Privacy policy

Information Security and Privacy Policy. Reviewed on 15 July 26. Version 1.8.

This policy is authorised by the Board, and it is reviewed and updated when necessary. In this document, Virtual Data Centre Services Ltd (DCS) may be referred to as “we”, “us”, or “our”.

Introduction

To provide and promote our services, we must collect, and process data. To protect this data, we have implemented an Information Security Management System, that has been certified to ISO 27001 and ISO 9001 standards, by BSI. Our management system is mature and has been certified since 2015.

This policy describes our approach to information security and privacy, and acts as a reference document for our staff, customers, and the public.

Our Stakeholders

Our stakeholders include: our staff; contractors; customers (including their customers and staff); our suppliers; our regulatory bodies (including UK and EU law enforcement, and UK administrative bodies); and our appointed auditors.

In addition to our contractual requirements, DCS has a number of legal requirements placed upon it. These include (but are not limited to): Data Protection Act 2018 (including the UK General Data Protection Regulations (UK GDPR)); Computer Misuse Act 1990; Anti-Bribery Act 2010, 2021 Whistleblowing Policy. The board will keep abreast of these regulations and provide updates accordingly.

Our Information Security Management System

We have created an Information Security Management System to structure our approach to security and governance. The scope of our ISMS, which has been certified to ISO 27001 is: The provision of safe and secure Business Continuity and Infrastructure services.

Our ISMS aims to provide a safe and secure environment for customers to host their virtual servers. Included in our scope is: the Virtual Platform Domain (VP); the physical servers it is operating from; both DCS data centre locations (Derby, Leeds); and the back-office technical and administrative functions necessary for the operation of our services.

All DCS staff, contractors and 3rd parties are in scope of the ISMS and receive training appropriate to their role.

Out of the scope of our ISMS are any assets used solely by customers and 3rd parties, such as a customer’s virtual machine.

Where high levels of risk are identified, risk reduction or mitigation actions are documented and employed.

Proactive Security, and Commitment to Improvement

DCS operates a ‘proactive’ security defence model. We have committed to continually improving the security and reliability of our platform: we own, control and when necessary, custom-build systems. We operate multi-zone environments to maximise uptime, redundancy, and response time to customers. Our network architecture is designed to reduce single points of failure and is constantly reviewed for best practice and compliance.

We monitor our platform for availability, reliability, and speed.

Structured Approach to Managing Security

To ensure that we have a consistent approach to security and privacy for our stakeholders, we have created a number of Standard Operating Procedures that provide a formal process for our common tasks. These SOPs cover everything from User Passwords and Staff Vetting, through to Incident Response and Change Management.

Our SOPs are reviewed at least annually and are updated in line with industry standards.

Independent Audit

To ensure that we’re meeting our obligations, and to provide our stakeholders with independent assurance of our performance, BSI performs regular audits on our Information Security Management System. These audits provide us with actionable feedback on our system, and enable us to continually improve our security and privacy.

Responsibility and Accountability

Overall accountability for information security and privacy rests with the company’s Board.

Responsibility for many functions relating to security and privacy has been assigned to operational teams, including:

  • System security: The technical team, led by our CTO, is responsible for ensuring that our systems are secure, and that they are designed and maintained according to our SOPs, and industry best practice.
  • Information governance, compliance, and standards: The DCS information security management team is responsible for governance, standards, and compliance issues. Further to this, we have trained an internal auditor to assist in the monitoring of these areas.
  • Information and document management: The administration team is responsible for managing the company’s documentation library, across its computing and physical estate.

All DCS staff are assigned some responsibility for information security and privacy and each member of our team must ensure they are familiar with their responsibilities, and act accordingly.

Privacy

DCS is committed to protecting the privacy of our website’s visitors, our prospects and users of our services. Please read this privacy policy, as it explains how we collect, use, maintain, process, and disclose your personal data through your access to our website, research and marketing activity, and use of our services.

Except where stated otherwise, this policy only covers processing where DCS is the controller of personal data for the visitors, prospects, partners and service users described above; where we decide why the processing happens and how it's carried out.

Who is the Data Controller?

We are: Virtual Data Centre Services Ltd (DCS).

Registered address: 3rd Floor, 6 Wellington Place, Leeds, LS1 4AP.

Company registration number: 07238621.

Data protection registration number: ZA022881.

What kinds of Personal Data does DCS Process?

DCS collects personal data for various purposes; with that in mind, we have created a list of the types of personal data that we may collect, either directly from you or from other sources, to achieve those purposes. The kinds of personal data we may collect include:

  • information about your computer and your visits to, and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation)
  • information that you provide to us to subscribe to our website services, email newsletters and webinars
  • any other information that you choose to send to us via our pricing tools, website, email or social media
  • business contact information for potential customers, suppliers and partners
  • Payment information: Credit/debit card details and bank account details you provide so that we can make payments to you or receive payments from you

Our data sources

When we did not obtain personal data directly from you, we gather data from a range of sources to enable us to identify potential customers, suppliers and partners.

These sources include third-party data brokers, our existing customers, partners and suppliers and via our research team, who use public domain, business-focused sources. These include company websites, Companies House or other business networking websites where the information is likely to have been published directly by the individual (or on their behalf by a third party with authority to do so) and where the data is likely to have been published for business purposes or with the expectation that this personal data may be processed by third parties for business purposes, including marketing.

Any personal data gathered by our research relates to adult individuals engaged in business and contains information relating specifically to that business activity; we do not gather any “special category” personal data (for example, data relating to your health, race or religion).

Where we have gathered your business contact details from a third-party source and have not yet contacted you directly, this privacy policy is how we make that information available to you. As soon as we make first contact with you, we will also provide this information to you directly, as described above.

All the data we gather is held in our secure CRM system, which is governed by our own strict data control and management policies.

Using your personal information

Personal information collected by us or submitted to us will be used for the purposes specified in this privacy policy, relevant parts of the website or the terms and conditions download section.

Where you submit personal information for publication on our website, we will publish and otherwise use that information in accordance with the licence you grant to us.

On each marketing communication we send, we include information about why we have made contact with you, offer a mechanism to opt out of further communications and provide a link to this privacy policy, for you to review information on the sources we have used to gather your data.

Purpose

Personal Information Used

Lawful Basis

Administer the virtualdcs.co.uk website.

All the personal information we collect.

We have a legitimate interest in effectively administering our website.

Answer your queries or complaints.

All the personal information we collect.

Where you have submitted a query or complaint, you have consented to us using your personal data to respond to that query or complaint.

We also have a legal obligation to provide complaint handling services.

For internal administration, staff training, quality assurance and legal reporting.

All the personal information we collect.

We have a legitimate interest to administer our business efficiently and improve the services we provide and ensure our team meet our quality standards.

Maintain accurate and up-to-date contact data.

All the personal information we collect

We have a legitimate interest to provide accurate communications to customers and inform prospective new customers about our services.

Inform you about products and services that may be of interest to you.

All personal information we collect or are sent

Where you have signed up to a newsletter or email notifications, you have consented to receive that newsletter or email notifications about the relevant subject.

We also have a legitimate interest to identify new customers and inform them of services that may be of interest to them.

Our team may contact you by telephone to discuss our services that may be relevant to you. We hold contact numbers within our secure CRM and screen the numbers we call against the TPS and CTPS registers before contacting you. If you would rather not hear from us, please let our team member know on the call. You can opt out of these communications at any time.

We may contact you by email with details of our services that may be relevant to you. We only send marketing emails to your business email address, and we hold this data within our secure CRM. If you would rather not hear from us, please follow the unsubscribe link within the email or reply directly asking to be removed. You can opt out of these communications at any time.

We may also contact you through the post. Full unsubscribe and privacy information is provided on each mail piece. You can opt-out of postal communications at any time.

Where we have obtained your details from a third-party source, as described in Our data sources above, we will also provide you with more information about this when we first contact you.

Make payments to you and receive payments from you.

Transaction and payment information.

It is in our legitimate interest to make and receive accurate payments, promptly, using the correct details.

Perform credit checks and anti-money laundering checks.

Contact details and payment information.

We have a legitimate interest and legal obligation to do so.

Making a decision about recruitment or appointment

All the personal information we collect

We have a legitimate interest in making sound employment decisions.


Sharing your information

We share personal information with the following parties:

  • Companies in the same group of companies as us.
  • Other legal or professional advisors: where relevant for a customer service.
  • Any party approved by you or our customers.
  • Credit reference agencies.
  • Credit reference agencies.
  • Other service providers, advisors and suppliers: such as companies that support our business, help us analyse and enhance the data we hold, process payments, send communications to our customers, prospects and partners, provide us with legal or financial advice and generally help us deliver and promote our services to you.
  • Purchasers of our business: buyers or prospective buyers who we sell or negotiate to sell our business to.
  • The Government or our regulators: where we are required to do so by law or to assist with their investigations.
  • Police and law enforcement: to assist with the investigation and prevention of crime.
  • to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.

We do not disclose personal information to anyone else except as set out above.

Security of personal information

Suitable safeguards, both technical and organisational, are maintained to protect your data from being lost, misused or changed without authorisation.

We will store all the personal information you provide on our secure CRM. You acknowledge that transferring information online always carries some risk, particularly if it isn't encrypted or is insufficiently encrypted, and its security in transit can't be guaranteed by us.

Transferring your personal information internationally

Our website and CRM are hosted by HubSpot, Inc., which stores our data primarily in its EU data centre, located in Germany. Due to this, your personal data may be transferred between the UK and the EEA. This is permitted under both UK and EU data protection law, as each of the UK and the EU have determined that the other provides adequate protection for personal data.

HubSpot is headquartered in the United States, however, and some personal data may still be transferred to, or accessed from, the US. This is permitted under UK data protection law: the UK Government has assessed the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") as providing adequate protection for personal data transferred to US organisations that have self-certified to it. HubSpot is certified under both the EU-US Data Privacy Framework and the UK Extension and also maintains Standard Contractual Clauses as an additional safeguard.

We may also share personal data with other suppliers and service providers who support our business (see "Sharing your information" above). Where any of these suppliers are located outside the UK or EEA, we will ensure the transfer is covered by one of the following: a UK adequacy regulation; the UK Extension to the EU-US Data Privacy Framework (for certified US-based suppliers); or the UK's International Data Transfer Agreement, or the UK Addendum to the European Commission's Standard Contractual Clauses, as appropriate.

Anything you choose to publish on our site may be publicly visible online, globally, and we are unable to prevent others from using or misusing this personal data.

Policy amendments

This policy may be updated periodically, and we'll republish it here whenever it changes, so it's worth revisiting occasionally to see if you're satisfied with the updates. For any major changes, we may also let you know directly by email.

Your rights

You have the following rights in relation to your personal information:

  • the right to access – request a copy of the personal data we hold about you.
  • the right to rectification – ask us to correct inaccurate data or complete data that's missing.
  • the right to erasure – have personal data we hold about you removed.
  • the right to restrict processing – require us to limit how your data is processed.
  • the right to object to processing – challenge our processing of your data.
  • the right to data portability – receive your data in a usable format, or have it passed directly to another organisation.
  • the right to complain to a supervisory authority – raise a complaint with the ICO, or another relevant regulator, about how we handle your data.
  • the right to withdraw consent – where we rely on your consent to process your data, you can withdraw it at any time.

Each of these rights comes with its own conditions and exceptions under data protection law. Further detail is available from the ICO and the European Data Protection Board. To exercise any of these rights, get in touch with us in writing - our details are set out in the 'Contact details' section of this policy.

Supply of such personal information that we hold about you will be subject to the supply of appropriate evidence of your identity. Where we cannot reasonably confirm your identity or where the requested information is sensitive, we may ask for further evidence before proceeding.

The documentation we request will depend on the nature of your request and may include a copy of your passport or driving licence, together with proof of your current address, such as a utility bill (in some cases, we may ask for these to be certified by a solicitor or bank).

We may withhold such personal information to the extent permitted by law.

You may instruct us not to process your personal information for marketing purposes by sending an email to us (see our Data enquiries and questions section).

Regardless of the marketing communication medium, we will always provide you with an opportunity and mechanism to opt out of the use of your personal information for marketing purposes.

Whilst this privacy policy sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

How long will DCS keep your Personal Data?

We will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this privacy policy.

The following criteria are what determine the period for which we will keep your personal data:

  • Until we are no longer required to do so to comply with regulatory requirements or financial obligations.
  • Until we are no longer required to do so by any law we are subject to.
  • Until all purposes for which the data was originally gathered have become irrelevant or obsolete.

Where we are able to specify more precise periods, the following will typically apply:

  • We will keep your personal data for as long as you wish to continue receiving communications from us. Business contact data will be retained for a minimum of 3 years and a maximum of 6 years from the date of our most recent contact with you.
  • Communication data (the content of enquiries, correspondence and similar exchanges) will be retained for a minimum of 6 months and a maximum of 6 years from the date of the communication in question.
  • Except as otherwise provided in this section, other personal data will be retained for a minimum of 3 years and a maximum of 6 years following the date it was submitted to us.

If a specific period can't be set in advance for a particular purpose, we'll retain the data for a reasonable period, guided by the factors described above.

Where you've given us permission to publish your personal data, for instance, content you've submitted for publication on our site (see 'Sharing your information' section above), we can publish and hold that data for as long as that permission remains, even past the retention periods above, without affecting your rights under this policy. Once we take the content down, the usual rule applies: a minimum of 3 years and a maximum of 6 years from the date it stopped being published.

Regardless of the above, we may retain your personal data for longer where necessary to comply with a legal obligation or to protect your vital interests or those of another person.

Call recording

We record our telephone calls for internal administration, training, quality assurance and to meet our legal reporting obligations.

Recordings are stored within secure cloud infrastructure for no longer than one year unless our engagement extends beyond this time or we are required to do so by law.

Analytics

We use analytical tools to gather information about the use of our website using cookies. The information gathered is used to create anonymous reports about the use of our website. For full information on the cookies we use, and how to opt out, visit our cookies policy.

Third-party websites

You'll find links to other websites, and information about them, in various places on our site. Those third parties set their own privacy policies and practices, which sit outside our control or responsibility.

Data enquiries and questions

DCS is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about our approach to data protection, would like to request a copy of the data we hold about you or your business, or wish to raise a complaint, you can contact us at enquiries@virtualdcs.co.uk or by using our contact form below:

 

Data Enquiries Form



Requests for a copy of your personal data will be responded to within one month of receipt. Complaints will be acknowledged within 30 days and then resolved without undue delay, with progress updates provided along the way.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection issues, at https://ico.org.uk/make-a-complaint/, or to your local data protection regulator if you are based outside the UK. We would, however, appreciate the opportunity to hear and attempt to resolve your concerns first before you approach the ICO, so please contact us in the first instance.

Data privacy FAQs

In this section, we run through some of the most frequently asked questions about DCS data. How we gather it, why we use it and how you can control the information we hold for you and your business.

1. I’ve received a telephone call, email or direct mail about DCS – where did you get my data and who gave you permission to store and use it?

If you’ve received a call or email from one of our sales development team or a piece of direct mail from our marketing team, we have researched your business contact data online, from public domain business sources such as your company website or Companies House.

We store this information in our secure CRM as we have a legitimate business interest in identifying potential new customers, who may find our services relevant to their businesses.

On each piece of marketing material we send, we will include information about why we have made contact with you, offer a mechanism to opt out of further communications of this type and provide a direct link or details of how to access this privacy policy, for you to review the sources we have used to gather your data.

2. I do not wish to receive further communications from DCS, how do I opt out?

If you would prefer not to receive telephone calls from DCS, you can opt out by informing us on the call or by subscribing to the Telephone Preference Service (TPS) / Corporate Telephone Preference Service (CTPS) to stop receiving any unsolicited commercial calls.

If you would prefer not to receive emails from our team, you can opt out of future messages by following the opt-out link in the email or by replying directly to optout@virtualdcs.co.uk asking to be removed.

If you would like to stop receiving marketing communications via post, please follow the details contained in the mail or email optout@virtualdcs.co.uk, and we will remove you from our mailing list.

Who is the DCS EU Representative?

Ametros Ltd

UK: Fourth Floor, Broadway House, 32-35 Broad Street, Hereford, HR4 9AR

Ireland: Coliemore House, Coliemore Road, Dalkey, Co Dublin

Tel: 0330 223 2246

Email: gdpr@ametrosgroup.com

Contact details

Tel: 03453 888 327

General questions: enquiries@virtualdcs.co.uk

Marketing opt-out: optout@virtualdcs.co.uk

Address: 3rd Floor, 6 Wellington Place, Leeds, LS1 4AP