GDPR: Access controls for customer data and meeting our support obligations

This article is currently aimed at customers based in the EU/UK who are covered by the General Data Protection Regulation (GDPR). It will be expanded should additional legislation be brought into other territories in which we operate.

Delib works with customers around the world and has colleagues in a few different locations. This article aims to set out where we are located, how we support our customers, and what access controls we have in place to ensure that access to data is restricted to those who need it, while still allowing us to provide support for all our customers and continuity of our business.

Where?

Delib's head office is based in Bristol, UK. We have around 35 staff globally. The majority of our staff are based in the UK head office, and all of our product development work runs through there. We have a small number of colleagues based in Australia, New Zealand, and the United States primarily looking after our operations and customers in those territories. Delib does not currently have staff based elsewhere in the world.

How Delib supports customers while applying necessary safeguards to EU/UK data:

Delib is a data processor for data collected through our products; our customers are the data owner/controller.

  • Data for UK-based customer sites is stored in the UK in secure data centres
  • Data for European-based customer sites is stored in the EU in secure data centres
  • Data for Australian-based customer sites is stored in Australia in secure data centres
  • Data for New Zealand-based customer sites is stored in New Zealand in secure data centres
  • Data for US-based customer sites is stored in secure data centres in the US
  • Data for Canada-based customer sites is stored in secure data centres in Canada

Dealing with support requests and data access

Access to the administrative side of EU and UK customer sites is restricted to a core operations team of staff based in the UK only. Those staff members require this access in order to provide technical support to customers when it is requested and to deal with any critical issues. They must only access the admin side of a site upon instruction from named individuals at that customer's organisation and only in order to carry out these support tasks, apart from once a year when each customer success manager will log into each Citizen Space or Dialogue site to prepare an annual report as part of the standard service we provide. (Customers can let us know if they'd prefer not to receive this.)

Log-in credentials are stored in a secure password vault, accessible only to these UK-based staff members. Our secure password vault logs when any passwords have been used, and by whom. 

We use Help Scout so that our customers can email support requests to us and so that we can respond effectively to those. Access to this support system is restricted to Delib's core customer operations staff in the UK, US, Australia and New Zealand.

Support queries are dealt with between the hours of 9:00 - 17:30 Monday to Friday for customers in each territory.

Having access to this system for our core team of operations staff allows us to provide a continuous and helpful service to our customers wherever they are. The majority of queries do not require us to log into customer sites. Where they do, only UK-based operations staff are able to log into EU/UK customer sites, so our colleagues in Australia, New Zealand, and the United States would not be able to assist with any queries requiring this more detailed access.

Dealing with critical issues

Delib staff's access to the servers for EU and UK customer sites is restricted to our engineering team in the UK to allow them to deal with any critical issues which may arise.

Colleagues in the UK and in Australia, New Zealand, and the United States have access to the contact details (email address, name, and telephone numbers) of our main contacts at all our customers' organisations. This is required so that we can provide round-the-clock support for any critical issues. Our SLA states that we will notify customers as quickly as possible if a critical issue is identified on their site(s): 24/7, 365 days a year. We need access to these contact details to be able to notify our contacts at any organisation should an issue arise which affects their site(s).