We are Cracking Media Ltd – UK Reg No: 06557056. We are committed to protecting your personal information and making every effort to ensure that your personal information is processed in an appropriate manner.
We are a “data controller” for the purposes of the Data Protection Act 1998 and (from 25 May 2018) the EU General Data Protection Regulation 2016/679 (“Data Protection Law”). As a supplier of websites and hosting we provide methods for our customers to collect and store data submitted by website visitors, most commonly but not limited to personal data shared through a contact form on the website, and as this includes dealing with personal data on behalf of our customers we should also be considered a data processor.
Open Source Platforms and Hosting
The websites we provide are built predominately on open source software with bespoke design and functionality to match the needs of our customers. Our first choices as a web platform are WordPress and JOOMLA! both of which have modern security features built in.
Where we provide hosting for websites we use UK or EU datacentres for all website customers within UK or EU, unless otherwise requested. We do not host or store our websites on our premises. For customers outside the UK or EU we suggest the purchase of hosting that geographically matches the business or the target market of that business.
One of the main advantages of using Open Source platforms is the constant updating of these platforms including security patches and updating of common website technologies such as PHP, jQuery and other server technologies used in providing website functionality.
We take website security very seriously, so on top of the built in security that come with the platforms we use we take further measures to help secure the websites we provide and any personal data that might be stored within them.
Website hosting is like any other storage of data on a computer, it is possible for data to be corrupted and for hardware to fail making the website no longer functional or reachable via the internet. To protect websites on our hosting from this situation we include, within our hosting packages, the taking of automated regular back-ups of our websites, approximately 3 times a month. Any back-ups that fall outside the schedule for that specific website are deleted. These back-ups give us the opportunity to have a website back up and running in a short amount of time should other support attempts fail.
For sites that are constantly updated or collecting important information such as blogs or ecommerce systems we recommend a more regular back-up regime, possibly even daily for ecommerce sites that have a high turnover of orders per day.
For Customers that move away from our web services an archived back-up is kept for up to 6 months after which it is deleted.
Storage of Back-Up
To protect the back-ups from hardware failure we store them off-site in a secure cloud storage system which may include storage locations outside the UK or EU. However, the secure cloud storage we use is a member of Privacy Shield which is recognised by the UK and EU as being up to the required standard for secure data processing, in this case storage. The data stored is 256-bit encrypted whilst on the storage and 128-bit encrypted during transfer.
We do not keep a physical copy of these back-ups on our work computers or within our premises.
Processing of website data
The data processing through our websites is predominately automated which removes the need for us to take part in processing the data in a physical way. In the most common case of data submission, through a form, a copy is transmitted to our website customer and on more recent websites the message is also stored in the database of the website. The data collected is based on the requirements of our website customer and the data generally includes but is not limited to name, email, telephone and a message or request from the website visitor.
Who has access
Stored personal data in our websites can be accessed, exported or deleted through a secured website admin portal. We will access the website admin portal to perform updates and general maintenance which is key to keeping the website secure and to enhance performance, we will also access the admin portal by the request of our customers. Occasions when this might happen include adding functionality or making design changes. Customers can also access this data themselves if they have asked for the relevant access to do so.
Unless a specific situation arises where we are requested to try and recover this data or a similar support request is made, we have no need to access this data at any other time but it will be included in the website back-ups and transferred to the secure cloud storage for the life of that back-up file, usually 1 month.
When support situations beyond our level of access occur, it becomes necessary to grant access to third parties, such as datacentre staff. This is not access the admin portal of the website but the server where the website is stored. A situation where this might occur is when there is a hardware or server issue that requires local intervention, such as a server reboot or installation of updated software.
It is our policy to only grant access to relevantly skilled people who are capable of achieving a positive outcome.
Customer Data Retention
During the supplier to customer relationship between Cracking Media Ltd and our customers we will retain email and other correspondence for duration of that relationship. Once a supplier to customer relationship is no longer in place we will continue to keep this correspondence for up to 6 months after which the correspondence linked to the relationship be deleted and then removed from our mail system 30 days after that.
Where it has been indicated by the customer that there is a likelihood that the supplier to customer relationship may restart we may keep relevant correspondence for longer.
Customer Usernames and Passwords
On occasion it is necessary for us to access user accounts owned by customers that were not created by Cracking Media Ltd. A common example of this might be the editing of DNS settings of a domain name in an existing account held by the customer, which may prove beyond the capabilities of the customer and as such we would perform this task on their behalf.
Where a management console can be used for us to achieve these tasks without the need for us to request the customer’s username and password, then this is our preferred method.
For the duration of the task these details are stored as encrypted data on a cloud storage system and are also encrypted during transit to and from our computers. Once the task is completed these details are either deleted or stored for further use if that is part of the project remit. When the details are no longer needed by Cracking Media Ltd, we recommend that passwords are changed, this is at the discretion of the customer.
If you have any questions, please email email@example.com