Skip to Main Content

Phoenix as a Data Processor

As a software and online services provider, Phoenix Software Ltd will act as a ‘Data Processor’ of our customer’s hosted data under their direct control as the ‘Data Controller’.

As a Data Processor there are several things, we either have in place today or will put in place as part of our agreement with you. We have outlined some of these for your benefit below.

A Data Processing Agreement

As part of our ‘Master Services Agreement’ we have a standard set of data protection terms that outline how we will support you as a Data Controller and meet our obligations as a Data Processor. We’ll share these with you as part of the onboarding process.

Controls with our suppliers as sub-processors

Where we use any third parties to support the services we offer you, we do several things to manage these services.

  1. We will inform you as part of the agreement above who these providers are
  2. We have in place contractual terms that replicate the terms in our Master Services Agreement
  3. We complete due diligence and audits on our suppliers and have processes in place to manage any incidents that may come up

Controls on International Data Transfers

Where we can, we try and avoid any personal data leaving the United Kingdom (UK). Where this is explicitly outlined in our agreement with you, that will take precedence over what we have in place for any other customers.

For example, where we use a supplier outside of the UK we ensure that ‘appropriate safeguards’ are in place under either the UK or EU GDPR requirements in Articles 44-49.

Technical and organisational controls to help protect personal data

As well as the contractual controls in place outlined above, we also have the below in place to help protect your personal data;

  • ISO 27001 framework and certification
  • Data Protection policies and procedures
  • Information and Records Management policies and procedures
  • Data Protection training for all staff
  • Template Data Protection Impact Assessments for our services to support your own DPIA as a Data Controller
  • A ‘Data Protection lead’ to support our compliance programme
  • A dedicated Information Security Committee to support and progress our compliance programme

We cannot reveal everything we do to physically protect personal data for obvious reasons, but we’ll provide you with as much information as possible during the procurement and onboarding processes.

Queries and support

We’ll do our best to answer your Data Protection questions as part of the onboarding/procurement processes. If, however, you have a question or query then you can contact our Data Protection lead at [email protected].

To find out more information about what personal data we collect as a Data Controller, including information through this website, please read our Privacy Notice.

Last revised: 10th January 2024