Cloudstream Software Solutions

Data Protection and Cyber Security

Introduction

Cloudstream is committed to safeguarding the privacy and security of personal data processed through our services. As a provider of software, data processing, and consultancy services, we handle personal data responsibly and in full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This policy outlines our approach to data protection and cyber-security to ensure the confidentiality, integrity, and availability of personal data processed through our systems.

Scope of the Policy

This policy applies to all data subjects whose personal data is collected, stored, or processed by Cloudstream, including:

  • Clients (data controllers),
  • End users of client applications (data subjects), and
  • Authorized third-party service providers (sub-processors).

The personal data we process includes names, email addresses, phone numbers, and other content or data shared by end users via our services, transmitted or stored electronically. We do not process any special categories of sensitive personal data or data on minors or vulnerable individuals.

Data Protection Principles

Cloudstream adheres to the following data protection principles:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully and fairly, ensuring transparency regarding how data is collected and processed.
  • Purpose Limitation: Data is collected for specified, legitimate purposes, primarily to enable our clients to use our software and services.
  • Data Minimization: We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes of processing.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
  • Storage Limitation: Personal data is retained for no longer than is necessary (currently 3 years) for the purposes for which it was collected.
  • Integrity and Confidentiality: We implement technical and organizational measures to ensure that personal data is processed securely, protecting against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Data Collection and Processing

We collect personal data through web applications, customer emails, and other means. Personal data may also be received from third parties, such as APIs or data-sharing systems, with proper consent obtained from the relevant parties. We do not collect data without explicit consent from data subjects or customers.

Cloudstream processes personal data on behalf of our clients, acting as a data processor. We comply with the instructions of our clients (data controllers) in processing personal data and ensure that all data processing activities are in line with GDPR and our Data Processing Agreement (DPA).

Security Controls

Cloudstream employs robust security measures to protect personal data from unauthorized access, loss, or breach:

1. Physical Security

  • Access to Cloudstream offices and systems is restricted to authorized personnel only.
  • Secure buildings and controlled access points are in place to prevent unauthorized physical access to data.

2. System Access Controls

  • Authentication via strong passwords and two-factor authentication (2FA) is required for access to our systems.
  • Access to personal data is limited to authorized personnel based on role-based permissions. Database query access is restricted, and only those with specific privileges can access sensitive data.
  • Access rights are reviewed regularly to ensure compliance with the principle of least privilege.

3. Data Encryption

  • Personal data stored on our systems is encrypted both at rest and in transit using industry-standard encryption protocols.
  • All data transfers to and from Cloudstream systems are secured through HTTPS/SSL protocols, ensuring secure transmission.

4. Logging and Monitoring

  • All system access and data processing activities are logged to monitor for unauthorized access or suspicious activity.
  • Logs are regularly reviewed by our security team to identify and address any potential threats or breaches.

5. Change Management

  • We have a documented change management process to ensure that any system updates or changes are implemented securely.
  • All changes to critical systems are thoroughly tested before being applied to production environments.

6. Input and Transfer Controls

  • Input controls ensure that only authorized personnel can enter, modify, or delete personal data in our systems.
  • Data transfers from clients or third parties are managed through secure APIs or encrypted file transfers to ensure data integrity.

Authorized Sub-processors

Cloudstream relies on Amazon Web Services (AWS), a trusted cloud service provider, to store and process personal data. AWS provides secure data hosting in the European region (London), in compliance with GDPR. Our sub-processors are carefully selected and regularly audited to ensure they meet the same high standards of data protection and security.

Contractor Management

Cloudstream works with external contractors to provide software development and consultancy services. All contractors are bound by our Contractor Code of Conduct and Data Protection Policy, which include the following security obligations:

  • Contractors are required to maintain the confidentiality of any personal data they handle.
  • Contractors are only permitted access to data necessary for their role and are subject to our access control procedures.
  • All contractors undergo a data protection briefing to ensure they are aware of their responsibilities under GDPR.

Data Breach Management

In the event of a data breach, Cloudstream has a detailed Data Breach Response Plan in place, which includes the following steps:

  • Immediate containment and investigation of the breach.
  • Notification to affected clients (data controllers) and, if necessary, the relevant data protection authorities within 72 hours of becoming aware of the breach.
  • Remediation actions to prevent future occurrences of similar incidents.
  • Full documentation and reporting of the breach, including actions taken and lessons learned.

Data Subject Rights

Cloudstream is committed to supporting data subjects in exercising their rights under GDPR. These rights include:

  • Right to Access: Data subjects have the right to request access to the personal data we process about them.
  • Right to Rectification: Data subjects may request corrections to inaccurate or incomplete data.
  • Right to Erasure: Data subjects may request that their data be deleted when it is no longer necessary for processing.
  • Right to Data Portability: Data subjects can request that their data be transferred to another data controller in a machine-readable format.
  • Right to Object: Data subjects may object to the processing of their data under certain conditions.

Any requests from data subjects are handled promptly in accordance with GDPR requirements.

Disaster Recovery and Business Continuity

Cloudstream has established Disaster Recovery and Business Continuity Plans to ensure the uninterrupted availability of services and data in the event of an incident. Our disaster recovery strategy includes:

  • Data Backups: Regular automated backups of all critical data, stored securely in AWS’s redundant cloud infrastructure.
  • High Availability: AWS provides failover capabilities to ensure minimal downtime in the event of hardware or network failures.
  • Business Continuity Planning: Our systems are designed to allow for remote work, ensuring that business-critical functions can continue without interruption in case of emergencies.

Review and Updates

This policy is reviewed at least annually or when significant changes occur to our data processing activities or legal obligations. Cloudstream is committed to continuously improving our data protection and cyber-security practices to maintain compliance and protect personal data.

For any questions or concerns regarding this policy or how we handle personal data, please contact us at:

Cloudstream Ltd
Suite 306, 4 Blenheim Court
Peppercorn Close
Peterborough PE1 2DU
Email: [email protected]
Tel.: 0333 050 7546

 
