CFTS Documentation

Data Processing Addendum

1. PURPOSE

This Data Processing Addendum (“DPA”) governs the processing of personal data by CFTS when providing hosting services to its client.

This DPA is intended to align with the UK GDPR and EU GDPR where applicable.

2. ROLES & DEFINITIONS

Client: Data Controller

CFTS: Data Processor

The Client determines the purposes and means of processing personal data. CFTS processes personal data solely on documented instructions from the Client.

3. NATURE OF PROCESSING

CFTS provides:

  • Website hosting
  • Email hosting
  • WHMCS platform hosting (where applicable)

Categories of data may include:

  • Contact details (name, email, phone)
  • Business correspondence
  • Account management information

CFTS does not store payment cardholder data.

4. PROCESSOR OBLIGATIONS

CFTS shall:

  • Process personal data only on documented instructions.
  • Implement appropriate technical and organisational security measures.
  • Ensure confidentiality of authorised personnel.
  • Restrict administrative access to authorised individuals only.
  • Apply encryption in transit (TLS 1.2+) and encryption at rest (disk & backup).
  • Maintain a 3-2-1 encrypted backup strategy.
  • Maintain logging and monitoring controls.
  • Apply security updates and vulnerability management procedures.

5. SECURITY MEASURES

CFTS maintains a layered security architecture including:

  • Full disk encryption
  • Encrypted backups
  • Web Application Firewall (mod_security)
  • Imunify360 proactive exploit prevention
  • Real-time malware detection and remediation
  • CageFS and LVE user isolation
  • SSH IP whitelisting
  • Multi-factor authentication for administration
  • Log retention (minimum 1 year)

6. SUBPROCESSORS

Primary infrastructure is hosted within a Tier III data centre operated by Easyspace (UK). Cloud-based backup services may utilise secure third-party storage providers. CFTS ensures appropriate security controls are in place with subprocessors.

7. DATA BREACH NOTIFICATION

In the event of a confirmed personal data breach, CFTS shall:

  • Notify the Client without undue delay.
  • Provide available details regarding scope and impact.
  • Support reasonable mitigation efforts.

8. DATA RETENTION & DELETION

Data is retained in accordance with service agreements and backup policies.

Upon termination of services, data may be returned or securely deleted subject to contractual terms and backup retention cycles.

9. AUDIT & ASSURANCE

CFTS maintains documented security procedures and governance controls.

While not ISO 27001 certified, the hosting platform operates in alignment with recognised industry best practices for managed hosting environments.

10. LIABILITY & LIMITATION

Liability related to data protection is governed by the primary service agreement.

SUMMARY

CFTS acts as a Data Processor and implements layered technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, or disclosure.