GDPR Statement & Terms of Business
The following Terms and Conditions lay out our relationship with you, as a customer of mtstudios, and your business data, which we often store on your behalf using a number of third-party services.
We suggest that you read this document, to ensure you understand your obligations and responsibilities as well as mtstudios’ in order to comply with GDPR.
mtstudios Customer Data Processing Terms & Conditions
This document clarifies the formal role of mtstudios and its customer relationships within the framework of the GDPR.
Purpose and scope of mtstudios Data Processing on behalf of Data Controllers
For the purpose of providing the Services, mtstudios will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that mtstudios acts as a Data Processor for all Customer Hosted Data supplied to mtstudios by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
- the Customer is the Data Controller for all Customer Hosted Data supplied to mtstudios under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
- where the Customer is a Data Processor on behalf of a Data Controller, that mtstudios are a sub-Data Processor and that the Customer has:
  - ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
  - entered into the required contractual arrangements, including arrangements with the relevant Data Controller for mtstudios to act as sub-processor legally;
  - has complied with its obligations as Data Processor under the applicable Data Protection Laws; and
  - shall be liable to the Data Controller for mtstudios’ acts and omissions as a sub-Data Processor.
By accepting the Terms herein, the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.
Nature of the processing
mtstudios undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer or the supply of Content Management Systems, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimisation of or decision-making based on Customer Hosted Data for the purposes of such Processing by mtstudios.
mtstudios utilises a dedicated and cloud-based hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.
mtstudios maintains no visibility of and has no intention to access or manipulate Customer Hosted Data, even in the case where mtstudios maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. mtstudios interacts with the Customer Hosted Solution at an infrastructure level only, not at the level of Customer Hosted Data or the Customer Hosted Applications.
Further, any processing by mtstudios of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
mtstudios classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types of Customer Hosted Data or categories of Personal Data within this set. mtstudios applies the same level of generic security controls to all Customer Hosted Solutions.
mtstudios provides a service which constitutes among other things the provision of VMs, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.
Duration of processing
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, mtstudios will Process all such Personal Data in accordance with the Customer’s written instructions.
Availability of Customer Hosted Solutions and Services
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
As set out in the applicable Service Definitions, mtstudios cannot guarantee the Availability of individual Customer Hosted Solutions in an Available state at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator.
mtstudios, or its Sub-Processors, guarantee the availability of data centre services, e.g. availability of core network connection, power and cooling, and the availability of sufficient hypervisor capacity where Cloud services are procured in line with the provisions of the services’ respective SLAs and mtstudios’ definition of Availability.
In accordance with the Services being provided, mtstudios is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.
mtstudios’ use of Data Sub-Processors
By entering into this Data Protection Addendum, the Customer hereby permits mtstudios to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data.
mtstudios shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.
mtstudios utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub Processors used to provide Services will be updated from time to time to reflect the current operational position:
- Google UK Ltd, company number 03977902 – provision of email services
- Rackspace Ltd, Company number 03897010 - provision of email services
- Paragon Internet Group Ltd, Company number 07573953 - provision of website hosting and email services
- WPEngine Inc - provision of website hosting, see https://wpengine.com/legal/
- Memset Ltd, Company number 04504980 - provision of website hosting and server co-location services
- WPX Hosting - provision of website hosting, see https://wpxhosting.co.uk/page/privacy-policy/
mtstudios will update the Customer of the use of any new Data Sub-Processor at least one month prior to adoption of the Sub-Processor and transfer of Customer Hosted Data or provision of any form of access to Customer Hosted Solutions by support ticket or email, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established.
The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to mtstudios complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. mtstudios will perform appropriate due diligence on the Data Sub-Processor, as we will on any security impacting supplier.
mtstudios will maintain written contracts with all mtstudios Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.
Transfer to non GDPR-aligned locations or Sub-Processors
mtstudios will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.
Processing in accordance with written instructions
mtstudios will only process Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be in whole contained within the section ‘Purpose and scope of mtstudios Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted as they will fall outside of the scope of our services.
Effective date: 25th April 2018