We collect personal information from you, including information about your:
We collect your personal information in order to:
You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong. If you’d like to ask for a copy of your information, or to have it corrected, please contact us at firstname.lastname@example.org.
In its relationships with its clients, InsuredHQ is a data processor for the purposes of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. Each client which is in the EU or UK, or which collects data from any UK or EU resident, is a data controller under the GDPR and each is therefore obliged to ensure that processors meet the GDPR’s requirements.
InsuredHQ is hosted on Amazon Web Services virtual servers in Frankfurt, North Carolina and Sydney. Going forwards, the use of AWS servers will be specified in InsuredHQ’s contracts. Clients in the EU and the UK will be automatically hosted on the Frankfurt servers and data originating from those clients will therefore not be transferred out of the EU except in extreme circumstances, which will be contractually provided for. Any transfer will be only to another AWS data centre.
AWS has announced that it is fully GDPR compliant (https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/), and its website lists the rigorous international standards which AWS applies to ensure data privacy.
InsuredHQ’s contracts with its clients specify that all data is owned by those clients, although ultimately personal information is owned by the natural person from whom it originated. InsuredHQ does not assert any ownership rights over that data. In the event that the relationship between a client and InsuredHQ comes to an end, all data is returned to the client. InsuredHQ does not mine, sell or otherwise use the data for any of its own purposes. Data is processed strictly in accordance with the instructions of the client.
Although multiple clients may have their data hosted on the same server, every controller has a separate database. Data from two or more clients is never co-mingled.
InsuredHQ’s contracts also record that any data breaches will be promptly notified to any affected clients.
So far as requests by individuals for erasure of data are concerned, agreement by the client is not automatic, and it will be for the client in each case to determine whether grounds for erasure exist under GDPR Article 17 and whether any exceptions or limitations apply. InsuredHQ will respond to a request by a client to delete data after the client has made the necessary determinations.
InsuredHQ maintains stringent security processes. In addition to its in-house controls, InsuredHQ is tested annually by a third-party security agency which audits all aspects of SaaS-based security. This includes, but is not limited to, penetration testing and reviewing code procedures to make sure that any vulnerabilities are identified and guarded against.
InsuredHQ has deployed CloudFlare as an extra layer of protection, including against DDoS attacks. CloudFlare is GDPR-compliant (https://www.cloudflare.com/gdpr/introduction/).