Information security, data protection, the GDPR
In this section:
- “You” means an organisation (including staff at that organisation) that has chosen to use Libacura to help with running the services you offer to your customers.
- “GDPR” means the EU General Data Protection Regulation, which comes into force in May 2018 and replaces the Data Protection Act.
Libacura is a web service run by Ajaia Ltd. Ajaia Ltd is a company registered in England and Wales.
Libacura stores personal data relating to your customers. The personal data can be entered into Libacura by you, and (if you choose to enable it) directly by your customers.
The personal data can be processed by you using the Libacura web service through a web browser. The personal data can also be processed by your customers via the Libacura web service using a web browser (if you enable it).
Occasionally the personal data may be processed by staff at Ajaia Ltd on your behalf under your explicit written instructions, for example if you request us to import personal data into Libacura that you have or have obtained from another system, or when we respond to a support request from you.
Ajaia Ltd acts as a Data Processor under the terms of the EU General Data Protection Regulation (GDPR). You are the Data Controller.
Ajaia Ltd will conform to all its obligations as a Data Processor under the GDPR (and the Data Protection Act).
Enquiries to us relating to data protection issues should initially be made via a Libacura support request.
Your responsibilities as a Data Controller
As a Data Controller you have responsibilities under the GDPR to individuals whose personal data you store and process in Libacura. As the Data Controller you are responsible for ensuring that any tools and services you use (such as Libacura) are fit for your purposes and are used in ways that are compatible with your obligations.
If you are not clear about your legal obligations under the GDPR you should seek advice from an expert. We cannot provide such advice.
Libacura can be used to store and process your personal data in ways that are compatible with your obligations under the GDPR. For example:
- If an individual makes a request to you for personal data held in Libacura, you can satisfy the request using the Libacura web service, since all the personal data you hold in Libacura can be accessed by you.
- You have a responsibility to ensure the data you hold in Libacura remains up-to-date. You can update the information you hold in Libacura at any time using the Libacura web service.
- You can delete personal data held in Libacura at any time using the Libacura web service or by raising a support request.
- Since no processing of the personal data held in Libacura happens other than when performed by you or under your explicit instructions, you can prevent processing of personal data held in Libacura by not processing it or deleting it from Libacura.
- You can move personal data out of Libacura in standard electronic form using the Libacura web service, via the “Reports” which can be exported to CSV (spreadsheet) format.
If you require assistance on how to use Libacura please raise a support request through Libacura or contact our support email address. We will assist you with issues relating to accessing and processing the information you store in Libacura, within the time limits set out in the GDPR. We cannot assist you or advise on issues relating to your obligations under the GDPR.
You need to:
- Understand that you remain in control of, and responsible for, policy decisions relating to the collection, storage and use of the personal data concerning your registered families. You are the Data Controller, in the terminology of the GDPR; we are a Data Processor, providing information storage and processing services according to your instructions.
- Safeguard any usernames and passwords that are assigned to you and your staff.
- Take action immediately if you discover or suspect that a password has become known to someone unauthorized: Change the password using the User settings screen in Libacura AND inform us so that we can terminate any existing unauthorized logins.
- Take extra care if you ever access Libacura from public or open-access computers: Be sure to log out from Libacura explicitly when you have finished, and then close all web browser tabs/windows. Never use “Remember my log-in details” or similar features from public computers.
Our responsibilities as a Data Processor
We take very seriously our obligations and responsibilities to protect the data we store and process on your behalf. We will:
- conform to our obligations under the GDPR;
- take appropriate technical and organisational security measures to safeguard the personal data entered into Libacura;
- never use the information entered into Libacura other than in accordance with your instructions.
In particular, we:
- never process the information in Libacura without your explicit written approval;
- never disclose the information in Libacura to any third party without your explicit written approval;
- never independently contact any individuals using personal information held in Libacura;
- never view the personal data held in Libacura, other than where necessary to provide support to you or to implement your explicit written instructions to process the data.
Where we identify or are notified of a data breach relating to data we hold on your behalf, we will inform you without undue delay and will assist you in your responsibilities to act on the breach.
To safeguard your data, we:
- use a UK-based third-party server infrastructure to run our software, carefully selected and reviewed for security and reliability;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- always encrypt personal data (using https) when it is transferred over the web between our servers and your computer(s), so it is safe from interception;
- take regular backups, encrypted in transit, and stored at a separate site.
We aim (but can’t guarantee) to ensure the Libacura web service is generally available 24 hours a day, 7 days a week. We occasionally need to take the service down for short periods to perform maintenance and updates. Planned maintenance will occur in the evenings or at weekends. As with all web-based services, other service outages can sometimes happen for reasons out of our control.