Devise reserves the right to make changes to this Data Processing Policy at any time, and any changes will be effective immediately upon posting to Devise's web site: www.devisegraphics.co.uk. Devise's Customers are responsible for regularly reviewing the Policy. Continued use of the Services following any changes shall constitute acceptance of the changes.
Definitions can be found in our Terms and Conditions.
If you have any questions about these policies, please contact us.
For the purpose of providing the Services, Devise will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that Devise acts as a Data Processor for all Customer Hosted Data supplied to Devise by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
By accepting this Policy the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Policy is accurate.
Devise undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimisation of or decision-making based on Customer Hosted Data for the purposes of such Processing by Devise. Devise provides a dedicated and cloud-based hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.
Devise maintains no visibility of and has no intention to access or manipulate Customer Hosted Data, even in the case where Devise maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. Further, any processing by Devise of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
Devise classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types or Customer Hosted Data or categories of Personal Data within this set. Devise applies the same level of generic security controls to all Customer Hosted Solutions.
Devise provides a service which constitutes among other things the provision of hosting services and / or software to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues.
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, Devise will Process all such Personal Data in accordance with the Customer’s written instructions.
Devise has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. A non-exhaustive list of technical and organisational measures are as set out below. By accepting this policy, the Customer confirms that it has reviewed and approved the following measures:
HR & Access Control
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
As set out in the applicable Service Definitions, Devise cannot guarantee the Availability of individual Customer Hosted Solutions in an Available state at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator. Devise guarantees the availability of data centre services, e.g. availability of core network connection, power and cooling, and the availability of sufficient capacity where Cloud services are procured in line with the provisions of the services’ respective SLAs and Devises’s definition of Availability. In accordance with the Services being provided, Devise is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.
As the Primary System Administrator and / or Data Controller the Customer has the following responsibilities under GDPR:
By accepting this policy, the Customer hereby permits Devise to appoint sub-processors of Personal Data and, for the term that the policy is in force, shall have a general right to appoint sub-processors of Personal Data. Devise shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Policy.
Devise utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub Processors used to provide Services will be updated from time to time to reflect the current operational position:
Devise will update the Customer of the use of any new Data Sub-Processor at least two (2) weeks prior to adoption of the Sub-Processor and transfer of Customer Hosted Data or provision of any form of access to Customer Hosted Solutions by support ticket or email, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to Devise complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. Devise will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.
Devise will maintain agreements with all Devise Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.
Devise will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.
Devise will only process Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this policy are taken to be in whole contained within the section ‘Policy on data for which Devise Graphics is the Data Processor’. No other written instructions can be accepted as they will fall outside of the scope of our services.
Although most changes are likely to be minor, Devise Graphics may change its policies from time to time. Devise Graphics encourages visitors to frequently check this page for any changes to its policies. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification through e-mail or your dashboard). Your continued use of the Services after any change in this policy will constitute your consent to such change.
21st May 2018 Initial version.