GDPR Position Statement
We will only process data on a customer’s behalf if authorised to do so, and our standard contract includes the following wording to make it clear who can give such authorisation:
Faelix shall take and follow overall strategic, technical and business directions from your name here or their designee…
Our contract also makes it clear where we stand on the matter of illegal activity, including the misuse of personal information under any relevant data protection legislation:
…subject to the express condition that Faelix shall at all times comply with applicable law.
We’ll be sure to tell you if we think something you are asking us to do might cross that line. We like to go further, though. As our ethical charter suggests, we prefer to work with organisations who share our values. We advise our customers not just to adopt a similar “do no harm” approach to the use of personal data, but also to be open and honest with their own customers — and we hope that this position statement shows that we are trying to lead by example.
As a data processor we cannot tell you what your responsibilities under data protection laws are — you might want to engage a law firm specialising in Internet technology and the relevant regulations to help you with this — but at Faelix we can provide you with reasonable assistance by:
- helping you to prepare data protection impact assessments
- describing what data processing operations we do for you, and why we are doing them
- assessing the necessity and proportionality of that data processing
- helping you to identify risks to the rights and freedoms of data subjects arising from that processing
- explaining the measures we take to address those risks
Our standard contract makes another commitment:
Faelix shall, whenever requested by Client, provide evidence for legal proceedings and testify in any legal proceedings which relate to any matters on which Faelix has provided services to Client hereunder.
This includes assistance with your obligations under data protection legislation. We expect subject access requests to be directed to the data controller (i.e. you, our customer), but if we receive any such request we will forward it to the relevant person at your organisation. The same applies to any other requests or complaints from data subjects, and to communications from regulatory bodies such as the Information Commissioner’s Office.
Returning to the assistance we offer our customers, let’s explain some of the risk management measures we employ as standard. While we do cater for more bespoke requirements, we have a “typical offer” for our hosting services which we believe meets the needs of most of our customers.
Our contract treats personal data (as defined in data protection laws) as confidential information, and we promise to protect and safeguard any such information. This means we will tell you which Faelix staff might be working with you to help you process your data:
Faelix shall provide Client with a list of all Faelix staff who will have access to Confidential Information. Faelix shall inform Client of any changes to this list of staff within a reasonable time.
Part of this is making sure our staff are aware of their duties to you and to your confidential information. Where necessary they will have been given specific training in the care and handling of personal data, so that the processing is reliable and the integrity of the data is maintained.
We employ a range of technical measures to limit our staff’s access to your data, and we train our staff to use tools that keep a record of what has been done, to help with any compliance audits. For example, we prefer to use Teleport when performing any systems administration on customers’ servers, because it records each session. Internally we use a ticketing system to discuss, agree, and track the work performed for our customers.
We believe in strong encryption, and our standard offer uses Let’s Encrypt as a certificate authority so that modern TLS secures your “data in transit” between the server and a web browser, email client, etc. In other words you get the “padlock” out of the box. Note that TLS protects data only while it is travelling over the network; protection of data stored on the server is discussed below.
Our servers are housed in locked cabinets in secure data-centres, and only a small number of our staff have access to those cabinets. All our hosting facilities are compliant with ISO 27001. They are either staffed around the clock by security personnel who demand to see photo ID before admitting our authorised staff, or they have biometric access systems keyed to a select few of our staff, with remote CCTV and alarm monitoring. Trusted third parties may occasionally have physical access to our equipment:
- network suppliers may need to perform cabling installation to our racks
- data-centre staff may need to perform safety inspection of power distribution supplying our equipment
- we may need to temporarily authorise a technician to perform “remote hands” work for us, for example to help diagnose a fault in an emergency
Because our servers are physically secured to a high standard, our standard offer does not encrypt customer data “at rest” — that is to say your server will boot up without anyone needing to type in a passphrase to unlock the hard disk. We believe this is an appropriate trade-off for most customers, because “data at rest” encryption does little to prevent data loss through hacking: a running server must be able to read its data to do its job, so while it is up the data is already “unlocked”, and an attacker who compromises the server gets the same access the server has. What at-rest encryption does protect against is a disk leaving the rack, whether by theft or when a failed drive is removed; compared with hacking, the probability of the physical theft of a server is quite low. We can accommodate encryption at rest, but the caveat is that somebody would need to log in remotely and type a passphrase to unlock the disk every time that server reboots — which might be an appropriate trade-off of security against availability for customers processing sensitive information.
For most customers we automatically back up their servers as part of our standard installation (read more about this on our page about MOOSE). These backups are encrypted and stored at a different physical location from where your server normally runs. This might be a different country, but our data processing is carried out in countries which are either within the EU or provide the same level of protection for the rights of data subjects. We have written a page about how to retrieve files from these automated backups should you need to recover some data. Note that it is your responsibility to keep a copy of the encryption key for your backups: without it the backups cannot be decrypted, by you or by us.
The other form of data loss that the legislation is concerned with is that of a breach. We work hard to make sure our customers’ servers and data are protected:
- we use automation to make testing and applying patches as safe as possible and relatively easy
- we use firewalls, we segregate management networks, and we require VPNs for privileged access
- we use two-factor authentication wherever feasible
- we perform periodic scanning of our network for new and existing vulnerabilities
- we run off-the-shelf intrusion detection and prevention tools alongside bespoke ones we have written ourselves
We are aware of our responsibilities under GDPR (and other legislation) with regard to data breach notification. As a processor, our duty is to notify you, the controller, without undue delay after becoming aware of a personal data breach affecting your data; it is then the controller who decides whether the supervisory authority (within 72 hours) and the affected individuals must be notified. If we do need to make such a notification, we would expect to work with the affected customer to ensure that the right individuals and regulatory bodies are notified in a timely, appropriate, and helpful manner.