Introduction
This Data Processing Policy ("Policy") describes how Cloudignyte Limited ("we", "us", "our", or "Processor") processes personal data on behalf of our clients ("Data Controllers") when providing cloud consulting and infrastructure services.
This Policy is designed to ensure compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation.
Scope
This Policy applies to all personal data processing activities undertaken by Cloudignyte on behalf of our clients, including:
- Cloud infrastructure design and implementation
- Application modernisation and migration services
- Data analytics and AI-powered insights services
- Security and compliance consulting
Our Role as Data Processor
When providing services to our clients, Cloudignyte typically acts as a Data Processor. This means we process personal data only on behalf of and under the instructions of our clients (the Data Controllers).
Data Controller Responsibilities
Our clients, as Data Controllers, are responsible for:
- Determining the purposes and means of processing personal data
- Ensuring a lawful basis exists for processing
- Providing appropriate privacy notices to data subjects
- Responding to data subject rights requests
- Ensuring compliance with applicable data protection laws
Data Processor Responsibilities
As a Data Processor, Cloudignyte is responsible for:
- Processing personal data only on documented instructions from the Data Controller
- Ensuring personnel are bound by confidentiality obligations
- Implementing appropriate technical and organisational security measures
- Assisting the Data Controller with data subject rights requests
- Notifying the Data Controller of any personal data breaches
- Deleting or returning personal data upon termination of services
Data Processing Agreement
Before processing any personal data on behalf of a client, Cloudignyte enters into a Data Processing Agreement (DPA) that includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Rights and obligations of both parties
- Security measures to be implemented
- Sub-processor arrangements
- Data transfer mechanisms (where applicable)
Security Measures
Cloudignyte implements comprehensive technical and organisational measures to protect personal data, including:
Technical Measures
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control with multi-factor authentication
- Network Security: Firewalls, intrusion detection, and network segmentation
- Monitoring: Continuous security monitoring and logging
- Backup: Regular encrypted backups with tested recovery procedures
Organisational Measures
- Staff Training: Regular data protection and security awareness training
- Policies: Comprehensive information security policies and procedures
- Vetting: Background checks for personnel with access to personal data
- Incident Response: Documented incident response and breach notification procedures
- Audits: Regular security assessments and compliance audits
Sub-Processors
Cloudignyte may engage sub-processors to assist in providing services. We maintain a list of approved sub-processors and ensure:
- Prior written authorisation from the Data Controller
- Sub-processors are bound by equivalent data protection obligations
- Regular assessment of sub-processor compliance
- Notification of any changes to sub-processor arrangements
Current Sub-Processors
Our primary sub-processors include:
- Amazon Web Services (AWS): Cloud infrastructure services
- Microsoft Azure: Cloud infrastructure services (where applicable)
- Google Cloud Platform: Cloud infrastructure services (where applicable)
A complete list of sub-processors is available upon request.
International Data Transfers
Where personal data is transferred outside the UK, Cloudignyte ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions where applicable
- Binding Corporate Rules where appropriate
- Additional technical and organisational measures as required
Data Subject Rights
Cloudignyte assists Data Controllers in responding to data subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
We will promptly notify the Data Controller of any requests received directly from data subjects.
Data Breach Notification
In the event of a personal data breach, Cloudignyte will:
- Notify the Data Controller without undue delay (and within 24 hours where feasible)
- Provide all necessary information to enable the Data Controller to meet their notification obligations
- Assist with investigation and remediation efforts
- Document the breach and actions taken
Data Retention and Deletion
Upon termination of services or at the Data Controller's request, Cloudignyte will:
- Return all personal data in a commonly used format
- Securely delete all copies of personal data
- Provide written confirmation of deletion
- Retain only data required by law, with appropriate safeguards
Audits and Compliance
Cloudignyte supports Data Controller audit rights by:
- Providing relevant documentation and evidence of compliance
- Allowing on-site audits with reasonable notice
- Cooperating with regulatory authorities as required
- Maintaining certifications and compliance attestations
Changes to This Policy
We may update this Policy periodically to reflect changes in our practices or legal requirements. Material changes will be communicated to affected clients.
Contact Information
For questions about this Data Processing Policy or our data processing practices, please contact:
Cloudignyte Limited, Jubilee House, Third Avenue, Globe Park, Marlow, England SL7 1EY
Email: info@cloudignyte.com
Data Protection Contact: dpo@cloudignyte.com