Data Processing Policy (DPP)

Overview

This document outlines the scope within which Pipe Ten classifies and handles “customers’ data” on behalf of its customers. It extends but does not replace the generic “Privacy Policy (PP)” and “Terms of Service (ToS)” which underpin all Pipe Ten offerings.

Scope

Any data that a direct customer uploads to a Pipe Ten service, which is not relating to the direct relationship between Pipe Ten and said direct customer, is to be considered to be “customer’s data”.

Therefore “customer’s data” may include but is not limited to:

  • Contents of Mailboxes
  • Contents of Web/File Storage Services
  • Contents of DB/Database Storage Services
  • Generally anything uploaded or stored to the Pipe Ten service, except relating directly to the Pipe Ten<>Customer relationship.

Data

*For “customer’s data”, Pipe Ten typically DOES NOT know:

  • The contents of “customer’s data” beyond “important 0’s and 1’s”.
  • The type of data being stored (eg. personally identifiable information or credit cards).
  • The volume of data (eg. 1 record or 1 billion records).
  • The locality/structure of the information within (eg. you can find this info at this location).

Due to not knowing, Pipe Ten therefore treats all customer data with the same respect and standards of control.

Compliant vs Capable

It is important to define that Pipe Ten does not provide “StandardX Compliant” solutions, Pipe Ten will only provide “StandardX Capable” solutions.

“Capable” solutions will become “Compliant” solutions only when the direct customer configures them as required and includes them within their own compliance scope.

Pipe Ten does not accept liability for ensuring its products are used by the customer in such a way to achieve compliance, but will assist where asked to help the customer to do so.

Storage

While Pipe Ten takes every step reasonably possible to ensure the security of “customer’s data”, it is the direct customer’s responsibility to ensure it stored in a way in which minimises the risk of compromise/disclosure. This includes being on a solution specified with the appropriate level of security (eg. anti-virus, firewalls, etc), placing the data in the correct locations (eg. not in location which has open public access) and having the data in an appropriate format (encrypted or otherwise unreadable where necessary).

Access

Pipe Ten may “access” upon “customer’s data” during the course of its business and service provider obligations. Examples of this include but is not limited to debugging, taking backups, anti-virus scanning, upgrading systems or other general system administration tasks.

Pipe Ten may access “customer’s data” when explicitly requested and authorised to-do so by its direct customers (eg. debugging, taking manual backups, providing support assistance etc).

Pipe Ten will otherwise never access, duplicate or move “customer’s data” outside of the secure environments to which it was uploaded or otherwise agreed locations.

While “Pipe Ten” staff are held to exceptionally high standards, contracts and policy (including background checks and security clearances), it is ultimately the customer’s responsibility to ensure data is encrypted or otherwise rendered unreadable to Pipe Ten staff should there be any compliance need or concern regarding capability to access.

In circumstances where the direct customer provides Pipe Ten with the capability to access or decrypt any protected “customer’s data”; other than Pipe Ten’s reasonable duty of care, this shall be the direct customer’s liability.

Processing

Pipe Ten will never “process” any “customer’s data” without explicit and authorised request.

In any rare circumstances where a direct customer asks Pipe Ten to perform “processing” on the “customer’s data”, this shall be done on a time limited basis and subject to contract.

Data Processor and GDPR

From https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf:

“The DPA draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same
degree of responsibility. It is the data controller that must exercise control over the processing and carry data protection responsibility for it.

  • “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
  • “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
    • a) organisation, adaptation or alteration of the information or data,
    • b) retrieval, consultation or use of the information or data,
    • c) disclosure of the information or data by transmission, dissemination or otherwise making available
    • d) alignment, combination, blocking, erasure or destruction of the information or data

The definition of processing can be useful in determining the sort of activities an organisation can engage in and what decisions it can take within its role as a data processor. The
definition of ‘processing’ suggests that a data processor’s activities must be limited to the more ‘technical’ aspects of an operation, such as data storage, retrieval or erasure.”

“processing” in the scope of Pipe Ten:

  • a) organisation, adaptation or alteration of the information or data,
    • Pipe Ten generally does not provide as service; and/or has insufficient knowledge *(see Data section above) of the customers data for this “processing” criteria.
  • b) retrieval, consultation or use of the information or data,
    • Pipe Ten generally does not provide as service; and/or has insufficient knowledge *(see Data section above) of the customers data for this “processing” criteria.
  • c) disclosure of the information or data by transmission, dissemination or otherwise making available
    • Pipe Ten provides the customer with the services and tools by which this “processing” criteria can occur, but the customer controls if, when and how it occurs.
  • d) alignment, combination, blocking, erasure or destruction of the information or data
    • Pipe Ten is responsible for the erasure and destruction of the logical or physical disks, irrespective of their contents, in line with the Data Destruction Policy (DDP) and Hardware Destruction Policy (HDP).

So in many respects Pipe Ten is not really a data processor for its direct customers data, however customers may list them as such within the scope define above.

Reseller Customer Data

Pipe Ten are aware that, for some customers on legacy reseller hosting packages, Pipe Ten are the Data Processor, with the Reseller being the Data Controller. Pipe Ten will not disclose any Reseller’s Customer data to any third parties, except as necessary to comply with the law or a valid law enforcement agency. Pipe Ten will process Personal Data as necessary to fulfil the specific Reseller Terms of Service for the period the reseller account is within contract. The Reseller may upload Personal Data in the course of its use of the service, the type of and extent to which is determined and controlled by the Reseller in its sole discretion. The Reseller has full access to all their Customer data with the ability retrieve, correct, delete or restrict use of and may use these controls to assist in connection with its obligations under applicable privacy laws, including its obligations relating to responding to requests from Data Subjects. Pipe Ten shall promptly notify the Reseller if Pipe Ten directly receives a request from a Data Subject to exercise such rights under any applicable data privacy laws. The Reseller is responsible for reviewing the information made available by Pipe Ten relating to data security and making an independent determination as to whether the service meets the Reseller’s requirements and legal obligations under applicable privacy laws.

Last modified 24th May 2018 by Gavin Kimpton