CFTS Documentation

Data Location and Subprocessors

This page provides a client-facing summary of data location and third-party involvement. The Privacy Notice, Data Processing Addendum, and service agreement control the formal position.

Hosting Locations

CFTS services may be delivered across:

  • Uganda
  • United Kingdom
  • hybrid Uganda and UK deployments
  • other locations where required by the specific service design or operational need

The exact location depends on the quoted service, workload requirements, data residency needs, backup design, and available infrastructure.

Data Location Considerations

Clients should confirm:

  • whether personal data will be hosted
  • whether data must remain in a specific country or region
  • whether backups may be stored separately from production systems
  • whether cross-border services are acceptable
  • whether a regulator, donor, customer, or contract imposes special location requirements

Where a specific data location is required, it should be documented before service deployment.

Backups and Replication

Backups, archive copies, or replicated data may be stored separately from the live production environment for resilience.

Backup location depends on:

  • service design
  • backup retention
  • storage availability
  • resilience requirements
  • data protection requirements
  • commercial agreement

Clients should not assume that production data and backup data are stored in the same location unless this has been confirmed.

CFTS Role

In most hosted client environments:

  • the client acts as Data Controller
  • CFTS acts as Data Processor
  • CFTS processes personal data on documented client instructions

For CFTS operational records, account records, and support records, CFTS may act as Data Controller.

Subprocessors

Subprocessors are third parties used to help provide infrastructure, backup, storage, connectivity, or related services.

Depending on the service, subprocessors may include:

  • datacentre operators
  • cloud or backup storage providers
  • network or transit providers
  • software platform vendors
  • security or monitoring service providers

CFTS applies appropriate controls where subprocessors are used.

Client Review

Clients should review data location and subprocessors where:

  • sensitive personal data is involved
  • the service is subject to contractual or donor requirements
  • regulated data is involved
  • a data protection impact assessment is required
  • data residency is a deciding factor

Data Subject Requests

Where CFTS acts as Data Processor, data subject requests should be directed to the relevant client as Data Controller.

CFTS may support reasonable requests according to the service agreement, Data Processing Addendum, and applicable law.