GDPR Statement and Policy
.
The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, replacing the Data Protection Act 1998 (UK).
.
James Burrows t/a jigsaw kloud, in his role as a Data Protection Officer, is a Data Controller, responsible for collecting and protecting sensitive client data (including contact information and banking details). Information is only ever stored electronically. No paper records are kept; when necessary, paper documents are scanned into electronic copies and then securely shredded.
.
Suppliers acting as Data Processors:
#1 Microsoft
#2 Google
#3 Zoho
#4 Boxcryptor
#5 Authy (Twilio)
#6 Signable, WordPress, and SiteGround
.
Suppliers acting as Data Controllers:

#7 Business energy aggregators/suppliers
.
.
#1 Microsoft
Windows 10
Access to the Windows 10 device is restricted by a password known only to James Burrows t/a jigsaw kloud. Documents detailing sensitive data are password protected, encrypted with Boxcryptor (#4), and backed up using Google Backup and Sync (#2), both of which are protected by two-factor authentication (2FA), managed using Authy (#5).
Microsoft’s GDPR statement
.
.
#2 Google
Backup and Sync; and Gmail contacts
All documents stored on Backup and Sync can only be accessed through the devices of James Burrows t/a jigsaw kloud, as all files are encrypted locally using Boxcryptor (#4). As such, if Google Backup and Sync experiences a data breach, the data jigsaw kloud holds will not be compromised.
.
Contact information is saved in Gmail, access to which is possible through other devices; as such, 2FA has been implemented to prevent unauthorised access.
Google’s GDPR statement
.
.
#3 Zoho
CRM, Mail, Invoicing, Campaigns, and Vault
jigsaw kloud stores data (including contact details, emails, notes of conversations, project information, invoice details and login details for digital accounts) for leads, clients and suppliers in the Zoho CRM, Mail, Invoicing, Campaigns, and Vault applications. Standard password login, coupled with 2FA, is required to access these accounts and is known and accessible only to James Burrows t/a jigsaw kloud.
Zoho’s GDPR statement
.
.
#4 Boxcryptor
All files are encrypted using Boxcryptor, access to which is only possible via the devices of James Burrows t/a jigsaw kloud, both of which are password protected (with passwords known only to James). Access to the Boxcryptor account is further secured by 2FA. When necessary, jigsaw kloud will use Whisply (from Boxcryptor) to send encrypted files. Boxcryptor advises that implementing their software ensures there is “no risk of losing the trust of your clients and partners. In case of a breach, you do not have to notify partners, customers and authorities, because you protected the data accordingly. Thanks to encryption, there is no risk for the affected parties. For transparency reasons, we suggest you let the affected party know what is going on. However, you can assure them everything is fine and there is no risk.”
Boxcryptor’s GDPR White Paper

.
.
#5 Authy (Two-factor authentication)
jigsaw kloud uses the Authy code generator to manage 2FA when adding additional security to digital accounts (including client accounts). Access to Authy is password and fingerprint/PIN-protected (known and accessible only to James Burrows t/a jigsaw kloud).
Twilio’s GDPR statement
.
.
#6 jigsaw kloud website
Signable, WordPress, and SiteGround
The only data we collect through the jigsaw kloud website is through the contact and Letter of Authority pages, which transfer the information directly into our Zoho CRM (#3) and Signable accounts, respectively.
Our website is managed through WordPress and hosted by SiteGround, both of which are protected with Authy 2FA (#5). We always advise our clients to let us implement 2FA on websites we create for them.
Signable’s GDPR statement
WordPress’ GDPR statement
SiteGround’s GDPR statement
.
.
#7 Business energy aggregators/suppliers
GEC, Online Direct, and D-ENERGi

jigsaw kloud shares information with energy aggregators (Green Energy Consulting, and Online Direct) to prepare and process energy quotes and contracts on behalf of various energy suppliers (EDF, SSE, Scottish Power, Gazprom, E.On, nPower, British Gas, CNG, Dual Energy, Opus, Crown Gas & Power, Axis, Utilita, Haven Power, Total, LOCO2 Energy, Green Energy UK, Ecotricity, GDF Suez, Dong, and Extra Energy). We process contracts directly with D-ENERGi.
Green Energy Consulting’s GDPR Policy
Online Direct’s GDPR Policy
D-ENERGi’s GDPR Policy

.
.



What personal data we collect
jigsaw kloud considers there to be either a contractual or legitimate business interest to maintain contact with current clients, partners and suppliers. We only collect and process personal data we require to provide a specific service, which may include the following personally identifiable information: name, company name, e-mail address, telephone number and address (collectively called Contact Information). In addition, if you contact us directly, we may receive additional information, the contents of any message and/or attachments you send us, and any other information you choose to provide. The personal information you are asked to provide, and the reasons you are asked to provide it, will be made clear to you when we request your personal information.
.
How we handle your personal data
jigsaw kloud uses your data to provide a specific service and makes this data available only to trusted third parties relating to that specific service, i.e. energy aggregators/suppliers for energy contracts.
.
How we protect your personal data
jigsaw kloud takes reasonable precautions, utilising encryption (#4) and two-factor authentication (#5), to protect data in our possession from loss, misuse, and unauthorised access.
.
How long we process your personal data
The personal data we process for any purposes will not be held for a longer period than we have an ongoing legitimate business need to do so. When we have no ongoing legitimate business need to process your personal information, we will either delete or, if not possible, continue to securely store your information and isolate it from any further processing until deletion is possible.
.
How we process requests for data
Any clients, suppliers or partners who wish to receive copies of the data jigsaw kloud holds about them are welcome to request copies, which we will send via Whisply, free of charge, within 30 days (unless the request is complicated, in which case a charge of £25 will be applied and a time period of 2 months shall be allowed).

.
YOUR RIGHTS
.

Right of access: You have the right to obtain from us information concerning you and to request copies of your personal data.
.
Right to rectification: You have the right to request rectification of inaccurate personal data and, in addition, provide information to correct any mistakes.
.
Right to be forgotten: You have the right to request from us the erasure of your personal data, and we have an obligation to delete it without undue delay.
.
Right to restriction of processing: In certain situations, you have the right to obtain from us the restriction of processing.
.
Right to data portability: You have the right to receive from us in a structured, commonly used and machine-readable format your personal data and to transmit your personal data to another controller.
.
Right to object: In certain situations, you have the right to object to the processing of your personal data. You have the right to object to further processing of your personal data, e.g. for marketing purposes.
.
Right to file complaints: You have the right to file complaints with the Information Commissioner’s Office (ICO) regarding our processing of your personal data.
.
Right to compensation of damages: In case we breach applicable legislation on processing your personal data, you have the right to claim compensation from us for any damages such a breach may cause you.
.
If you wish to make a request regarding your personal data, related to any of the rights mentioned above, please contact us.
.
James Burrows t/a jigsaw kloud

19th May 2018