TeamFeePay Trust

ISO/IEC 27018:2019

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

ISO/IEC 27018:2019
Control matrix

PII extensions / cloud PII processor

8 controls
27018-9 Access control for PII

Access to PII is restricted to authorised personnel, individually attributable, and reviewed at intervals appropriate to the sensitivity of the data.

How we implement it

Access to customer PII requires JIT elevation through an approved workflow; no shared accounts touch PII; access is reviewed quarterly.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-10 Cryptography of PII

PII transmitted over public networks is protected by cryptography. Keys used to protect PII are managed under documented procedures.

How we implement it

All customer PII in transit uses TLS 1.2+; at rest uses AES-256 with keys held in a managed KMS with documented rotation and access logging.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-11 Physical and environmental security for PII

Physical access to facilities processing PII is restricted to authorised personnel and is audited.

How we implement it

Production PII is processed only in tier-1 cloud facilities (UK/EU regions) whose physical controls are independently audited under ISO 27001 / SOC 2.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-12 Operations security and PII

Logs of activities affecting PII are maintained, protected and reviewable on request.

How we implement it

All access to customer PII generates an audit event captured by our SIEM. Logs are tamper-evident and retained for at least 1 year.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-13 Communications security for PII

Transfers of PII between systems and to PII controllers are encrypted and authenticated.

How we implement it

PII transfers to or from customers occur via authenticated, encrypted APIs. PII is never transferred to a third party except an approved sub-processor under DPA.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-15 Supplier relationships involving PII

Sub-processors that process PII are bound by equivalent or stricter PII-protection obligations and are disclosed to the PII controller.

How we implement it

Sub-processors are listed on this Trust Centre. New or replaced sub-processors are announced with 30 days' notice to allow controllers to object.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-16 Incident management involving PII

Incidents affecting PII are reported to the PII controller within agreed timescales and include sufficient information for the controller to fulfil its own obligations.

How we implement it

Confirmed PII incidents are reported to affected customers within 72 hours, in line with UK GDPR Article 33, with the information required for them to notify their data subjects.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-18 Compliance and PII

The processor identifies the legal and regulatory obligations applicable to PII it processes and demonstrates compliance.

How we implement it

We maintain a compliance register covering UK GDPR, DPA 2018, ICO codes of practice, and customer DPAs. Compliance is reviewed annually and on regulatory change.

Owner: DPO. Reviewed on 11 April 2026
Implemented

PII protection principles

11 controls
27018-A.1 Consent and choice

The PII processor processes PII only on documented instructions from the PII controller; the processor does not use PII for any other purpose without controller authorisation.

How we implement it

We act on documented controller instructions only. We do not use customer PII for marketing, profiling, training models or any purpose outside the contracted service.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.2 Purpose legitimacy and specification

PII is processed only for the purposes specified by the PII controller.

How we implement it

Our DPA enumerates the purposes for which we process PII. Any new purpose requires written controller instruction.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.3 Collection limitation

The processor does not collect PII beyond what is necessary for the processing instructed by the controller.

How we implement it

We collect only what the customer's use of the platform requires. Optional fields are clearly marked as optional in the product and the API.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.4 Data minimisation

Temporary files and outputs that include PII are minimised and the PII is erased as soon as it is no longer needed.

How we implement it

Temporary files containing PII are written to ephemeral, encrypted volumes and erased on job completion. Diagnostic dumps are scrubbed of PII.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.5 Use, retention and disclosure limitation

PII is retained no longer than necessary for the agreed purpose and is not disclosed except as instructed by the controller or required by law.

How we implement it

Retention defaults are documented per data type and can be overridden by the controller. Disclosure to authorities is permitted only under legal compulsion and, where lawful, with prior notice to the controller.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.6 Accuracy and quality

Tools exist for the controller to keep PII accurate, complete and up to date.

How we implement it

Admin tooling lets controllers (club administrators) correct PII directly. API endpoints provide the same capability programmatically.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.7 Openness, transparency and notice

The processor provides clear information about its PII handling practices, including sub-processors.

How we implement it

This Trust Centre and our DPA describe how we handle PII, the sub-processors we use, the regions in which we process, and our retention defaults.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.8 Individual participation and access

The processor supports the controller in fulfilling data subject rights, including access, correction and erasure.

How we implement it

Controllers can fulfil access, correction and erasure requests directly via the admin console. Where they need our help, we respond within 30 days of a written request.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.9 Accountability

The processor demonstrates accountability for its PII obligations through evidence, audits and breach notification.

How we implement it

Accountability is demonstrated through ISO/IEC 27001 and 27018 certification, independent penetration testing, audit logs, and our published incident-response SLAs.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.10 Information security

The processor implements appropriate technical and organisational measures to protect PII against unauthorised access, alteration, disclosure or destruction.

How we implement it

Our ISO 27001-aligned ISMS, encryption in transit and at rest, key management, JIT access, EDR, SIEM monitoring and quarterly DR testing all serve this control.

Owner: DPO. Reviewed on 11 April 2026
Implemented
27018-A.11 Privacy compliance

The processor demonstrates compliance with applicable PII protection legislation and regulation in the jurisdictions where PII is processed.

How we implement it

PII is processed only in UK and EU regions. Where transfers occur outside the UK/EEA, we rely on UK and EU SCCs and supplementary measures, documented per transfer.

Owner: DPO. Reviewed on 11 April 2026
Implemented