Privacy Policy & GDPR Guidance

Last review: 2018-08-02
Next review: 2019-01-18
Company name: Server Density Limited.
Company address: 58-64 City Road, London EC1Y 2AL.
Supervisory authority: UK Information Commissioner's Office

Server Density collects a large volume of data about the IT infrastructure we monitor on your behalf, however the majority is non-personal, numeric, system performance data. Server Density does not deliberately collect any personal data as part of our our monitoring product, but does collect data about you if you use our product interfaces.

This guide explains what data we collect and how it is processed in accordance with GDPR and the UK Data Protection guidelines. We have approached this with GDPR in mind even where the regulations do not apply for non-personal data so as to ensure a “Privacy First” approach.

Server Density uses a Data Processing Addendum incorporated into our standard Terms for all customers.

We only collect data directly from users and do not perform any automated decision-making or profiling based on personal data. As we do not do large scale processing of personal data, we do not need to appoint a Data Protection Officer. We have been voluntarily registered under the Data Protection Act since June 2009 (registration number Z1787867).

Customer data we collect

System monitoring data collected through our monitoring agent, built-in official plugins and custom plugins.
Purpose

Core system monitoring data enabled by default e.g. CPU, memory, disk usage is numerical data which is non-personal.

Plugins are enabled on a per-plugin basis to gather numerical data which is non-personal.

Running process names collected through our monitoring agent.
Purpose
Names of processes running on each monitored system which is non-personal.
System IP addresses reported by our monitoring agent or logged through our service monitoring and postback API.
Purpose
For user display purposes and for logging activity for debugging and security.
Custom plugin data collected through our monitoring agent or API.
Purpose
Customer managed and controlled plugins may report data labels/names with personal data. This is entirely under the control of the customer to determine what data is reported in their plugins.
Customer account data e.g. first user name, email, phone number submitted during the signup process.
Purpose
For initially creating the trial account and then maintaining business records for tax purposes if the trial user becomes a customer. E-mail and phone number are used for user-configured alerts and calling the customer in the event of a billing failure.
User accounts e.g. name, email, phone number submitted by admin users when creating new users.
Purpose
E-mail and phone number are used for user-configured alerts and calling the customer in the event of a billing failure.
Account user phone number and email submitted by admin users when managing users or by the user managing their own profile.
Purpose
Admin users may be emailed during their trial to provide setup instructions and notification that their trial is ending. Once a customer, users may be emailed our regular newsletter. All users can unsubscribe from each email.
Support communication.
Purpose
If you contact us via live chat or support ticket (including via hello@serverdensity.com) your personal details and a record of the communication are stored in our support ticket system.
User agent data when using our web interface collected by our analytics suppliers.
Purpose
When using the Server Density web interface, we collect user agent data e.g. browser details, IP address, pages visited as part of monitoring the usage of our product and for debugging purposes.
NPS survey responses submitted by users.
Purpose
Collecting user satisfaction metrics and feedback.

How long we retain data for

Our general rule of thumb is The Limitation Act 1980 which sets a maximum timeframe under which legal proceedings can be brought. For contract based claims e.g. debt recovery or compensation claims in respect of substandard work or negligent advice, the limitation period is 6 years from the date of cause of action. As such, any supporting documentation that may be required as evidence should be retained for this time period.

Exceptions to this are:

  • Non-personal monitoring data is stored for the retention period specified in your account package.
  • Personal data e.g. user login profiles, is kept for the lifetime of the account unless deleted using the relevant product feature. Backups are kept for 1 month.
  • All email sent to us is retained forever.

Security

We have an in-depth security policy which determines how our employees work with all of our systems. This includes compulsory use of 2-factor authentication, strong passwords, password managers and encrypted storage.

All customer personal information where we are the processor is stored with industry standard security provided by Google through Google Cloud Platform and Microsoft through Office365. This specifically includes encryption at rest and locked down infrastructure that has regular updates all managed through automation.

Where we are the data controller but not also the processor, we have contractual agreements in place with the 3rd party supplier to ensure the same level of security is applied to their processing activities.

3rd party data transfers

We work with a number of suppliers where personal data may be transferred to help us run our business.

The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations which include informed consent and being necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request. In providing this list of suppliers we are providing information for users to consent through making use of the service.

For all suppliers, we have contractual agreements in place to ensure the relevant rights are enforceable on our behalf.

Supplier
Amazon Web Services
Purpose
Backup.
Supplier
American Express
Purpose
Payment processing.
Supplier
Atlassian (JIRA & StatusPage)
Purpose
Issue tracking and incident communication.
Supplier
Braintree
Purpose
Payment processing.
Supplier
Box
Purpose
File storage.
Supplier
Bugsnag
Purpose
Web interface error reporting.
Supplier
Cloudflare
Purpose
Infrastructure security.
Supplier
Delighted
Purpose
In-app NPS survey.
Supplier
Fonts.com
Purpose
Website font hosting.
Supplier
Google
Purpose
Google Cloud for our primary infrastructure, including storage of personal data.
Supplier
MailChimp
Purpose
E-mail delivery.
Supplier
Microsoft
Purpose
Business productivity including email.
Supplier
MongoDB
Purpose
Backup.
Supplier
Readme
Purpose
Developer documentation hosting.
Supplier
SendGrid
Purpose
E-mail delivery.
Supplier
Slack
Purpose
Internal discussion.
Supplier
WP Engine
Purpose
Blog hosting.
Supplier
Xero
Purpose
Accounting and invoicing.
Supplier
Zendesk
Purpose
Customer support and live chat.
Supplier
Zoom
Purpose
Video conferencing.

Data rights requests

GDPR provides a range of rights for individuals. You can read about your rights on the ICO website. If you wish to exercise your rights, please email your request to hello@serverdensity.com and we will respond within 30 days.

The right to be informed.
Notes
This document is reproduced in part on our website and fulfills all the requirements for this right.
The right of access.
Notes
  • Product users can request all their information through our API at Viewing a user.
  • We can provide a record of ticket communications through searching for the user identifier e.g. email in Zendesk.
  • Billing information e.g. invoices can be provided on request.
The right to rectification.
Notes

Product users can update all their information through our web UI or API at Updating a user. Changing email address also updates any 3rd party systems.

The right to erasure.
Notes

Product users can ask their admin user to delete their user through our web UI or API at Deleting a user. Removing the user details also removes the user from any 3rd party systems.

  • Backup retention applies but data is deleted within 30 days.
  • We retain user details linked to billing for tax retention purposes (6 years).
The right to restrict processing.
Notes
No specific notes.
The right to data portability.
Notes

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

Since we do not do any automated processing, this right does not apply. That said, product users can request all their information through our API at Viewing a user.

The right to object.
Notes
No specific notes.
Rights in relation to automated decision making and profiling.
Notes
We do not do any automated decision making or profiling.