At HT2 Labs (HT2 Ltd. and HT2 Inc., “HT2”), we are committed to protecting your privacy.
HT2 and GDPR
As a business concerned with software and with the processing and analysis of data within our SaaS solutions, data privacy and security have always been key to our business success and one of our top priorities. The European Union endeavoured to bring data privacy and security more in line with today’s industry practices and requirements, which is why we have seen an overhaul of the legislation that governs these practices. The General Data Protection Regulation (GDPR) will replace the Data Protection Act as of 25th May 2018. This policy outlines how we comply and ensure compliance with its standards. For more information on GDPR please see www.eugdpr.org. Depending on your relationship with us and how we come to hold your data, HT2 is either a data processor within the definition of GDPR or a data controller.
GDPR defines a data controller as “the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In other words, if your organisation processes personal data for your own organisation’s purposes and needs—not merely as a service provider acting on behalf of another organisation—then you are likely to be a data controller. HT2 is a Data Controller for our direct customers.
Businesses or organizations that process personal data solely on behalf of, and as directed by, data controllers are data processors. In other words, when a data controller outsources a data processing function to another entity, that other entity is generally a data processor. For purposes of the GDPR, HT2 is also considered a Data Processor for our customers’ end-users.
Legal Basis For Processing
The legal basis on which we process data is that of contractual necessity, where data is processed for the data controllers that have subscribed to our services. We do, however, also process data to comply with our legal obligations and on the basis of legitimate business interests.
The steps we are taking to ensure GDPR compliance
We have addressed GDPR data protection requirements that are applicable to data processors and will continue to be vigilant, to ensure we handle any developing requirements.
Data processing
Our ability to fulfill our commitments as a data processor to our customers, the data controllers, is a part of our compliance with GDPR where data controllers are using our products to process personal data. Because of this requirement, HT2 will continue to ensure we’re doing the maximum to protect data and improve our processes and procedures where we identify the opportunity.
We regularly review our Information Security Policy and related work plans to ensure that they take into account all requirements, confirming we’re fulfilling our obligations under GDPR as a data processor. Our customers depend on us to manage and protect their data. Only a limited number of roles within HT2 are authorised to access customer environments, and then only when necessary, according to strict guidelines and documented actions. We comply with information security best practices including multiple-factor authentication and encryption.
HT2 commits to conforming to information security best practices. In line with GDPR, appropriate measures are assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, state of the art technologies, and the nature of the processing. These measures include data anonymisation in problem investigation/resolution and encryption. Regular testing of the effectiveness of all security measures is a continuous process.
HT2’s cloud offering runs on Web services. This is why we have appointed the following sub-processors for User Data, listed with links to the respective data processing agreements (under GDPR) in parentheses:
a. Google (https://cloud.google.com/security/gdpr/)
b. Amazon (https://aws.amazon.com/compliance/gdpr-center/)
c. Rackspace (https://www.rackspace.com/en-gb/gdpr)
d. Capsule (https://capsulecrm.com/new-privacy/)
e. MailChimp (https://mailchimp.com/legal/privacy/)