Policies & GDPR Compliance Area

Our commitment to safeguarding personal data

Cleverbox’s GDPR Compliance FAQs

Version date: 1st May 2018

We are committed to protecting your personal data and meeting our GDPR obligations

Cleverbox take our obligation to ensure the security of personal data extremely seriously and we are committed to protecting and preserving the privacy of our clients’ personal data and the data we process on their behalf. We are currently finalising our updated client Terms and Conditions, Service Level Agreement and internal policies in order to meet our obligations under the GDPR, all of which will be made available before the May deadline.

Below are answers to the frequently asked questions we have been receiving about the data we collect, where we store it and what we do in order to keep it secure. We will be regularly adding to and updating this statement with further information as we get closer to the deadline and finalise our documentation.

Cleverbox’s GDPR compliance programme

What are Cleverbox doing to ensure we are GDPR compliant by May 25th 2018?

Building on the technical and organisational security measures we already have in place to comply with the terms of the existing Data Protection Act, we are currently implementing the following measures to meet our obligations under the GDPR before the May deadline.

  • We have been reviewing the data we collect and process and are following guidelines from the ICO and the National Cyber Security Centre to ensure appropriate technical and organisational security measures are in place to keep this data secure.
  • We are in the process of finalising our updated customer terms and conditions. The new version includes a data processor clause that will enable us (and you) to comply with the requirements of Article 28 of the GDPR, which governs controller-processor contracts.
  • We are working with our subcontractors and suppliers to ensure that appropriate security measures and contractual arrangements are in place with them in advance of the deadline.
  • Our other internal procedures relating to personal data are being analysed to ensure that we will comply with the GDPR’s requirements, including those in respect of: (i) privacy by design and default; (ii) data subject consents; (iii) processing records; (iv) data retention and deletion; (v) data subject rights; (vi) impact assessments and (vii) breach notification.
  • We have appointed a team who are responsible for ensuring we comply with our obligations under the GDPR.

Are Cleverbox staff trained in data protection best practice?

We are ensuring our staff are trained in best GDPR day-to-day practice and general knowledge. All staff are bound by an employee contract to maintain confidentiality inline with our company’s data protection and privacy policy. We will ensure that staff are informed of any special data protection requirements relevant to their work. Those with access to any client personal data, in order to support our clients with the on-going management of their websites, undergo relevant training in data protection, including how to obtain appropriate verification from a data controller, when instructed to act on their behalf.

What accreditations are Cleverbox working towards?

We are following guidelines from the ICO and the National Cyber Security Centre to ensure appropriate technical and organisational security measures are in place to protect any personal data we control or process. We are working towards Cyber Essentials certification and ISO 27001 and will keep this page updated with progress on these accreditations.

The personal data we collect and process as a Data Controller

What data do we collect and process?

As a data controller, we collect and process the information regarding our clients’ employees that is supplied to us and/or that is required for us to effectively manage your account. We do not collect or process any sensitive personal data about our clients.

We collect and store the contact details for school staff members and CMS users with whom we need to communicate, comprising of:

  • Name
  • Position
  • Work Email
  • Work Telephone

Where is the data stored?

We store our client contact information in our third party Customer Relationship Management (CRM) system, known as HighRise, our accounting software, QuickBooks and our support ticketing system Zendesk. These are cloud based platforms run by US based companies compliant with the EU-U.S. Privacy Shield Framework.

Any hard copies of paperwork containing our clients’ personal data that we may need to hold will be kept to an absolute minimum and stored securely within the Cleverbox offices in Bromley, UK.

What do we do with the data we collect?

We use the client data we collect to effectively manage your project and ongoing account.

We may, from time to time, contact staff regarding the services we are currently providing to you or to inform you of related services and offers that may be of interest to you.

If we need to share any personal information with any third-party companies not outlined above, in order to facilitate mailings or e-shots for example, the information will be sent securely and will only be shared with trusted third-parties with whom we have GDPR compliant sub-processor contracts. This data will only ever consist of name, position, work address and/or work email address and will never be used by our suppliers for their own marketing purposes.

Cleverbox will never rent, sell or share our clients’ personal information with any other person or non-affiliated company unless we are required to by law.

How long do we keep it?

We only keep your data for as long as we need to in order to fulfil our Terms of Service and/or for as long as we have your permission to keep it. On termination of our contract with you, we will continue to hold the staff contact details we need for our financial records and legitimate business interests only for as long as is necessary, at which point all electronic records will be deleted and any hard copies shredded and disposed of securely.

The Personal data we process on our clients’ behalf

What data do we process on your behalf?

We will only process on your behalf the personal data you instruct us to in order for us to fulfil the design, marketing and website services we provide to you. This could be personal data you supply to us or that of visitors to your website; either supplied via forms or used to manage the performance of your website. As a data processor, it is our responsibility to keep this information secure and confidential and to process it only in the ways agreed by you when you accept our Terms of Service.

The types of information that we may process via your website are outlined below:

Content Management System (CMS) Users

We hold essential data on registered CMS users in the CMS database. This comprises of:

  • Name
  • Email address
  • Username
  • Password (encrypted)

We access this data in order to help recover login details or to contact users regarding website services and at no point can we view current or previous passwords which are fully encrypted within the CMS.

Online Forms

Your website may collect personal data via online forms. This data will either be emailed directly to a contact at the school/Trust or emailed AND stored within the CMS database. The most common form on our clients’ websites is the contact form which consists of:

  • Name
  • Telephone
  • Email Address
  • Message field (this can be any type of information the user decides to disclose)

It is important that you review any existing forms currently on your website to ensure the information you are requesting, how you use it and your retention and deletion procedures comply with your obligations under GDPR as a data controller. Before instructing Cleverbox to create a bespoke form on your behalf or creating any new forms yourself via the the built in form builder, please ensure you have undergone an appropriate data impact assessment for the information you are requesting.

Anonymised data

When someone visits your website, we automatically receive and record information on our server logs from the user’s browser, including IP address, website cookie information, and the page requested. These logs are used for server analysis, security and debugging and are securely kept for 30 days before being erased.

Cookies

Our clients’ websites do not generate any first party Targeting cookies. We use session cookies which are essential to the running of your website and are kept for the duration of a user’s visit. These keep track of things such as the session ID itself and whether the visitor has chosen to view in high visibility mode.

Google Analytics

Our websites use Google Analytics to collect information about visitor behaviour. Google Analytics stores information about what pages have been visited, how long a user is on the site, how they arrived at your site, what was clicked and what documents were downloaded. This Analytics data is collected via a JavaScript tag in the pages of your site and is not tied to personally identifiable information. We do not collect or store personal information such as name or address and so this information cannot be used to identify an individual. You can find out more about Google’s position on privacy as regards its analytics service at www.google.co.uk/intl/en/analytics/privacyoverview.html

Our websites do not serve ads and therefore we have no need to collect our process users’ personal information beyond what is required for the functioning of the website.

Other Third Party Services

Cleverbox are not responsible for any cookies set by or data captured through third party services linked to or integrated with your Cleverbox website such as: social media platforms including Facebook, twitter, instagram, LinkedIn, YouTube and vimeo; payment services such as PayPal, ParentPay, SagePay; VLEs; digital publishing platforms such as Issuu; third party form builders such as Zoho Forms and Machform; or any other third party website or service such as blogs, analytics tools or vacancy managers with which you have a direct contract.

Where is the data we process on your behalf stored?

All data that Cleverbox stores on your behalf is held and processed in one of three physical EU locations. Cleverbox will never process your data outside of the EU or EEA. If Cleverbox requires your data to be processed outside of these zones for any reason, we will only do so with your prior consent.

Hosting Environment: The websites that Cleverbox provide are hosted by Amazon Web Services near Dublin within the Republic of Ireland.

Development Environment: Our development environment, where we may need to store data while we make updates to existing sites, will only store the data that is necessary, is governed by stringent security measures and is located in the UK.

Cleverbox Offices: Any personal data that you may supply to us in order to populate your website or to fulfil other design and marketing services may be kept on our secure servers in the Cleverbox offices in Bromley, UK. We restrict access to any supplied data and only retain it for the life of the project.

You should only supply us with personal data you wish us to process on your behalf that is compliant with your internal data protection policies and necessary for you to share with us in order for us to fulfil our Terms of Service. In the rare instances where personal data is shared with us for these purposes, it usually consists of non-sensitive information such as staff and/or governor names and work email addresses and is used for front-end website population.

What do we do with the data we process on your behalf?

As a data processor, we will only process the personal data you collect in the ways outlined by our Terms of Service (or otherwise instructed by you in writing and in accordance with data protection law). This includes storing and keeping your data secure and confidential.

We will never rent, sell or share personal information that you disclose to us or that is collected through your website with any other person or non-affiliated company for their own marketing purposes. We will only share data with trusted third-party suppliers when necessary to provide products or services you’ve requested as outlined in our Terms of Service or with your prior approval. We will not disclose personal data to regional/national institutions and authorities, unless required to by law or other regulations.

How long do we keep the data we process on your behalf?

Data you collect via forms on your website

Please note: It is the responsibility of the school/Trust as the data controller to manage and delete any data you collect via forms on your website.

You currently have the ability through the CMS to:

  • see what forms are on your website
  • determine whether or not data captured via those forms is stored on the database
  • download any stored data
  • delete any stored submissions

Cleverbox, unless required to by law, may not on our own authority alter, erase or restrict the processing of personal data that we process on behalf of our clients. Cleverbox may however do so by written instruction from you (the data controller) and in accordance with data retention best practice. We are currently looking at ways we can help our clients meet their GDPR obligations with data retention and deletion through the CMS and database storage policies and will inform you of any changes to our Terms of Service before the May deadline.

Termination of  your website contract

On termination of your website contract, we will hold a backup of your website for 30 days before deleting it, including any personal data that may be stored within the website’s database.

How secure are the websites we provide?

The websites that Cleverbox provide are hosted by Amazon Web Services (AWS). With AWS you benefit from a data centre and network architecture built to meet the requirements of the most security-sensitive websites.

Our web developers are appropriately trained in Secure Software Programming techniques and our sites are built with the best security in mind. We always escape variables used in SQL statements and we ensure that PHP and other script files can’t be uploaded to our system.

Our servers run ModSecurity (an Apache security module) which will automatically block users from carrying out malicious attacks on our sites. We log any attacks and block offending IPs to help prevent future attacks.

We regularly check our servers for anything suspicious. In the unlikely event a vulnerability is found we take immediate appropriate steps to harden whatever is applicable.

No new services are ever introduced without thorough testing and security analysis. We regularly update our server software. Any patches and updates are applied and tested promptly.

Subject rights and data breach notification

How do we deal with data requests (subjects’ rights)?

If a Data Subject (a parent or other user of your website) should apply to Cleverbox directly for data erasure, rectification or restriction, then Cleverbox will forward this request without delay onto you (the data controller). We will take all appropriate measures to assist you with fulfilling your obligations to respond to such requests.

What happens if we identify a Personal Data Breach?

In the unlikely event we detect an actual or suspected data breach, Cleverbox will comply with our internal Data Breach Incident Response Plan and follow the ICOs guidance on notifying, when necessary, the affected data controllers, the affected data subjects, the police, the ICO and/or any other affected parties, within the appropriate timeframes as set out by the GDPR.

If you have any further questions, please contact us at [email protected]