Please also read our Privacy Policy to learn how we handle situations where we are acting as the Data Controller.

Devise reserves the right to make changes to this Data Processing Policy at any time, and any changes will be effective immediately upon posting to Devise's web site: www.devisegraphics.co.uk. Devise's Customers are responsible for regularly reviewing the Policy. Continued use of the Services following any changes shall constitute acceptance of the changes.

Definitions can be found in our Terms and Conditions.

If you have any questions about these policies, please contact us.

The purpose and scope of Devise's Data Processing on behalf of Data Controllers

For the purpose of providing the Services, Devise will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that Devise acts as a Data Processor for all Customer Hosted Data supplied to Devise by the Customer as well as the Customer’s own customers or agents.

The Services are provided on the basis that either:

1. the Customer is the Data Controller for all Customer Hosted Data supplied to Devise under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
2. where the Customer is a Data Processor on behalf of a Data Controller, that Devise is a sub-Data Processor and that the Customer has:
   • ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
   • entered into the required contractual arrangements, including arrangements with the relevant Data Controller for Devise to act as sub-processor legally;
   • has complied with its obligations as Data Processor under the applicable Data Protection Laws; and
   • shall be liable to the Data Controller for Devise’s acts and omissions and a sub-Data Processor.

By accepting this Policy the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Policy is accurate.

Nature of the Processing

Devise undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimisation of or decision-making based on Customer Hosted Data for the purposes of such Processing by Devise. Devise provides a dedicated and cloud-based hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.

Devise maintains no visibility of and has no intention to access or manipulate Customer Hosted Data, even in the case where Devise maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. Further, any processing by Devise of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.

Devise classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types or Customer Hosted Data or categories of Personal Data within this set. Devise applies the same level of generic security controls to all Customer Hosted Solutions.

Devise provides a service which constitutes among other things the provision of hosting services and / or software to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues.

Duration of Processing

The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, Devise will Process all such Personal Data in accordance with the Customer’s written instructions.

Devise's Responsibilities

Devise has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. A non-exhaustive list of technical and organisational measures are as set out below. By accepting this policy, the Customer confirms that it has reviewed and approved the following measures:

HR & Access Control

• Appropriate on-hire, role change and termination activities related to Devise access and asset management
• Use of a role-based access control system and restriction of all
• Devise access to customer data or Customer Hosted Solutions to those personnel with a business need for access
• The ability to audit all Devise personnel access to Customer Hosted Solutions and/or Customer Hosted Data

Operational Security

• Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
• Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure
• Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
• Backups and infrastructure redundancy within the underlying hosting infrastructure
• Appropriate security of all Devise end-user devices used by Devise to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions

Incident Management

• Sufficient internal incident management procedures including the commitment to escalate relevant security incident to impacted Customers without undue delay

Service Availability

Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.

As set out in the applicable Service Definitions, Devise cannot guarantee the Availability of individual Customer Hosted Solutions in an Available state at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator. Devise guarantees the availability of data centre services, e.g. availability of core network connection, power and cooling, and the availability of sufficient capacity where Cloud services are procured in line with the provisions of the services’ respective SLAs and Devises’s definition of Availability. In accordance with the Services being provided, Devise is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.

Customer data protection responsibilities

As the Primary System Administrator and / or Data Controller the Customer has the following responsibilities under GDPR:

1. Maintain appropriate technical controls to secure and monitor for security:
   • the Applications
   • logical data stores (data bases, or storage structures built by or on behalf of the Customer)
   • Monitoring of the Customer Hosted Solution for signs of security incident or intrusion
   • all non-Devise user access
   • Ongoing management of any anti-malware controls residing on Customer accounts
   • Undertake any required third party testing or certification of their Customer Hosted Solution
2. Where the above is included within the scope of a Customer SLA, Devise will undertake the work based on instructions from the Customer in ticket form, but the Customer remains responsible for the efficacy of the controls implemented.
3. Undertaking all organisational measures required to ensure compliance with the basic principles for processing (articles 5, 6, 7 and 9 of the GDPR) and Subject’s rights (Articles 12-22 of the GDPR) at point of collection of data, and be aware of the technical and organisational security controls put in place by Devise, maintain additional technical and organisational controls to ensure compliance during processing, storage, any transfer not undertaken solely by Devise and at point of destruction, if not reliant on Devise’s underlying solution-level data destruction processes.
4. Undertake and manage all communication with Data Subjects
5. Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller

Devise's use of Data Sub-Processors

By accepting this policy, the Customer hereby permits Devise to appoint sub-processors of Personal Data and, for the term that the policy is in force, shall have a general right to appoint sub-processors of Personal Data. Devise shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Policy.

Devise utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub Processors used to provide Services will be updated from time to time to reflect the current operational position:

• Digital Ocean Inc – Hosting Infrastructure
• Amazon Web Services, Inc – Hosting Infrastructure
• Tucows Inc - Domain Name Registration & SSL Certificate Issuing
• Microsoft Ltd – Email Infrastructure
• Mailchimp Inc – Provision of bulk emailing services

Devise will update the Customer of the use of any new Data Sub-Processor at least two (2) weeks prior to adoption of the Sub-Processor and transfer of Customer Hosted Data or provision of any form of access to Customer Hosted Solutions by support ticket or email, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to Devise complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. Devise will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.

Devise will maintain agreements with all Devise Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.

Transfer to non GDPR-aligned locations or Sub-Processors

Devise will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.

Processing in accordance with written instructions

Devise will only process Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this policy are taken to be in whole contained within the section ‘Policy on data for which Devise Graphics is the Data Processor’. No other written instructions can be accepted as they will fall outside of the scope of our services.

Policy Changes

Although most changes are likely to be minor, Devise Graphics may change its policies from time to time. Devise Graphics encourages visitors to frequently check this page for any changes to its policies. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification through e-mail or your dashboard). Your continued use of the Services after any change in this policy will constitute your consent to such change.

Change Log

21st May 2018 Initial version.