GDPR Compliance

Overview

In terms of compliance with the Data Protection Act, GDPR and the Data Protection Bill (2017), Practice Flow functions as a data processor providing services to accounting professionals (who are the controller with respect to the data of their clients). Our lead supervisory authority as a UK company is the ICO.

Storage of Personal Data

We store the personal information that you submit to us for the purposes of:

• Managing your login details
• Performing security verifications when assisting you with your account
• Addressing emails to you and your staff (users)

We do not share this information with any 3rd parties, and do not undertake any further processing of this data.

Your Client Data

As a practice management system, a core function of the system is to accept, store and provide processing of the data of your customers/clients, as submitted to the system by you and your staff (users).

Any and all processing of this data is for the express purpose of providing functionality to you and your users — Practice Flow does not use this information for any other purpose and this information is never shared with 3rd parties.

As the controller of this data on behalf of your clients, you are responsible for acquiring the appropriate consent from your client to hold and process their data. When it is necessary to update or delete this data, you can do so in Practice Flow via the system directly.

Security

Hosting of the Service

Practice Flow is hosted on Render Services. Email sent to you is sent via the service Postmark. Fathom is used to provide anonymous GDPR compliant website usage analytics. For the latest information regarding the GDPR and security standards compliance of these services please see:

• Render Services - Privacy Policy
• Postmark - EU Data Protection
• Fathom - GDPR Compliance

We are hosted in the EU region of Render Services. All data is therefore stored within the EU, encrypted at rest.

Data retention via backups

All data is backed up on a daily basis, and currently 25 backups are kept on a rolling basis. When data is deleted from the system then it will cease to be available immediately. A copy of the data may however be stored in one or more backups - this data will become fully unrecoverable after the last backup containing this data has rotated out, which will take a maximum of 26 days.

Please note that is is not feasible to retroactively erase data from backups.

Right to be forgotten

If you close your Practice Flow account (which you can do via the account management view, or by contacting support) then your data will be completely erased from the system.

Once the last data backup which contains your data has been rotated out (after 26 days) then your data will have been completely erased from our records and cannot be recovered.