Cookies, information control and processing (GDPR), general terms and conditions

Netuxo Ltd holds a limited amount of data about our customers and website visitors and we have mechanisms in place to store and use that data securely.

This page documents what we capture and why, and how you can get access to that information, or ask for it to be deleted. It also outlines the general terms and conditions of service.

WEBSITE VISITORS

1. Cookies

When you visit this website we set the following cookies for the stated reasons. You can find out more about cookies generally here: https://ico.org.uk/for-the-public/online/cookies/ and here: https://ssd.eff.org/en/glossary/cookies

  • to determine whether or not your browser uses Javascript and serve appropriate content;
  • to set a session ID when logged in;
  • to gather anonymised statistical information about page views and visits (Matomo), or to opt out of the collection of statistical information;
  • to present the cookie control information itself;
  • to hide the cookie control information when accepted.

2. Newsletter subscribers

We publish and distribute a periodic newsletter by email 2-3 times each year. This is sent to our customers and anyone else who would like to receive a copy. You can subscribe via a form submission from the website, by actively asking us to add you or by accepting the general terms and conditions and confirming your subscription when you become a Netuxo customer.

We operate a double opt-in system to reduce spam or malicious submissions via the web form, and any subscriber can either use the “unsubscribe” link (on every newsletter) or simply contact us (LINK) and ask us to remove their name and email address from the subscription list. That list is held within this website’s database, hosted in Germany and backed up to a secure backup box within the same datacentre, and is never taken off-site. See the section below for additional information about newsletter subscriptions.

3. Contact form

When you use the website contact form (at https://netuxo.coop/contact), the data you submit is encrypted using our PGP key and emailed to us. Only two Netuxo staff have the corresponding private key and can decrypt the incoming message. It is stored on Netuxo’s mailserver in that encrypted form and is only decrypted when we view it in an email client.

NETUXO AS A DATA CONTROLLER (GDPR)

We hold the minimum personal data about our clients necessary to communicate with you and to provide our website development, support and hosting services. Information about how we “process” the information we hold on behalf of our hosting clients is outlined below in the “Netuxo as a data processor” section.

1. Client Record Management (CRM)

Netuxo Ltd holds customer data in our own private records management application. Sensitive data, such as passwords, is specifically/additionally encrypted, whilst the entire application is protected via Apache HTTP auth (https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) and all data transfer (reading, writing) takes place over an encrypted SSL connection (https://www.websecurity.symantec.com/security-topics/how-does-ssl-handshake-work).

2. Book-keeping (Quickbooks Online)

Netuxo Ltd uses this popular online book-keeping application to generate customer invoices, estimates and reminders and to carry out all other financial administration tasks. This means that customer contact and account information is held by a third party (QBO). All communication between Netuxo Ltd and the Quickbooks Online platform is encrypted over https, and we trust that data security and privacy are at the top of the agenda for any commercial accountancy software provider. For more information see https://quickbooks.intuit.com/uk/gdpr/

3. Hosting administration (ISPConfig)

We use a front-end administration application (ISPConfig) that allows us and our hosting customers to carry out various administrative tasks in relation to mail and website hosting. Providing this service requires us to create one user account per customer, and we store these customer names, email addresses and other contact information in a database hosted on a server in a German datacentre. This customer data is backed up nightly to a secure backup box within the same datacentre and is never taken off-site. All communication between this application and the browser takes place over an encrypted SSL connection (https://www.websecurity.symantec.com/security-topics/how-does-ssl-handshake-work).

NETUXO AS A DATA PROCESSOR (GDPR)

This information applies (in part or in full) if you are a web or mail hosting customer, or visit or submit information through any websites we host on behalf of our customers.

WEB HOSTING - General information

Netuxo Ltd’s (“Netuxo”) web servers log the IP addresses of site visitors in both the access log and the error log of the web server (Apache) – we do so for security reasons, allowing us to follow up on problems or to detect attacks.

All of these logs contain personal information by default (IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49 of GDPR 2018). The logs can also contain usernames if your web service uses them as part of its URL structure. Even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data, such as a visitor being referred from a sensitive-subject website).

However, like most hosting companies, we do not believe it is necessary to seek explicit consent to collect this data, as the GDPR provides for the collection and retention of logs without consent in certain cases:

Article 6, Paragraph 1, Point F: “Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Recital 49 (excerpt): “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

Netuxo Ltd retains logs for a limited period of time and solely for the above purposes.

Additionally, all client websites are served via and sandboxed in a dedicated virtual host, so that no client can access data belonging to another client. Database users are also linked to clients, and even though each web server has only one database server, access is limited to the database(s) a specific user/client has access to. This also greatly reduces the risk of a data breach should one website be compromised – a breach is likely to be limited to this one client only.

YOUR HOSTED WEBSITE

Whether your website files or database hold personal data depends on what your website does and this is your responsibility. For example, if you have several users, or even let users self-register, the database of your website will hold personal data, as usernames and email addresses are considered personal data within the meaning of the GDPR. If, for example, you have a webshop, then order data which is linked to a user account is also personal data.

We back up all files and databases every night, and these are stored in an encrypted form and on a different file server. This ensures that without the decryption key, nobody can access the backed up data. We automatically delete backups older than one month.

EMAIL HOSTING

As with web hosting, we also retain logs generated by the mail server (amavis and postfix), the IMAP server (Dovecot), and of authentication to either of these services – meaning IP addresses, email addresses and usernames.

These constitute personal data according to the GDPR. However, we believe this is data “strictly necessary and proportionate for the purposes of ensuring network and information security”. These logs are also retained for a limited time.

The email server is physically separated from the rest of our infrastructure – it sits on its own server, dedicated to email only. Mail is backed up nightly in the same way as described above for website files and databases.

WEB ANALYTICS

Netuxo uses Matomo Analytics on its own website, and provides Matomo Analytics as a service. This has implications in relation to GDPR (https://matomo.org/blog/2018/04/how-to-make-matomo-gdpr-compliant-in-12-steps/). If you use Matomo Analytics (or Google Analytics), you need to state the fact that you are using it in your privacy notice and privacy policy.

Netuxo’s Matomo installation only tracks IP addresses anonymised by 2 bytes, i.e. with the last two bytes removed (e.g. 192.168.xxx.xxx). These should be considered sufficiently anonymous to not constitute personal data. This also applies to location data derived from IP addresses, as we use the anonymised IP addresses for this.

Our Matomo installation is also configured to honour “Do-not-track” settings, which any site visitor can enable in their browser.

For information on Matomo and GDPR, visit https://matomo.org/gdpr/ and https://matomo.org/docs/gdpr/.

If you use Google Analytics on your Netuxo hosted website, please check out:

EMAIL NEWSLETTERS

The requirement to obtain informed consent also applies to email newsletters.

Mailchimp is used by some of our clients, and Mailchimp has a knowledgebase article on the topic: https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation.

The Drupal module Simplenews is used on other websites, and there is presently an issue open: https://www.drupal.org/project/simplenews/issues/2965662. While double opt-in (subscription form and subscription confirmation) is one important aspect - and it is good practice to include a clear text that by subscribing a subscriber consents to you storing their data (Email, Name, etc) - there is also a requirement to be able to prove that consent has been granted. Work is under way to make Simplenews GDPR compliant in this regard.

We encourage our hosting clients to be proactive in this regard.

SUBJECT ACCESS REQUESTS AND DELETION

If you believe that Netuxo Ltd holds any private data about you, or your organisation, you can (subject to confirming your identity) ask us to retrieve and provide you with a copy of whatever data we may hold.

You can also ask us to permanently delete any non “assumed-consent” information. However, there may be instances where there are competing data retention requirements (eg as a company we are obliged to retain several years’ worth of financial data).

In any such cases we will discuss with you and take expert advice as required.

To exercise either of these rights please contact us.

All services: personal data

When you choose Netuxo Ltd to provide you or your organisation with services of any description you are, de facto, accepting that your data will be controlled and, where relevant, processed, as per the information outlined above.

If you have any questions or concerns about what data we hold, how we store or use it, please contact us.

All services: invoicing and payment methods

We invoice all hosting 30 days in advance of the renewal date, and payment can be made by card, transfer, direct debit, Paypal account, or paying in at a UK bank. We do not accept cheques by post.

All hosting packages are provided for 12 months and are non-refundable.

Hosting*: purpose of use

As an ethical provider we require our clients to use our services in a way that is compatible with our stated values. We reserve the absolute right to withdraw our services, without notice, from a client we feel has substantially deviated from these values.

Hosting*: client responsibility

You agree that you will keep secure the client login name and password provided for your web and/or mail hosting administration panel and not pass that information to any unauthorised person. In the event of your login name and password being used by any unauthorised person, we accept no responsibility and you will be liable for additional charges arising therefrom.

It is your sole responsibility to make regular back-ups of your data and files used in connection with the service. Even though we may make our own periodic back-ups for server maintenance purposes we are not responsible whatsoever for your data or files. The hosting administration panel provides the means to take and restore backups of website files, databases and mailboxes. It is your responsibility to ensure you use this.

Unless we provide you with an ongoing updates service for your website, you are responsible for keeping your website's systems updated and secure. In the event of your website being hacked due to an unmaintained system (eg non-application of security updates or patches), we accept no responsibility and you will be liable for any additional charges arising from the restoration of a compromised website. You can contract Netuxo, or any other provider, to provide you with update services.

If we notice that your website's systems are unmaintained and pose a security risk to our server, we will contact you to discuss options, but we reserve the absolute right to withdraw services without notice.

Hosting*: Domain names

We can provide you with domain names, but due to their accelerating and disproportionate cost, we do not include them automatically within any hosting package. You can find out about the cost of domain names here.

Hosting*: limitation of liability

We make no claims about the stability or uptime of hosting services (despite >99.9% uptime recorded across our servers) and Netuxo Ltd is not liable to compensate any customer for the following items in relation to the provision of hosting services:

  1. pure economic loss
  2. loss of profit
  3. loss of business
  4. loss of anticipated savings
  5. depletion of goodwill or otherwise.

In each case, this applies whether caused directly, indirectly or consequentially. Neither is Netuxo Ltd liable to any claims for consequential compensation whatsoever (howsoever caused) which arise out of or in connection with the provision of our service.

Updates service: terms

Terms and conditions specific to the provision of ongoing updates service are detailed in the contract offer the customer accepts at the point of embarkation. There are no additional terms of service.

*Hosting: this refers to all website and mail hosting packages and services and the server provisioning service Netuxo provides.

USEFUL LINKS

This page was last updated: May 2018