Data Processor Statement - Xendica Limited
Xendica Limited (Xendica) is a company registered in England and Wales. The registered address is 727-729 High Road, London, England, N12 0BP and the company registration number is 05160920.
Xendica processes personal data contained in business data transmitted to it on behalf of its customers, only to the extent necessary for provision of the required services and only accordance with the customers' instructions. Xendica's customers choose what business data they share with Xendica based on the services they use, and own all rights in and to all their business data.
In legal terms, Xendica is a data processor and its customers are data controllers. As data controllers, Xendica's customers are accountable for compliance with personal data protection requirements that apply to their operations.
As a data processor, Xendica's obligations under the EU General Data Protection Regulation (GDPR) are:
- To have adequate information security in place: Xendica holds its customers' confidential business data in strict confidence and limit disclosure of it only to authorised employees on a need-to-know basis, or upon the customers' authorisation. These employees are bound by contractual confidentiality agreements. Xendica also maintains appropriate information security procedures (see 'More on Security', below).
- Not to use sub Processors without consent of the data controller: Any use of sub Processor is first discussed and agreed with customers (see 'More on 3rd Parties, below).
- To co-operate with the relevant Data Protection Authorities in the event of an enquiry: In the UK, this is the Information Commissioner's Office or ICO, and Xendica is fully committed to cooperation should the need ever arise.
- To report data breaches to the data controller without delay: Xendica's commitment to its customers is to report any breaches as soon as it becomes aware of them.
- To keep records of all processing activities: All instructions from Xendica's customers are received or confirmed in archivable written form, and all data processing activities that arise therefrom are logged.
- To comply with EU trans-border data transfer rules: Xendica's servers and the data they contain are all held within the UK and no data is accessed outside of the EU by any unauthorised parties (see also 'More on 3rd Parties, below).
- To help the data controller to comply with data subjects rights: Xendica assists its customers to respond to legitimate requests from individuals, mainly to rectify, block or erase their personal data.
- To assist the data controller in managing the consequences of data breaches: In addition to immediately notifying customers when Xendica becomes aware of any breaches, Xendica assists its customers in performing security and data protection assessments, security incident notifications or in replying to consultations of supervisory authorities that relate to services provided.
- To delete or return all personal data at the end of the contract at the choice of the data controller: After expiry of any service, Xendica will return any requested business data to its customers, and delete all such data from its systems, unless otherwise required by law.
- To inform the data controller if a customer's processing instructions infringe the GDPR: If Xendica receives instructions from a customer that is believed to contravene the directions of the GDPR Xendica will work with the customer to correct this before executing the instructions.
More on Security
Xendica's information security program maintains appropriate technical and organisational security measures designed to protect the security and integrity of the data under management. Xendica's security measures are based on globally accepted standards and may be summarized as:
- Site Access Control (unauthorized persons are prevented from physical access to data processing sites)
- System Access Control (data processing systems cannot be used without authorization)
- Data Access Control (data cannot be read, copied, modified, or removed without authorization during processing, use and storage)
- Transfer Control (data cannot be read, copied, modified, or removed without authorization during electronic transfer, or when saving to data storage media)
- Disclosure Control (confirming where and to whom data can be transferred by means of data transmission facilities)
- Input Control (tracking whether and by whom data has been entered, modified, or removed in data processing systems)
- Order Control (personal data processed on behalf of a customer is processed in strict accordance with the customer's instructions)
- Availability Control (protecting data against accidental destruction or loss)
- Separation Control (data collected for different purposes is processed separately)
- Notification Control (in the event of a material breach of any of the controls above, the customer is alerted promptly)
Xendica regularly audits the application of its security measures. Xendica will notify its related customers in the unlikely event of a security breach on its systems of which it becomes aware, as soon as Xendica becomes aware of the breach and has assessed its impact.
More on 3rd Parties
In order to provide its services, Xendica makes use of trusted 3rd parties. Trusted 3rd parties are companies or individuals that are engaged to provide technical solutions as part of Xendica's operations. For example, in order to provide data storage services or IT services. Xendica remains responsible for the handling of business information per its customer's instructions.
There is no intention that the data will be accessed or manipulated by these trusted 3rd parties. All business data is transmitted securely and the trusted 3rd parties are governed by agreements and policies to prevent their access to the data.
Trusted 3rd parties at thus time include:
- Amazon Web Service (data storage services) See https://aws.amazon.com/compliance/data-privacy-faq/
- Bytemark Limited (IT services). See https://www.bytemark.co.uk/privacy-statement/
- APM Internet (IT services). See https://www.verygoodemail.com
For any queries relating to our data processing, please contact privacy at xendica.com