GDPR Compliance

Version 1.0: This statement was produced on 31st March 2018, any updates to our policies in relation to GDPR will be posted on this page.

Overview

In terms of compliance with the Data Protection Act, GDPR and the Data Protection Bill (2017), PracticeFlow functions as a data processor providing services to accounting professionals (who are the controller with respect to the data of their clients). Our lead supervisory authority as a UK company is the ICO.

Storage of Personal Data

We store the personal information that you submit to us for the purposes of:

  • Managing your login details
  • Performing security verifications when assisting you with your account
  • Addressing emails to you and your staff (users)

We do not share this information with any 3rd parties, and do not undertake any further processing of this data.

Your Client Data

As a practice management system, a core function of the system is to accept, store and provide processing of the data of your customers/clients, as submitted to the system by you and your staff (users).

Any and all processing of this data is for the express purpose of providing functionality to you and your users—PracticeFlow does not use this information for any other purpose and this information is never shared with 3rd parties.

As the controller of this data on behalf of your clients, you are responsible for acquiring the appropriate consent from your client to hold and process their data. When it is necessary to update or delete this data, you can do so in PracticeFlow via the system directly.

Security

Hosting of the Service

PracticeFlow is hosted on Amazon Web Services, via the service Heroku. Email sent to you is sent via the service Mailgun. GoSquared is used to provide monitoring and system usability statistics. For the latest information regarding the GDPR and security standards compliance of these services please see:

We are hosted in the EU region of Heroku (and so AWS). All data is therefore stored within the EU, encrypted at rest.

Data retention via backups

All data is backed up on a daily basis, and currently 25 backups are kept on a rolling basis. When data is deleted from the system then it will cease to be available immediately. A copy of the data may however be stored in one or more backups—this data will become fully unrecoverable after the last backup containing this data has rotated out, which will take a maximum of 26 days.

Please note that is is not feasible to retroactively erase data from backups.

Right to be forgotten

If you close your PracticeFlow account (which you can do via the account management view, or by contacting support) then your data will be completely erased from the system.

Once the last data backup which contains your data has been rotated out (after 26 days) then your data will have been completely erased from our records and cannot be recovered.