Privacy Policy

1.0 - Our core beliefs regarding user privacy and data protection

Ivy Rock Solutions is committed to safeguarding the privacy of our Customers and is registered with the ICO. This policy sets out and explains Ivy Rock Solutions policies and procedures and how we will treat your personal information. Ivy Rock Solutions understands:

• User privacy and data protection are human rights.
• We have a duty of care to the people whose data we collect and process.
• We understand that as we work with you we are likely to obtain confidential information and details about how your business works.
• We put in place Non-Disclosure Agreements (NDAs) to protect the clients with which we do business.
• We hate spam as much as you do!
• We will never sell or rent your data or otherwise distribute or make public your personal information, unless required to do so by a Court of law or any regulatory body.

2.0 - Relevant Legislation

Within our business and internal computer systems, our website / new systems are designed to comply with the following national and international legislation with regards to data protection and user privacy:

UK Data Protection Act 1998 (DPA)
EU Data Protection Directive 1995 (DPD)
EU General Data Protection Regulation 2018 (GDPR)

3.0 - Information we may collect when acting as Data Controllers

3.1 - Contact form on this website

Should you choose to contact Ivy Rock Solutions using the form on our website Contact us page, none of the data that you supply will be stored by this website or passed to / be processed by any of the third party data processors defined in section 6.0. Instead the data will be collated into an email and sent to Ivy Rock Solutions over Simple Mail Transfer Protocol(SMTP). Within the email all personal or identifiable information is encrypted using secure 2048-bit encryption and remains so until it reaches Ivy Rock Solutions' network. The email content is then decrypted by our local computers and devices. Your data is not transmitted unencrypted over any network outside of our direct control. Once we have received your enquiry we will begin to communicate with you via standard channels (i.e. unencrypted email) unless you express a preference to be contacted by other means.

3.2 - How we may use this data

• To respond to your enquiries and engage with you to collect requirements to build bespoke software.
• To advise you of new releases / delivery of software.
• To send administrative information to you, for example, information regarding our terms, services and policies and of course invoices.
• In the unfortunate event that you have a complaint we will respond using the information provided.
• On instruction to arrange a visit to your premises to carry out Electrical PAT Testing
• To send you PAT Registers on completion of electrical safety work.

4.0 - Information we may collect when acting as Data Processors

As our business is the development, maintenance and support of bespoke software systems we may act as Data Processors for third parties (The Data Controllers). Systems developed and maintained by us may store and process information relevant to those third parties' core business processes, including personal information relevant to their customers, suppliers, employees or other business partners.

We endeavour to ensure that the systems developed and maintained for our clients are:

• Built using robust security practices.
• Stored on and delivered from trusted, GDPR-compliant, secure hosted platforms.

4.1 - How we may use this data

When we enter into a relationship to process data on behalf of a third party Data Controller we ensure there is an agreement between us (Data Processing Contract) which:

• strictly limits our access to and use of such data
• puts in place expectations and liabilities on the Data Controller to use the equipment and systems that we provide in a compliant manner.

In general, Ivy Rock Solutions will process such data only in accordance with the specific instruction of the Data Controller. Our access to such data is limited by the Data Processing Contract to only providing those services requested by the Data Controller. In addition, some access to the data may be authorised for the purposes of investigating issues which may arise with systems provided by us.

If we are requested by the Data Controller to access any information for support or investigation, we agree that we will:

• Audit (record) dates and times of such access.
• Not store or copy any of the information outside of the system in which it is kept for the purposes of the Data Controller.
• Not attempt to use, monetise, sell or otherwise profit by access to the information.
• Not attempt to identify, contact or otherwise engage with any person(s) identifiable from the information.

We may be requested by the Data Controller to keep backups of the information to satisfy their own Data Retention and Backup policies. Our access to these backups will be governed by the same agreements as above.

5.0 - How we store your personal information

As detailed in Section 3.1 above, if you submit an enquiry to our website, it will be routed via our email provider and may be stored encrypted on their servers. Our secure mail form encrypts your mail enquiries and they will remain encrypted during transit until they arrive on our network.

We take measures to ensure the security of our network i.e. up-to-date firewalls and anti-virus, up-to-date operating systems on our computers, staff training and awareness.

If we receive your information in our capacity as Data Processors (suppliers of software and services to other parties), this information will be stored on trusted, compliant platforms (please see section 6.0 - Third Parties)

Children

As a supplier of software services and products Ivy Rock Solutions does not offer its services to, nor collect information from children or minors.

If any of our clients or partners (Data Controllers) for whom we act as Data Processors collect data from children, then this should be made clear in the privacy policies of those parties. Our own policy on the treatment of this data in the role of Data Processors is set out in section 4.0.

6.0 - Third Parties

We use several third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the legislation set out in section 2.0
FastHosts
Microsoft Products

7.0 - Lawful Basis for processing information

The ICO describes six lawful bases for processing information. Ivy Rock Solutions processes information under the following lawful bases:

• Consent - processing activity that we perform with your explicit consent.
• Contractual - processing activity agreed upon in a lawful contract.
• Legal - processing activity required by law or regulation i.e. financial record keeping.
• Legitimate Interest - activity required to carry out the normal operation of our business.

8.0 - Data Retention Period

We keep a Data Retention policy which details the retention of a range of types of data both internal and external, private and public. This policy instructs us how long to retain personal information.

In general, we will keep information that our customers provide to us for the duration of our working relationship, plus an additional 7 years after the termination of this relationship, unless a longer retention period is required or permitted by law.

If requested by a client or individual we may delete the information sooner, providing this is not in conflict with any legal or contractual obligation to retain the data.

9.0 - Breaches

Ivy Rock Solutions are required by law to report any security breaches involving any personal data to the ICO via their online form. It will be investigated, and all relevant persons notified within 72 hours of detection of the breach if it is apparent that personal data stored in an identifiable manner has been compromised.

9.1 - Reporting breaches and ethical disclosure

We greatly appreciate the efforts of security researchers and are committed to the concept of ethical disclosure. If you are aware of a potential breach or vulnerability which might affect Ivy Rock Solutions or its clients or partners, we invite you to contact us via the contact details section 14.0 to disclose details of the issue.

We will investigate the issue with priority, including disclosure to the ICO where necessary and where possible work with the reporting person or body to help correct any vulnerability and minimise the impact to our clients and partners.

We will attempt to respond to your report within 3 working days

We encourage ethical responsible reporting, and we will not take any legal action or request investigation by law enforcement against you if you comply with the following responsible disclosure guidelines

• Assist us by providing details of the vulnerability or data, including where possible steps to reproduce.
• Make every effort to avoid further privacy violations.
• Make no further attempt to leverage any vulnerability beyond that which was required to gather the initial information for the ethical disclosure.
• Do not modify, access, distribute, monetise or otherwise use data that does not belong to you.
• Allow us to work towards correcting the issue, allowing a reasonable time to achieve this before making any information public.

10.0 - Complaints

People who make a complaint to us can do so by contacting the Data Protection Officer see section 14.0.
When we receive a complaint we collate the detail into a folder which will have the identity of the complainant(s) involved.
This information is only used whilst dealing with the complaint whilst the matter is being investigated and to the point of resolution and is then kept upon the network in line with our Data Retention policy.

Individuals have a right to complain to the ICO if they believe there is a problem with the way their data is being handled.

11.0 - Your Rights

Ivy Rock Solutions likes to be as open as we can to provide people with access to the information we hold about them. Under the Data Protection acts listed in section 2.0, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here.

11.1 - Subject Access Request (SAR)

You have the right to receive a copy of the Personal information we hold on you (Subject Access Rights) along with details of processing and other parties with whom the information has been shared (if any). Please use our secure web contact form to send us a GDPR Subject Access Request.

Please note that there may be a £10 administration fee for requests deemed to be unfounded or excessive, in line with ICO guidance on charging for requests.

11.2 - Amendment / Correction

We are required to keep the information we hold accurate. If you feel that we hold incorrect information, please use our secure web contact form to send us a GDPR Data Alteration Request.

11.3 - Erasure - "the right to be forgotten"

GDPR grants individuals the right to have their data removed from our systems, so long as this is in compliance with regulation and law. To request erasure of your data please use our secure web contact form to send us a GDPR Data Erasure Request.

11.4 - Change of Consent

Individuals also have the right to change or revoke their consent to types of data processing. To request a change to your consent for processing please use our secure web contact form to send us a GDPR Change of Consent Request.

With all the above GDPR requests there will be a requirement to provide proof of identity in a timely fashion. This will be requested when we begin to process your request.

If you would like to exercise these rights please use the contact form described above, otherwise put the request in writing and use the contact options listed in section 14.0 below and the request will be dealt with as per our GDPR request procedures.

12.0 - Disclosure of Personal Information

In most cases we do not disclose any personal data without consent. However, when we investigate a complaint, for example, we may need to share personal information with our hosting / storage providers to allow them to assist in the investigation and resolution of the complaint. In some cases there may be a legal requirement to disclose personal information to relevant law enforcement and other authorities.

13.0 - Disclaimer

This site is intended to clarify the policies of Ivy Rock Solutions and the rights of its clients and individuals whose data are processed by us. The information above is to assist and inform, and is not a definitive statement of law.

We are not responsible for the content of any linked site or any link in a linked site.

14.0 - Contact Information

Who we are:

Ivy Rock Solutions Ltd, a UK private limited Company with company No 10258593
Whose registered office is:

15 Commercial Road,
Paddock Wood
Kent
TN12 6EN

How to contact us:

Please don't send any correspondence to the above address, instead if you want to request information about our privacy policy / have a Subject Access Request you can use our secure web contact form or contact us as below:

Ivy Rock Solutions - Data Protection Officer
Telephone: 07958 262 543
Email: privacy@ivyrock.co.uk

15.0 - Continuous Improvement

We are working with our clients to find any improvements / enhancements to existing systems to help them comply with the new laws and to process information in a compliant way. For example:

• Anonymised Data - data for processing purposes, from which it is impossible to uniquely identify an individual.
• Pseudonymised Data - the practice of making some data available for processing whilst physically separating it from other, uniquely identifying information. This practice makes unique identification more difficult (not impossible) but is considered a good practice to reduce risk to data subjects under GDPR.
• Certification & Qualification - we are working towards getting our Cyber Essentials / Cyber Essential Plus shortly.
• Contribution to the security community - pending membership of CiSP.
• Training - we continue to train and learn cyber security and data protection practices.

16.0 - Changes to our Privacy Policy

This privacy policy may change from time to time in line with legislation or technical developments.
We keep our privacy notice under regular review. We may not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes. Specific policy changes and updates are mentioned in the change log below.

17.0 - Change log

10/05/2018 - Official publication of this policy
07/05/2018 - Addition of Rights and Complaints procedures
24/04/2018 - Creation of privacy policy (updates for GDPR)