Privacy Policy & GDPR Guidance
Server Density collects a large volume of data about the IT infrastructure we monitor on your behalf, however the majority is non-personal, numeric, system performance data. Server Density does not deliberately collect any personal data as part of our our monitoring product, but does collect data about you if you use our product interfaces.
This guide explains what data we collect and how it is processed in accordance with GDPR and the UK Data Protection guidelines. We have approached this with GDPR in mind even where the regulations do not apply for non-personal data so as to ensure a “Privacy First” approach.
Server Density uses a Data Processing Addendum incorporated into our standard Terms for all customers.
We only collect data directly from users and do not perform any automated decision-making or profiling based on personal data. As we do not do large scale processing of personal data, we do not need to appoint a Data Protection Officer. We have been voluntarily registered under the Data Protection Act since June 2009 (registration number Z1787867).
Customer data we collect
Core system monitoring data enabled by default e.g. CPU, memory, disk usage is numerical data which is non-personal.
Plugins are enabled on a per-plugin basis to gather numerical data which is non-personal.
Processor.
Contract.
Custom plugins are a feature provided by the product which the customer may decide to use.
Controller & Processor.
Contract.
Controller & Processor.
Contract.
Controller & Processor.
Legitimate interest.
Server Density has a legitimate interest in emailing users for marketing purposes. As the user has signed up themselves or is using the product, this use is targeted and a reasonable way to reach users. This is balanced because the user would reasonably expect to hear from a service they are using, and can opt-out at any time.
Controller.
Contract.
Either as an existing customer requesting support or a potential customer asking pre-sales questions.
Controller.
Legitimate interest.
Server Density has a legitimate interest in processing usage data for improving our product and understanding how it is used. As the product is provided as a subscription service, the user expects to see ongoing improvements. This is balanced because it does not intrude on the user and allows us to passively detect errors and problems which we can then proactively fix.
Controller.
Legitimate interest.
Server Density has a legitimate interest in processing feedback scores and comments for improving our product. As the product is provided as a subscription service, the user expects to see ongoing improvements. This is balanced because the user can dismiss the survey and choose not to submit it.
How long we retain data for
Our general rule of thumb is The Limitation Act 1980 which sets a maximum timeframe under which legal proceedings can be brought. For contract based claims e.g. debt recovery or compensation claims in respect of substandard work or negligent advice, the limitation period is 6 years from the date of cause of action. As such, any supporting documentation that may be required as evidence should be retained for this time period.
Exceptions to this are:
- Non-personal monitoring data is stored for the retention period specified in your account package.
- Personal data e.g. user login profiles, is kept for the lifetime of the account unless deleted using the relevant product feature. Backups are kept for 1 month.
- All email sent to us is retained forever.
Security
We have an in-depth security policy which determines how our employees work with all of our systems. This includes compulsory use of 2-factor authentication, strong passwords, password managers and encrypted storage.
All customer personal information where we are the processor is stored with industry standard security provided by Google through Google Cloud Platform and Microsoft through Office365. This specifically includes encryption at rest and locked down infrastructure that has regular updates all managed through automation.
Where we are the data controller but not also the processor, we have contractual agreements in place with the 3rd party supplier to ensure the same level of security is applied to their processing activities.
3rd party data transfers
We work with a number of suppliers where personal data may be transferred to help us run our business.
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations which include informed consent and being necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request. In providing this list of suppliers we are providing information for users to consent through making use of the service.
For all suppliers, we have contractual agreements in place to ensure the relevant rights are enforceable on our behalf.
Data rights requests
GDPR provides a range of rights for individuals. You can read about your rights on the ICO website. If you wish to exercise your rights, please email your request to hello@serverdensity.com and we will respond within 30 days.
- Product users can request all their information through our API at Viewing a user.
- We can provide a record of ticket communications through searching for the user identifier e.g. email in Zendesk.
- Billing information e.g. invoices can be provided on request.
Product users can update all their information through our web UI or API at Updating a user. Changing email address also updates any 3rd party systems.
Product users can ask their admin user to delete their user through our web UI or API at Deleting a user. Removing the user details also removes the user from any 3rd party systems.
- Backup retention applies but data is deleted within 30 days.
- We retain user details linked to billing for tax retention purposes (6 years).
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
Since we do not do any automated processing, this right does not apply. That said, product users can request all their information through our API at Viewing a user.