
GDPR Statement

Please review our GDPR Statement regularly as it is subject to intermittent amendment.

Compliance Overview

Blue Frontier are registered with the ICO (Z3665248), and are compliant with the requirements of UK GDPR and related regulations and statutory requirements such as PECR, and take privacy and data protection matters seriously.

Sub-Processors

In line with the regulation, we are required to inform you of any other processors involved in the processing of your data. We have sought and have recorded assurances from other processors, where they are used; and they are as follows:

Hosted Services

Where we provide hosting services to our clients, we act as data processors on behalf of our clients, who are data controllers under the terms of the regulation.

Data Controllers are required to seek assurances from data processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, the statements below are provided to satisfy this requirement.

Organisational Measures

We have engaged internal consultants who have created a GDPR compliance manual that contains all of the information required to demonstrate compliance to a regulator or Supervisory Authority, should we be required to do so in line with the requirements of the regulation. Further to this, the manual acts as a GDPR Addendum to ISO27001:2013, with additional policies and records in line with the requirements of the regulation.

These organisational measures include, but are not limited to:

  • Business Continuity and Disaster Recovery plans including regular testing
  • Internal audits of all management systems
  • Supplier Management taking into account information security
  • Systems validation taking into account information security
  • Comprehensive risk assessment and management
  • Threat Intelligence and threat modelling
  • User training and awareness programs
  • Secure Software Development Lifecycle implementation

Technical Measures

Blue Frontier have implemented a number of technical controls as part of maintaining compliance under our ISO management systems as well as implementing industry best practice measures to secure data under our control. These measures include, but are not limited to:

  • SOC/SIEM with 24x7 human and automated monitoring and intervention
  • ZTNA and MFA implemented on all systems where available
  • Managed Enterprise grade firewalls and DDoS protections
  • Resiliency and redundancy built into all operational systems
  • Routine vulnerability management and testing
  • Routine security assessments

Website Development and Design Services

Where you have contracted Blue Frontier to design or build a website or web application for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your site / application.

In these circumstances the client is acting as a Data Controller and the company hosting the site is acting as a processor. The Controller should seek written assurances from the processor around the measures being taken to secure the data.

Technical IT Services

Where you have contracted Blue Frontier to consult upon, build, and deploy internal IT systems, Blue Frontier is not responsible for the way in which these systems are used. As Data Controllers, it is your responsibility to ensure that your IT systems and the organisational policies and procedures are compliant with the regulation. Blue Frontier is willing to assist with this in whatever way possible.

Third Party Hosted Services

Where you have taken advice from Blue Frontier, who have recommended and / or referred you to a third party processing service, Blue Frontier act as neither processors nor controllers with respect to these data processing systems. The Data Controller should seek written assurances from the processor around the measures being taken to secure the data.

Disclaimer

Nothing in this statement constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information in this statement is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.