What we do with the data collected on your website
1. Processing the data
Any form entries submitted through forms we have added to your site are processed by one of the following plugins:
- Gravity Forms*
- Ninja Forms
Please note that, as admins on your WordPress site, we have direct access to all stored data. However, under our hosting terms, Toast staff will not edit or remove any of the data unless you instruct us to do so.
*This is the plugin we use on 99% of our websites as it’s a premium (paid-for) plugin and is professionally developed and supported.
All the data collected via your site is processed automatically by the plugins installed on your site; there is no manual processing by Toast staff.
The plugin developers have no access to data collected via their plugins.
Compulsory terms for data processing – what we do
- We will only act on your written (email is acceptable) instructions to process your data unless required to do so by law (GDPR Article 29)
- Our team is properly trained in safeguarding your data. Most data we process via websites is machine-processed and not manually processed by staff
- We take the security of your data at hosting level seriously. However, all your data is available to anyone with authorised access to your website, so we strongly suggest you use strong passwords to secure your site (GDPR Article 32)
- We do not generally engage sub-processors. Should a sub-processor be required, we will seek your consent prior to any processing (GDPR Article 28.2). Should you engage your own third-party processors, such as HubSpot or SalesForce, then these third parties are also your Data Processors
- We will help you to provide access to any data requested by a data subject (please note fees will apply to carry out any such requests) and record all processing activity (this information is stored on your website, should you delete such information, we will be unable to provide records) (GDPR Article 30.2)
- We will assist you in ensuring your website and any forms are GDPR compliant and that your hosting is secure (please note that fees will apply)
- We will notify you of any known data breaches via your hosting with Toast (GDPR Article 33)
- We have a designated DPO (GDPR Article 37)
- We will delete from your site any data that you instruct us to delete unless required not to do so by law
- We will make your hosting available for audits to ensure we meet the obligations of Article 28 of the GDPR
Toast’s general activities do not include the processing of data. We are a design and web agency, and the processing of all data as a processor is limited to the machine-processing of data submitted via forms on the websites that we host for our clients.
Read more about this here on the ICO website.
Storing the data
When someone completes a form on your site, you are sent an email containing the form data.
This data is also stored in your site's MySQL database.
Please note that while this information is hosted securely in your database, it is available to view when you log into your site.
If you use a weak password or give other people access to your site's admin section, this data can be at risk.
No data collected through your website is stored offline by Toast.
Toast has no control over whom you give access to the site, and so cannot be held responsible for privacy breaches by authorised users of the site.
2. Where your data is hosted
We use several hosting companies:
- WP Engine
- Heart Internet
- Media Temple
These companies provide hosting environments in which we host websites.
All our hosting is secure and meets guidelines set out for security.
All hosting data centres are in the UK except for Media Temple's, which are in the U.S.A. We are actively working to host all our sites within Europe. If you are hosted outside the EU, we will notify you.
If you use a CRM system such as HubSpot or SalesForce, we are not responsible for data held by these third parties, even if the site we host for you passes data (at your request) to the third party.
01/05/18 – We are currently awaiting finalised GDPR policies from these hosting providers
WordPress & Security
If we host your website, it will be built using the WordPress CMS.
WordPress has a continual development and improvement cycle and strives to be the most secure CMS available (more information here).
It is important to remember that WordPress is only as secure as the passwords you choose to secure access.
As your data processor, we advise using a strong and secure password that is at least 12 characters long and uses upper- and lowercase letters, numbers and at least one symbol.
3. Protecting your website and complying with the GDPR
Our terms and conditions state that once our fees for designing and building your website are paid, the website is yours.
Toast holds no ongoing ownership of the sites we create.
For any website that we host for clients, you are free to install plugins and add custom code and functions to your site.
To this end, you must ensure that anything you add to your site is GDPR compliant.
If you have a support contract with us, you can use this time to ask us to check whether any planned development on your site is GDPR compliant.
However, if you choose to make additions and alterations to a site that we host for you, it is your responsibility to maintain compliance and to notify us of any changes that may affect our role as your data processor.
Please see our hosting terms and conditions for more information.
Is all this a little GDPRrrrrrgh!
We can audit your website for GDPR compliance.
We’ll check your plugins, add the right consent checkboxes to your forms and make sure everything is ready for 25th May 2018 (or as soon after as possible).
If you’d like us to audit your site, please call Dave on 01295 266644 or get in touch below.