After 25 May 2018, we'll need your express permission to process data from your site.

PLEASE NOTE. This article only applies to you if Toast hosts your website on one of our servers.

Please complete the form below to give your consent to Toast processing form submission data from the website(s) you host with us.


  • We currently host one or more websites for you (or your company)
  • The vast majority of sites we host have one or more contact forms where visitors can enter their information and send you a message via the website
  • When a visitor submits a form on your site, this form data is processed by your site and the information is sent to you via email
  • These entries are also stored in your site’s database
  • As we host your website and your site’s database, we are considered your Data Processor

Your Permission

In order to continue processing the form and other data on your behalf, you’ll need to complete the form below.

If you do not give us your consent to process data on your website, we reserve the right to remove data collection forms on your website after 25 May 2018.

Permission to process data from your website

In order that we can continue to process data collected on your website, we need your permission.

Please complete this form to consent to Toast acting as a Data Processor on your behalf.

Unless you revoke this consent in the future, this permission will be seen to apply as long as we host your website(s) for you.

Do you need help with GDPR?

There are both practical and legal aspects related to GDPR. 

We can help you with the practical stuff – making sure your site forms and other functions are compliant.

In regard to the legal stuff, you’ll need a privacy and cookies policy.

Again, we can help with the Cookies element, but you’d best take professional legal advice on your Privacy Policy.

What we do with the data collected on your website

1. Processing the data

Any form entries submitted through forms we have added to your site are processed by one of the following plugins:

  • Gravity Forms*
  • Ninja Forms

Please note that as admins on your WordPress site, we have direct access to all stored data; however, under our hosting terms, Toast staff will not edit or remove any of the data unless you instruct us to do so.

If you use an embedded form (via an iFrame, JavaScript or other API), we are not processing your data; the third party providing the embedded form is doing the processing.

*This is the plugin we use on 99% of our websites as it’s a premium (paid-for) plugin and is professionally developed and supported.

All the data collected via your site is processed automatically via the plugins installed on your site; there is no manual processing by Toast staff.

The plugin developers have no access to data collected via their plugins.

Compulsory terms for data processing – what we do

  1. We will only act on your written (email is acceptable) instructions to process your data unless required to do so by law (GDPR Article 29)
  2. Our team are trained correctly in regard to safeguarding your data. Most data we process via websites is machine-processed and not manually processed by staff
  3. We take seriously the security of your data at hosting level. However, all your data is available to persons with authorised access to your website; in this regard, we strongly suggest you use strong passwords to secure your site (GDPR Article 32)
  4. We do not generally engage sub-processors. Should a sub-processor be required, we will seek your consent prior to any processing (GDPR Article 28.2). Should you engage your own third-party processors, such as HubSpot or Salesforce, then these third parties are also your Data Processors
  5. We will help you to provide access to any data requested by a data subject (please note fees will apply to carry out any such requests) and record all processing activity (this information is stored on your website, should you delete such information, we will be unable to provide records) (GDPR Article 30.2)
  6. We will assist you in ensuring your website and any forms are GDPR compliant and that your hosting is secure (please note that fees will apply)
  7. We will notify you of any known data breaches via your hosting with Toast (GDPR Article 33)
  8. We have a designated DPO (GDPR Article 37)
  9. We will delete from your site any data that you instruct us to delete unless required not to do so by law
  10. We will make your hosting available for audits to ensure we meet the obligations of Article 28 of the GDPR

Toast’s general activities do not include the processing of data. We are a design and web agency, and the processing of all data as a processor is limited to the machine-processing of data submitted via forms on the websites that we host for our clients.

Read more about this on the ICO website.

Storing the data

When someone completes a form on your site, you are sent an email containing the form data.

This data is also stored in your site’s MySQL database.

Please note that while this information is hosted securely in your database, it is available to view when you log into your site.

If you use a weak password or give other people access to your site’s admin section this data can be at risk.

No data collected through your website is stored offline by Toast.

Toast has no control over to whom you give access to the site, so cannot be held responsible for privacy breaches by authorised users of the site.

2. Where your data is hosted

We use several hosting companies.

  • WP Engine
  • Heart Internet
  • Siteground
  • Media Temple

These companies provide hosting environments in which we host websites.

Hosting security

All our hosting is secure and meets guidelines set out for security. 

All hosting data centres are in the UK except for Media Temple’s, which are in the U.S.A. We are actively working to host all our sites within Europe. If you are hosted outside the EU, we will notify you.

If you use a CRM system such as HubSpot or Salesforce, we are not responsible for data held by these third parties, even if the site we host for you passes data (at your request) to the third party.

01/05/18 – We are currently awaiting finalised GDPR policies from these hosting providers

WordPress & Security

If we host your website, it will be built using the WordPress CMS.

WordPress has a continual development and improvement cycle and strives to be the most secure CMS available.

It is important to remember that WordPress is only as secure as the passwords you choose to secure access. 

As your data processor, we advise using a strong and secure password that is at least 12 characters long and uses upper and lowercase letters, numbers and one symbol.

3. Protecting your website and complying with the GDPR

Our terms and conditions state that once our fees for designing and building your website are paid, the website is yours. 

Toast hold no ongoing ownership of the sites we create.

For any website that we host for clients, you are free to install plugins and add custom code and functions to your site.

To this end, you must ensure that anything you add to your site is GDPR compliant.

If you have a support contract with us, you can use this time to ask us to check whether any planned development on your site is GDPR compliant.

However, if you choose to make additions and alterations to a site that we host for you, it is your responsibility to maintain compliance, and to notify us of any changes that may affect our role as your data processor.

Please see our hosting terms and conditions for more information.

Is all this a little GDPRrrrrrgh!

We can audit your website for GDPR compliance.

We’ll check your plugins, add the right consent checkboxes to your forms and make sure everything is ready for 25th May 2018 (or as soon after as possible).

We are not able to provide legal advice on your privacy policy or other legal requirements of the GDPR, but we can advise on best-practice and how you can make sure your website is compliant.


If you’d like us to audit your site, please call Dave on 01295 266644 or get in touch below.

Contact Toast