axis vMerchant & GDPR
Is axis vMerchant GDPR compliant?
No software product is "GDPR compliant". It is the data you hold, your policies and processes as a data controller which contribute to your organisation's GDPR compliance.
Is my website GDPR compliant?
There are several areas of your website that you may need to review and these generally fall within the area of consent: under GDPR, consent must be "freely given, specific and informed".
This has a number of possible repercussions and so we have compiled a separate GDPR Website Checklist.
Is the data held in axis vMerchant likely to fall within the scope of GDPR?
Almost certainly. Since the scope of “personal data” under GDPR is significantly expanded from the Data Protection Act which it supersedes, it is our view that almost any axis vMerchant website and its associated axis diplomat system will hold some elements of “personal data”.
What “personal data” am I likely to be holding in axis vMerchant?
“Personal data” is now defined as anything which can identify an individual. This includes something as apparently innocuous as an email address (regardless of whether it is a personal email address or a corporate/work email address which identifies an individual) so that would encompass many, if not all, of the orders and enquiries captured by your website.
Is axisfirst GDPR compliant?
There is no GDPR compliancy badge or certification. Compliancy can therefore only be established through internal and external audit of an organisation’s information security management. The International Standards Organisation (ISO) provides a specification for an information security management system (ISMS) known as ISO 27001. (An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.) axisfirst is utilising the ISO 27001 standard in order to demonstrate its practice in managing data protection.
Does axisfirst hold any copies of my data?
axisfirst often has one or more copies of a client’s website data. We use this data for the following purposes:
- To provide backups for disaster recovery
- To provide support services (using the data to carry out investigations into reported problems, suspected software bugs or unexpected behaviour).
- To check compatibility when developing and testing software and website modifications.
- To provide helpdesk and consultancy advice to you.
In this regard we act as a data processor for You, the data controller. Should you, for any reason, wish axisfirst to delete all copies of the data we hold on your behalf, we undertake to do this on receipt of a written request from a Director or authorised officer. Should axisfirst cease to provide any services to you, we may permanently delete all copies of your data held by us immediately and without further notice.
Where does axisfirst hold copies of data?
Copies of your data as outlined above may reside in the following locations:
- Secured on our own network, entirely within the UK.
- At our web hosting data centre, entirely within the UK.
- Within Microsoft Azure, limited to data centres in the UK, Ireland or the Netherlands.
Is any of my data ever exchanged between axisfirst and third parties?
When developing or testing websites which interface with third parties with which you interact (e.g. a Payment Service Provider or tracking application), relevant data will need to be transmitted between us and those third parties. All data held within your licensed axis vMerchant system belongs to you and all of that data is treated by us as confidential to your organisation.
In addition, on an ongoing basis, your data held within your hosted axis vMerchant website is backed up by us as part of our disaster recovery planning. We will ensure that those backups are stored in secure, off-site facilities as listed above.