Privacy & Cookie Policy
Your privacy is important to StokBox Limited (“StokBox”). This Privacy Policy covers what we collect and how we use, disclose, transfer and store your information.
1. Identity of StokBox
If there are any questions regarding this Privacy Policy you may contact us using the information below.
StokBox Limited
71-75 Shelton Street,
London.
WC2H 9JQ
Phone: + 44 20 3603 2506
Company registration number: 13542226
Our customers may submit inquiries regarding personal data protection, privacy and security matters to our Data Protection Officer: dpo@stokbox.co.uk
2. What information do we collect?
You may visit our site anonymously.
If you choose to interact with our website, four categories of data to and on behalf of you will be processed:
“Contact Us”
When you complete our contact us webform to get in touch, or respond to a survey, basic contact details are collected such as the e-mail address and name of your contact person, company name. This information is stored securely in our encrypted platforms.
“Cookie data”
This website uses cookies to help the performance of the website and your online experience.
A cookie is a piece of information that is saved to the hard drive of your computer or mobile device. It remembers information about the configuration of your computer or mobile device and will remember that you’ve visited before. This improves your website browsing experience by storing information so that you don’t have to give it several times.
A cookie typically doesn’t contain personal information, but other browsing details such as the domain from which the cookie has come from, a random unique identifier code and also the lifetime (expiry) of the cookie.
3. What do we use your information for?
Any of the information we collect from you may be used for one or more of the following purposes:
3.1.
To personalise your experience (the information will help StokBox better respond to your individual needs);
3.2.
We use the information gathered by cookies to measure information about our website usage. This information helps us assess how useful the site is to our visitors and improve the usability of the website on an ongoing basis.
3.3.
To identify you as a contracting party;
3.4.
To enable automated handling of the subscriptions.
3.5
To send periodic e-mails, you may occasionally receive company news (if accepted), updates, related product or service information, etc.
If at any time you would like to unsubscribe from receiving future e-mails, you will be given an option to unsubscribe.
.
4. Legal basis
4.1. EU General Data Protection Regulation (GDPR)
The processing of your data is either based on your consent or in case the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, cf. GDPR art. 6(1)(a)-(b).
If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information in clause 1.
In order to enter into a contract with StokBox, you must provide us with personal data.
5. How do we protect your information?
StokBox implements the following technical, physical and organisational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized use, unauthorized modification, disclosure or access and against all other unlawful forms of processing.
5.1. Availability
The Service utilises the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacentre level disasters. All failover mechanisms are fully automated.
No personal data is stored permanently outside StokBox cloud platforms. The physical security is thereby maintained by StokBox subcontractors, see clause 7. Microsoft’s datacenters comply with industry standards such as ISO 27001 for physical security and availability, e.g. by using security staff around the clock, two-factor access control using biometric and card readers, barriers, fencing, security cameras and other measures.
5.2. Integrity
To ensure integrity, all data transits are encrypted to align with best practices for protecting confidentiality and data integrity. E.g. all supplied credit card information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider’s database only to be accessible by those who are authorized to access such systems and who are required to keep the information confidential.
For data in transit, the Service uses industry-standard transport protocols between devices and Microsoft datacentres and within datacentres themselves.
5.3. Confidentiality
All personnel are subject to full confidentiality and any subcontractors and sub processors are required to sign a confidentiality agreement if not full confidentiality is part of the main agreement between the parties.
Whenever personal data is accessed by authorised personnel the access is only possible over an encrypted connection. When accessing the data in a database, the IP number of the person accessing the data must also be pre-authorized to obtain access.
Any device being used to access personal data is login protected by StokBox Azure Active Directory (AAD), Microsoft’s cloud based identity and access management service, and has StokBox corporate antivirus solution installed. If any personal data are temporarily stored on a device, the storage unit on the device will also be strongly encrypted.
On premise devices storing personal data temporarily is always, except when not being actively used or relocated under uninterrupted supervision, locked in a safe. Personal data are never stored on mobile media like USB sticks and DVD’s.
5.4. Transparency
StokBox will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. StokBox will also provide the summaries of any independent audits.
5.5. Isolation
All access to personal data is blocked by default, using a zero privileges policy. Access to personal data is restricted to individually authorised personnel. StokBox DPO issues authorisations and maintains a log of granted authorisations. Authorised personnel are granted a minimum access on a need-to-have basis through our AAD.
5.6. The ability to intervene
StokBox enables your rights of access, rectification, erasure, blocking and objection, by offering the option to send instructions email to dpo@stokbox.co.uk.
The overall responsibility for data security lies with StokBox’s Data Protection Officer who educates and updates all personnel on the data security measures outlined in StokBox’s security handbook and this Privacy Policy.
5.7. Monitoring
StokBox uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.
System performance and availability is monitored from both internal and external monitoring services.
5.8. Personal Data breach notification
In the event that your data is compromised, StokBox will notify you and the https://ico.org.uk/ within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and StokBox’s action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.
6. Do we disclose any information to outside parties?
StokBox does not sell, trade or otherwise transfer to outside parties any personally identifiable information.
This does not include trusted third parties, collaborators or subcontractors who assist us in operating our website, conducting our business. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
6.1. Subcontractors/trusted third parties
The subcontractors Microsoft Ireland Operations Ltd, Dublin, Ireland are audited against the standards of ISO/IEC 27001. The main subcontractor Microsoft has also adopted the international code of practice for cloud privacy, ISO/IEC 27018. The sub processor E-conomic International A/S is certified in “International Standards on Assurance Engagements 3000” (ISAE 3000).
StokBox will monitor subcontractors’ and sub processors’ maintenance of these standards and audits to ensure that data protection requirements are fulfilled.
Any intended changes concerning the addition or replacement of subcontractors or sub processors handling personal data will be announced to you with at least 3 months’ notice. You always retain the possibility to object to such changes.
7. Where do we store the information?
No stored data will be transferred, backed up and/or recovered by StokBox outside of the European Union.
7.1. Personal data location
All data are stored in databases and file repositories hosted in an Azure data centre at StokBox’s cloud vendor, Microsoft Ireland Operations Ltd in Dublin. All data are automatically replicated in real time to secondary hot failover databases and file repositories in Microsoft’s data centre in Amsterdam, Netherlands.
Databases are continuously backed up to enable restore to any point in time within a retention period of 35 days. Backups are stored on file storage at the same geographical location as the database.
A copy of the Account Data is also stored in StokBox’s cloud accounting system.
8. Access, data portability, migration, and transfer back assistance
You may at any time obtain confirmation from StokBox as to whether personal data concerning you is being processed.
You may at any time order a complete data copy. Your data will be delivered within 25 working days by StokBox. Logical relations between datasets will be preserved in form of unique identifiers.
9. Request for rectification, restriction or erasure of the personal data
9.1. Rectification
You may at any time obtain without undue delay rectification of inaccurate personal data concerning you, cf. clause 5.6.
9.2. Restriction of processing personal data
You may at any time request StokBox to restrict the processing of personal data when one of the following applies:
a.
if you contest the accuracy of the personal data, for a period enabling StokBox to verify the accuracy of the personal data;
b.
if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
c.
if StokBox no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
9.3. Erasure
You may without undue delay request the erasure of personal data concerning you, and StokBox shall erase the personal data without undue delay when one of the following applies:
a.
if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
b.
if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing.
c.
if you object to the processing in case the processing is for direct marketing purposes.
d.
if the personal data have been unlawfully processed; or
e.
if the personal data have to be erased for compliance with a legal obligation in EU or national law.
10. Data retention
10.1. Data retention policy
Data will be retained for up to 7 full fiscal years, this is required for tax purposes.
10.2. Data retention for compliance with legal requirements
StokBox cannot makes changes any of the default retention periods.
11. Accountability
StokBox uses the extensive range of built-in logging features and audits trails provided by Microsoft on its Azure cloud platform. StokBox also logs all system updates, configuration changes and access to provide an audit-trail if unauthorised or accidental changes are made.
You may request a data protection audit performed by an independent third party who is also accepted by StokBox. Any costs related to the audit, including the auditor will be paid for by the requesting party.
12. Cooperation
StokBox will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition), to manage incidents including forensic analysis in case of security breach.
13. Your consent
By using our site, you consent to this Privacy Policy.
14. Changes to our Privacy Policy
If we decide to change our Privacy Policy, we will post those changes on this page, and/or update the Privacy Policy modification date below.
This Privacy Policy was last modified on 24th August 2021
15. Complaint
You may at any time lodge a complaint with the Information Commissioners Office regarding StokBox’s collection and processing of your personal data.