processors should enter in to an agreement which contains essential legislation on how this relationship should work in terms of processing personal data.
Your can read our Data Processing Addendum and if you are our customer and have not yet signed this contract then please contact us on hello@spicyapple.io for how to do so.
Any data that you and your users put into our systems will only be processed in accordance with your instructions, as described in this Data Processing Addendum.
All of our employees are required to undertake data protection training.
We use many well known third-party vendors to help bring our services (hosting, site management, backups) to you as well as allow us to carry out typical business activities such as accounting, payroll and email marketing. We ensure each vendor is technically capable and can deliver the required levels of security and privacy. Details of our sub-processors are available on the sub-processors tab on this page.
The GDPR requires that data controllers and their processors implement security controls that are appropriate to the level of risk. We operate and partner with organisations who operate state-of-the-art security infrastructures to ensure the safety of customer personal data.
Being a small company with with just a couple of employees then it’s much easier for us to keep on top of security. We keep our OS software and antivirus/malware tools updated daily and store all passwords inside leading password management tools. Our staff are not permitted to share passwords. For some systems, we require use of shared passwords. These are maintained in a secure password management system which uses access controls to restrict access to only those members of staff who are authorised.
We enable two factor authentication on as many systems that allow it and have a policy of strong passwords that are unique to each system.
Our staff are required to lock their systems when not in use, log out of remote sessions when they are complete. We also require staff to operate a clear desk policy and lock any confidential information away when not at their desks.
There’s more to do we know and we’ll keep you posted as things change such as the introduction of a help desk system for your support queries rather than using email.
Sub-Processor Name | Sub-Processor Activity | Location |
| Siteground Hosting Ltd | Web hosting Email Services Backups Domains | UK & USA |
| NameCheap | Domains | USA |
| Godaddy Operating Company LLC | Domains | UK & USA |
| Manage WP (Godaddy inc) | Website management Backups | EU & USA |
| Dropbox | Cloud Storage | UK & USA |
| Email and cloud storage | UK & USA | |
| SendGrid | Email Delivery Services | USA |
| Wordfence | Website Security | USA |
| Dashlane | Password Management | USA |
| Authy | 2FA Two Factor Security | USA |
| Kashflow | Accounting & Bookkeeping | UK |
| Cloudflare | DNS Domain Management & CDN | USA |
| Receipt Bank | Bookkeeping Receipts | UK |
If you need help fixing, hosting or revamping an existing website please get in touch… we’d love to help you!
Reach out today and let’s discuss your web project.
