Some of the principal documents relating to privacy and data protection are:
- This general advice page
- Our full privacy notice and list of sub-processors
- Data processing agreements (see below)
- Specific to this website, the legal notice and cookie/tracking details
These documents run alongside our terms and conditions of sale.
We run an internal compliance programme for GDPR. Due to the nature of the requirements, this is an ongoing project. Changes to our policies will arise from regular audit, updates to our own practices and those of our customers, and the evolution of data protection guidance and best practice.
Security of Our Staff
We run data protection awareness training for our staff. Our technicians and engineers will be accessing your data, either specifically or incidentally, in order to provide support to you, so it’s important that they treat that data with due respect. We also have a policy of periodic DBS (criminal record) checks on staff who attend or electronically access our clients’ sites.
Security of Your Data
Nexus operations are externally audited for compliance with the ISO 27001:2013 standard for information security. We also hold the Cyber Essentials badge.
We store and process certain data connected with your business, as per our privacy notice. We review the tools we use and take active steps in line with the principles of data protection under GDPR, such as minimising the amount of data and the number of copies held, and minimising the number of people with access. Our software tools are typically industry standards, and we review them to make sure they have appropriately strong attention to information security.
In line with Article 32 of the GDPR, we implement, as a minimum, the following technical and organisational measures for the protection of personal data:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Data Processing Agreements
Data controllers are obliged under GDPR to have a data processing agreement in place with their data processors (which can include Nexus).
For the sake of simplicity and consistency, we provide a standard data processing agreement to our customers, intended to satisfy this obligation. We send these documents out through an e-signing system called Signable.