Your GDPR Questions Answered

Where is the data located?
Surf Accounts customer’s data is stored in Microsoft Azure Data Centre, in Grange Castle, Dublin, Ireland.

How is it stored?
Your customer’s data is securely stored in a segregated section of the Microsoft SQL Azure Databases that is unique to each of our Surf Accounts customers.

Who can access it?
Access to Surf Accounts customers’ data is restricted to licensed Surf Accounts customers (you) and to Authorised Surf Accounts Personnel only. Authorised Surf Accounts personnel can only access Surf Accounts customers’ data to the extent necessary to fulfil their function as a data processor in respect of the Surf Accounts service.

How is it protected?
Access to the data is secured using a combination of a 48 digit password and usage of Microsoft Azure Key Vault Technology. Microsoft’s facility is designed to run 24x7x365 and employs various measures to help protect operations from power failure, physical intrusion, and network outages. These data centres comply with industry standards (such as ISO 27001) for physical security and availability. They are managed, monitored and administered by Microsoft operations personnel.

What if there’s a service disruption, a breach, or permanent data loss?
Microsoft guarantee that service disruption will be minimal as the Databases in their Azure Data Centres have an availability of 99.99%. They also guarantee that access to these Data Centres through their Internet gateways are fully secure and available 99.99% of the time. The risk of permanent data is practically non-existent as the Surf Accounts customer’s data is backed up in both a core and secondary Microsoft database and, separately, in an Amazon AWS Data Centres to ensure data security. The Amazon Data Centre also complies with industry standards (such as ISO 27001) for physical security and availability.

Where’s the back-up? Is it within the EU or in an adequate country?
Surf Accounts Data is backed up to both a secondary Microsoft Azure site and the Amazon AWS centres. All backup sites are located in the EU.

How easily can a data controller respond to data subject rights requests for personal data processed in the cloud?
The Data Controller can easily use the Surf Accounts Reporting facilities to Print or Export the full amount of Personal Data being held

When the service ends or a data controller switches to a different cloud service provider, will the personal data be truly erased, or will it persist, leaving a data controller and the personal data of the data subject exposed?
Surf Accounts customer’s data is permanently removed 3 months after a contract has elapsed. Backups are also removed after a further 28 calendar days.