Contact Us

Data Processing and Protection Policy

May 2018

When we process customer Data that originates from the EEA or that is otherwise subject to EU Data Protection Law we apply the following data processing and protection policy.

GreyRidge Software Limited processes business-related data on behalf of customers only for the purposes set out below and in the context of business software that it supplies to customers and only when acting on their instructions.

About this Policy

As a software supplier we insist that our customers and their staff or related companies, along with ourselves, comply with relevant data law such as GDPR. We collectively have a joint responsibility to process and control data in accordance with EU law and to respect the rights of any third party.

Information about the Data

Subject

The subject our our processing is only our customer’s lawfully acquired data used for business purposes.

Duration

Our processing will be limited to the duration of any software agreement and at the end of this period all data shall be either returned to customers and / or subsequently destroyed.

Purpose of Processing

The purpose of processing is the provision of business services only by our customers.

The Nature of Processing

Is a business management system used by customer to manage their business.

Data Subjects

These may include the clients, prospective clients, associates and employees of our customers so long as the customer has a legal right to ask us to process such data.

Customer Data

Data being processed may include the following types of data: names, telephone numbers, address, email addresses and other information not considered high-risk under the terms of GDPR.

Limit of Processing Scope

We do not knowingly process data except according to the above criteria and we monitor our systems to check that this is the case.

Processor and Controller

For the purposes of data protection law, our customers are data controllers and we are the data processor.

GreyRidge Software as Processor
  • We process personal data only in accordance with the terms of our software agreements and with the customer’s instructions (provided that such instructions are legal and in accordance with this policy).
  • We keep a record of data processing carried out on behalf of customers.
  • We cooperate with supervisory authorities and comply with requests from individuals exercising their rights under data protection legislation.
  • We implement any appropriate security measures required by data protection legislation.
  • We allow and comply with audits of our data protection practices requested by our customers.
  • We have appointed a data protection officer.
  • We comply with rules about data storage being located within the EU.
  • We will tell our customers about any personal data breaches as soon as we know about them.
  • We will let our customers know if they ask us to do something that in our opinion is against data protection law or this policy.
Our Customers as Controllers
  • We insist that all personal data provided by customers shall have been lawfully obtained and retained and that we can legally process it.
  • We insist that in asking us to process data (knowingly or not), the customer is not asking us to contravene any data protection legislation or infringe the rights of the data subject or any third party.
  • We insist that the scope, nature and purpose of processing is always limited to those set out in this policy and any agreement we have with the customer.
  • We insist that customers let us know in advance of submitting sensitive data for processing or data requiring high-risk processing (as defined by data protection legislation) and that they not submit such data for processing until we give explicit written permission to do so.

Sub-processors

We may use sub-processors from time to time and we have listed our current sub-processors below:

  • Rackspace Limited (registered in England company number GB 226496978)
  • Amazon Web Services Inc, Seattle, WA, United States

We will inform and ask permission from our customers if we intend to appoint any third party as a new sub-processor of data not already listed above and we shall always require them to adhere to the standard set out in this policy.