Ds Websites & Your Data

Managing your data

All contact preferences in line with GDPR can be managed at https://clients.dswebsites.co.uk

What data is stored, why and how is it used?

Ds Websites stores a small set of data about you that includes: your name (and/or company name), address, phone number(s) and email address(es). This is used to provide invoicing and service registration and to contact you, which covers multiple legal bases in line with the guidance from the ICO.

Account & Financial

Legal basis: LEGAL OBLIGATION

The purpose for storing your data is account and financial management (sending you invoices, and maintaining account records). The lawful basis for this purpose is 'Legal Obligation', as Ds Websites is legally obliged by HMRC to keep accounting records for 5 years in line with the guidance provided.

The information given under this basis is used, where appropriate and consented to, to feed into the other bases covered below, and this data forms the 'gold/master' copy of your data. If data is updated here, then it is updated elsewhere in other services, as appropriate and consented to, as required to facilitate those services/bases.

Domain Name Registration

Legal basis: LEGAL OBLIGATION

The purpose for storing your data is to provide you with domain name registration services. The information is required by domain name registrars and forms part of Ds Websites' legal obligation to provide them with accurate information on who is the legal registrant (you) registering that domain name.

Domain name registrations require name and address information and Nominet (*.uk domains) have the following information on how this is changing for GDPR: https://registrars.nominet.uk/namespace/uk/gdpr-changes, and ICANN (*.com, *.org domains): https://www.icann.org/dataprotectionprivacy. Ds Websites is therefore also required to hold your information to register domain names on your behalf.

Additional contact details may be acquired under this basis as domain name registrations can have up to three different contacts stored against them (Administrative, Technical, Billing) - usually all three are the same, and are either Ds Websites, or the data provided to register the domain name.

Website Hosting

Legal basis: CONTRACT

The purpose for storing your data in this case is to provide the service to you, and to maintain contact with you regarding your purchased services throughout the contractual/serviced period you maintain products with Ds Websites.

This should not be confused with "Service Status Updates", which are mentioned below and do not directly concern 'your' contract or product, but an effect on your product. Contact under this basis would be directly in relation to your hosting account: things like exceeding usage allowances, upgrade notifications and management of your hosting account that do not usually concern anyone other than you.

Service Status Updates

Legal basis: CONTRACT

Due to the nature of the products/services that are provided by Ds Websites, scheduled or unscheduled downtime may occur. To keep you informed and knowledgeable about what is happening, unannounced service notification communications may be sent out via the methods that you have provided. This will usually be via email; however, if the email system is affected, a text message may be sent to a provided mobile phone number.

To keep you updated, Ds Websites may send out updates by either email or text; these preferences can be set as required.

Marketing

Legal basis: CONSENT

Ds Websites does not pro-actively market products or services; however, it may from time to time send an email out to all current customers informing them of important changes to the services and products offered.

As the legal basis for this data processing is 'consent', Ds Websites must gain clear consent to send you these types of communications.


How is this data stored?

Your data could be held in multiple locations, and also shared with multiple third parties due to the providers used to manage the business: an online accounting package (Kashflow), an online hosting platform (20i), an online support ticketing system (Atlassian Service Desk) and a cloud storage provider (Dropbox). Data may also be sent (shared) to communication providers to facilitate the sending of that communication (Email and Text Messaging). Data is also physically stored on PCs and/or laptops that are used to operate the business.

Kashflow

The accounting package 'Kashflow' retains the records of your details for accounting and invoicing purposes. They have released the following information on their approach to GDPR: https://www.kashflow.com/wp-content/uploads/2018/04/KF-Small-Business-Guide-to-GDPR.pdf which covers data security as follows.

Data security is central to GDPR-compliance, so it’s essential that you take all necessary steps to keep your data safe. Data encryption is a highly-recommended way of keeping your data safe, KashFlow’s cloud software offers the same level of security as internet banking, with data stored on a central server and supported with secure backup servers. This leaves no trace of financial data on company computers, so if your device gets misplaced or stolen, your data remains safe.

Data is deleted from this system 5 years after account termination in line with HMRC requirements.

Access to this service is secured by username, strong password and private secret (like bank accounts) where random characters are requested from a known secure passphrase.

20i

20i are the hosting provider that is used to provide hosting and domain name services to you. Your details are stored here when domain name registrations are concerned, as part of the Nominet or ICANN requirements (covered above), or for control panel access to administer your own account (if required), where name, address, email and phone number are stored for access and contact if needed.

Data is deleted from this system upon account termination.

Access to this service is by username and strong password.

Atlassian Service Desk

If you have raised a support ticket via https://support.dswebsites.co.uk and signed up for a free account, the details you have provided will be stored on this system to allow contact and updates on the support tickets you have raised.

Data is deleted from this system upon account termination.

Access to this service is by username and strong password.

Dropbox

Dropbox is used as the 'file storage' for Kashflow - PDF copies of invoices, quotes and statements are sent to the Dropbox account where they can be forwarded onto you. It is also used as the backup engine for accounting data where archived (zipped) data is stored as a backup.

They have released the following information on GDPR: https://www.dropbox.com/en_GB/security/GDPR.

Data is deleted from this system 5 years after account termination in line with HMRC requirements.

Note: Ds Websites' Dropbox account has a 30-day deleted file retention period during which a deleted file could be retrieved if accidentally deleted; therefore complete deletion of data from Dropbox is 30 days AFTER the deletion.

Access to this service is by username and strong password.

TextMarketer

TextMarketer are the current provider of Ds Websites' outbound text messaging services. This is usually only used for sending passwords or other sensitive information where dual methods are required (username by email, password by text, for example). It may also be used for service status updates where the email system is affected.

Only your mobile phone number is ever provided to TextMarketer, and possibly your first name if the message contains it.

TextMarketer store the sent message for a period of 6 months for auditing and reporting, after which it is deleted from the system. Manual requests may be made to remove details prior to this period if required.

Access to this service is by username and strong password.

MailGun and/or MailChimp

Both of these services are email sending providers; however, their purpose and usage differ slightly.

MailGun sends emails from more automated sources, things like websites, contact forms or scripts, and is used within Ds Websites mainly in the back office processes of administering your account. Your email address, name and possibly address (if the email content contains it) are sent to MailGun when communication via this method is used.

Ds Websites' account with MailGun has a 30 day retention period for auditing sending success/failure information. After this time MailGun automatically deletes the audit information containing your data.


MailChimp is used as a front end to send campaigns to a bulk list of users - it may be used to administer the bulk sending of communications to all parties for the purposes of service announcements or global updates.

Data is deleted from this system upon account termination.

Physical devices

As Dropbox is linked to physical devices, the data stored in Dropbox are synchronised to them automatically.

Access to these devices is secured by username and strong password. No offsite backups are taken of this data as the physical nodes are already a backup of the cloud data (Dropbox) which is a backup of the raw data (Kashflow).

Data is deleted from these systems automatically upon account termination when Dropbox marks a deletion.


How this data is shared between business services

Ds Websites does not pro-actively share any stored data with any 3rd parties other than those used in the operation of the business, which are summarised above.

The following diagram shows how any data held is shared between these parties.

The accounting data (Kashflow) is the 'master source' of data for services provided to Ds Websites. The only case where data may differ from this is where alternative information has been given when using https://support.dswebsites.co.uk as this is driven by user sign up, and not data transfer/migration.

[Diagram: GDPR data sharing]



Retention

Ds Websites does not store any details that it is not required to keep for an active relationship with you. Ds Websites is required to keep information relating to accounting for a period of 5 years in line with guidance from HMRC.

Access to data

The GDPR regulations state that you as an individual can request the data Ds Websites holds about you free of charge. To request this, please contact enquiries@dswebsites.co.uk.