Privacy Policy

Data for which Lexis Information System Ltd T/A LexisClick is the Data Controller

How we use your information

This privacy notice tells you what to expect when LexisClick collects personal information. It applies to information we collect about:

  • Visitors to our websites;
  • People who contact us via social media;
  • People who call our phone numbers;
  • People who email us;
  • People who use our services, e.g. customers who engage us to manage their marketing or marketing related services;
  • Job applicants and our current and former employees

Visitors to our websites

By providing personal information to LexisClick in any of the ways described in this policy, by instructing or authorising another party to provide such information, or by entering into a contract with LexisClick that requires such processing, you agree that you are authorised to provide the information, that you accept this privacy policy and that LexisClick is authorised to process it.

LexisClick will collect a range of information about you, through activity on our website or via emails, ticketing systems, telephone, in person or at trade shows. This information includes:

  • Name
  • Organisation
  • Job title
  • Address of employment
  • Phone number
  • Email address
  • IP address
  • Username
  • Payment details in the case of ordering a service from us

We will not collect sensitive categories of personal data without your explicit consent.

LexisClick will not collect data relating to minors as defined under UK law. Minors as defined by UK law are not permitted to use LexisClick Services or interact with us as a corporate entity.

LexisClick may from time to time contact customers via email regarding service related matters such as billing, account management and maintenance. These emails are an important part of our service to you.

For business contacts who are not currently customers, LexisClick may contact you via email and other electronic means to promote our services to you. If you do not wish to receive these communications you can unsubscribe at any time. All email communications that we send contain a clear link to manage your subscription preferences.

We only store personal contact details for contacts who have given these to us by signing up for information communications from us or applying for a role with us, or who have provided us with these details as their preferred address.

Data retention

We will keep your personal information for as long as you are a customer of LexisClick or a relevant marketing contact.

After you stop being a relevant marketing contact or unsubscribe from our communications, we will remove your data as part of our annual data reviews. Where a contact has been removed from our system, because the information is out of date or the contact has unsubscribed, we may retain a small amount of information relevant to controlling marketing activities. These details typically include email address, subscription preferences and reasons to not contact.

After you stop being a customer, we may keep your data for up to 10 years for the following reasons:

  • To respond to any questions or complaints.
  • To comply with legal requirements.

Data transfers and the use of Data Sub Processors

LexisClick will not share your data with a third party not directly associated with the provision of services without your explicit consent. LexisClick will also not transfer Subject data to a third party country outside of the UK or EEA that is not compliant with the applicable data protection laws via adequacy agreement, Binding Corporate Rules or other legally appropriate means as defined by the Information Commissioner’s Office without your explicit consent.

LexisClick makes use of a number of third party organisations for the purposes of delivery of Services to the Customer.

Whilst the following list is not intended to be exhaustive, LexisClick typically only transfers the personal data relating to our customers, where required for the activities set out below, to the following third parties or Data Processors:

  • Hubspot Inc – Customer Relationship Management and marketing activities
  • Memset Ltd – Server and data centre hosting
  • Fasthosts Ltd – Domain names and email hosting
  • Microsoft Ltd – Email and internal document management
  • Dropbox Inc – data storage
  • Xero Ltd – Accounting and job management

LexisClick will update this list from time to time as our systems and operations evolve and inform you accordingly.

By interacting with LexisClick as defined in this policy, you provide your consent for this transfer and use of our Data Processors and their Data Sub-Processors, and for transfer to any other appropriate third-party Data Processor for the purposes of delivery of the Services and customer relationship management activities. No data transfer will be undertaken that is outside of the strict scope of the purposes stated in this policy, or that will materially degrade the security of your data or your rights.

The Data Processors and Sub Processors we use will be contractually bound to process only in accordance with our instructions and to maintain technical and organisational controls in compliance with our security policy and the requirements of the GDPR.

Commitment to confidentiality and security of processing

LexisClick will use appropriate technical and organisational security measures within our sphere of responsibility to ensure an appropriate level of confidentiality, integrity and, where LexisClick is the Data Controller, availability of your data and to ensure its availability in the event of a business continuity incident.

LexisClick will undertake security and data protection assessments of any third parties we elect to use prior to transfer of any Customer Data and regularly thereafter.

Visitors to our website

When someone visits www.lexisclick.com we use a small number of third-party services, including Google Analytics, Hubspot and Hotjar to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site, understand how the website is being used, personalise areas of the website and understand how marketing channels are performing. Where consent has not been requested and provided, this information is only processed in a way which does not personally identify anyone.

We use standard software to collect information for the strict purpose of tracking activity on our site. This allows us to understand how many people use our site and which pages and features are most popular. The information we normally collect and store is:

  • The name of your Internet service provider
  • The web site that referred you to us (if any)
  • The date and time the pages were accessed
  • The page or pages you requested.
  • Your approximate (nearest city) geographic location

You never transmit personally identifying information that you do not enter yourself, and this is always your option. This information cannot be collected unless you specifically elect to send it to us. This information is used internally only for the purpose of fulfilling the request or for contacting you directly and is not sold to any other organisation. Your information is transmitted directly to LexisClick and is stored securely in the services that we use for this purpose.

Use of cookies by LexisClick and how they Benefit You

Our website uses cookies, as almost all websites do, to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites.

Our cookies help us:

  • Make our website work as you’d expect
  • Remember your settings during and between visits
  • Improve the speed/security of the site
  • Allow you to share pages with social networks like Facebook
  • Personalise our site to you to help you get what you need faster
  • Continuously improve our website for you
  • Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do)

We do not use cookies to:

  • Collect any personally identifiable information (without your express permission)
  • Collect any sensitive information (without your express permission)
  • Pass personally identifiable data to third parties
  • Pay sales commissions

You can learn more about all the cookies we use below

Granting us permission to use cookies

If the settings on your software that you are using to view this website (your browser) are adjusted to accept cookies we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site you can learn how to do this below, however doing so will likely mean that our site will not work as you would expect.

Website Function Cookies

We use a service called Hubspot to build and host our website. The Hubspot service sets cookies for our use to make our website work including:

  • Remembering if you have accepted our terms and conditions
  • Allowing you to add comments to our site
  • Tailoring content to your needs
  • Remembering your preferences such as colours, text size and layout
  • Remembering if we have already asked you certain questions (e.g. you declined to use our app or take our survey)

There is no way to prevent these cookies being set other than to not use our site.

Website Function Cookies

Our site, like most websites, includes functionality provided by third parties. A common example is an embedded YouTube video. Our site includes the following, which use cookies:

  • YouTube
  • Wistia
  • Vimeo
  • Facebook
  • Google
  • Twitter
  • LinkedIn

Disabling these cookies will likely break the functions offered by these third parties

Social Website Cookies

So you can easily “Like” or share our content on the likes of Facebook and Twitter we have included sharing buttons on our site. Cookies are set by:

  • YouTube
  • Facebook
  • Google
  • Twitter
  • LinkedIn

The privacy implications on this will vary from social network to social network and will be dependent on the privacy settings you have chosen on these networks. Please see the privacy policy of the relevant network for further information.

Site Improvement Cookies

We regularly test new designs or site features on our site. We do this by showing slightly different versions of our website to different people and anonymously monitoring how our site visitors respond to these different versions. Ultimately this helps us to offer you a better website. We use:

  • Google Analytics
  • Hotjar

Visitor Statistics Cookies

We use cookies to compile visitor statistics such as how many people have visited our website, what type of technology they are using (e.g. Mac or Windows, which helps to identify when our site isn’t working as it should for particular technologies), how long they spend on the site, what pages they look at, etc. This helps us to continuously improve our website. These so-called “analytics” programs also tell us how people reached this site (e.g. from a search engine) and whether they have been here before, helping us to put more money into developing our services for you instead of marketing spend.

We use:

  • Google Analytics
  • Hubspot

Advertising Cookies

Cookies are widely used in online advertising. Neither we, advertisers nor our advertising partners can gain personally identifiable information from these cookies.

You can learn more about online advertising at http://www.youronlinechoices.com

You can opt-out of almost all advertising cookies at http://www.youronlinechoices.com/uk/your-ad-choices although we would prefer that you didn’t as ultimately adverts help keep much of the internet free. It is also worth noting that opting out of advertising cookies will not mean you won’t see adverts, just simply that they won’t be tailored to you any longer.

We use:

  • Google Adwords
  • Facebook
  • LinkedIn

Remarketing Cookies

You may notice that sometimes after visiting a site you see increased numbers of adverts from the site you visited. This is because advertisers, including ourselves, pay for these adverts. The technology to do this is made possible by cookies and as such we may place a so-called “remarketing cookie” during your visit. We use these adverts to offer special offers to encourage you to come back to our site. Don’t worry, we are unable to proactively reach out to you as the whole process is entirely anonymised. You can opt out of these cookies at any time as explained above.

  • Google Adwords
  • Facebook
  • LinkedIn

Turning Cookies Off

You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies (Learn how here). Doing so, however, will likely limit the functionality of ours and a large proportion of the world’s websites, as cookies are a standard part of most modern websites.

Further reading

Information about cookies: Useful information about cookies can be found here.

Job applicants, current and former LexisClick employees

We have outlined below details about the type of information that LexisClick keeps about job applicants, current and former employees and the purposes for which it keeps them.

LexisClick believes that these uses are consistent with our employment relationship with each member of staff and with the principles of the Data Protection Act and the GDPR.

Recruitment

During the recruitment process LexisClick will ask for information about your personal and employment history. All of the information you provide during the process will only be used for the purposes of progressing your application, or to fulfil legal, regulatory or legitimate requirements if necessary.

LexisClick will not share any of the information you provide during the recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us and/or our data processors whether the information is held in electronic or physical format.

LexisClick will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

The information we ask for is used to assess your suitability for employment. You do not have to provide what we have requested but it may affect your application if you don’t.

Application Stage

We will ask all candidates for personal details including their name and contact details. We will also ask for information about your previous experience, education, referees and for answers relevant to the role you have applied for.

We use a third party HR consultancy provider, Streetwise HR, and all the information you share with us will be shared with them as our external HR department. Our HR provider and your Recruiting Manager will have access to all the information you provide.

You may be asked to provide equal opportunities information. This is not mandatory information. If you choose not to provide it, it will not affect your application. This information will only be made available to our HR provider and your Recruiting Manager; it will not be available to any other staff in a way which could identify you.

Any information you choose to provide will only be used to produce and monitor equal opportunities statistics.

The Selection Process

All external applicants who are to be formally interviewed will be asked to complete an Application and Pre-Employment Screening form.

The selection process will normally begin with a discussion between the Recruiting Manager, our HR provider and their Line Manager or Department Head in order to determine the selection approach. The appropriate selection method may not necessarily be limited to, but will always include, face to face interviews. We may also ask you to complete a test or attend other selection events such as a selection centre or psychometric testing. This information will be held by LexisClick and will be accessible to our HR provider.

If, following assessment of your application for the position you have applied for, you are unsuccessful we will retain your information for a period of 6 months unless you instruct us otherwise.

Conditional Offer

In compliance with LexisClick’s recruitment guidelines, if we make you a conditional offer of employment we will ask you for information so that we can carry out pre-employment screening and vetting checks.

These checks include:

  • Address confirmation
  • Credit enquiry with Electoral Roll and ID Verification
  • 5 year employment history check
  • Basic criminal disclosure
  • Right to work documentation verification
  • Activity and Gap Verification 5 Year Gap 28 days
  • DVLA if applicable for role
  • Qualifications if applicable for role

Commencement of your employment is conditional on completion of Pre-Employment Screening and Vetting documentation.

You will be required to provide the following to allow us to complete these checks:

  • Proof of identity – Passport (any nationality), UK driving license, EU Photo Identity card, UK birth certificate (issued within 12 months of birth)
  • Proof of address – e.g. a Bank or Credit Card Statement (dated within last 3 months)
  • Proof of qualifications – you will be asked to provide original documents and we will take copies

We will provide your name and copies of your proof of identity, right to work and proof of address to our HR provider, who may at their discretion provide it to a third-party employment detail checking provider. You will be provided with details of any third party service prior to your data being submitted. LexisClick or our HR provider will also contact your referees using the details you provide in your Application Form to obtain references.

You must successfully complete these pre-employment checks to progress to a final offer.

If we make a final offer and you accept, we will also ask you to provide the following:

  • Bank details to process salary and other payments e.g. commission
  • Emergency contact details so we know who to contact in case you have an emergency at work

Use of data processors

Data processors are third parties, such as our HR provider, who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means they cannot do anything with your personal information unless we have instructed them to do so. They will not share your personal information with any organisation apart from us.

Personnel Records & Retention

If you accept a final offer from us, some of your personnel records will be held on our HR software and physical records may also be held securely. These details will include:

  • Contact names and addresses
  • Bank details
  • Date of birth
  • Salary
  • Information gathered about you and any references gained during the recruitment process
  • Details of terms of employment
  • Payroll, tax and National Insurance information
  • Performance information
  • Details of grade and job duties
  • Health records
  • Absence records, including holiday and self-certification forms
  • Details of any disciplinary investigations and proceedings
  • Training records
  • Correspondence with the Company and any other information provided to us

If you are successful, the information you provide during the recruitment and application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your Application Form, Medical Questionnaire, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided up until that stage will be retained for 6 months and will then be securely disposed of.

Access to personal information / Your rights

Under the General Data Protection Regulation (GDPR) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict or object to processing. For further information see our Employee Handbook.

Disclosure of Employee Data

The information held will be for our management and administrative use only, but from time to time we may need to disclose some information we hold about employees to relevant third parties.

LexisClick may also hold information about an employee for which disclosure to any third party will only be made when strictly necessary for the purposes as follows:

  • An employee’s health; for the purposes of compliance with our Health & Safety and occupational health obligations
  • For the purposes of HR management e.g. the administration of insurance, pension, sick pay and other related benefits
  • In connection with unspent convictions to enable us to assess an employee’s suitability for employment

Compliance

LexisClick requires all employees to comply with the GDPR in relation to information about other staff. Failure to do so will be regarded as serious misconduct and will be dealt with according to the Company’s disciplinary policy and procedure. If an employee is in a position to deal with information about other employees, they will be given separate guidance on their obligations.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here.

Complaints or queries

LexisClick tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of LexisClick’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

If you want to make a complaint about the way we have processed your personal information, you can either email data@lexisclick.com or write to the Data Department at LexisClick, 76 Shelley Road East, Bournemouth, BH7 6HB.

If you are not satisfied with our response you can contact the statutory body which oversees data protection law – www.ico.org.uk/concerns.

Access to personal information

LexisClick tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a data request to us. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to;
  • let you have a copy of the information in an intelligible form; and
  • provide it to you within one month from the date of the ‘subject access request’.

To make a request to LexisClick for any personal information we may hold you need to put the request in writing addressing it to our Data Department, or writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Data Department.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 21st May 2018.

We reserve the right to change our privacy policy. A revised policy statement will only apply to data collected subsequent to its effective date. Any revisions will be posted at least 30 days prior to its effective date.

How to contact us

If you want to request information about our privacy policy you can email us at data@lexisclick.com or write to:

Data Department
LexisClick
76 Shelley Road East
Bournemouth
BH7 6HB

Privacy Addendum for Lexis Information Systems Ltd T/A LexisClick

Purpose and Scope of LexisClick’s Data Processing on behalf of Data Controllers

For the purpose of providing the Services, LexisClick will process Customer Provided Data. To the extent that Customer Provided Data is comprised of Personal Data, the parties acknowledge that LexisClick acts as a Data Processor for all Customer Provided Data supplied to LexisClick by the Customer as well as the Customer’s own customers or agents.

The Services are provided on the basis that either:

  • the Customer is the Data Controller for all Customer Provided Data supplied to LexisClick under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
  • where the Customer is a Data Processor on behalf of a Data Controller, that LexisClick is a sub-Data Processor and that the Customer has:
    1. ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
    2. entered into the required contractual arrangements, including arrangements with the relevant Data Controller for LexisClick to act as sub-processor legally;
    3. has complied with its obligations as Data Processor under the applicable Data Protection Laws; and
    4. shall be liable to the Data Controller for LexisClick’s acts and omissions as a sub-Data Processor.

By accepting this addendum, the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.

Nature of the Processing

LexisClick undertakes a range of Processing as defined by the Services, i.e. the provision of marketing and website hosting services to the Customer, the choice of which is determined by the Customer.

LexisClick provides marketing services to support the Customer’s or Customer’s agents’ processing of data to that end.

LexisClick has access to process and manipulate Customer Provided Data under the Customer’s written instruction for the purposes of their marketing activities and customer communications.

Any processing by LexisClick of Customer Provided Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.

LexisClick classifies all Customer Provided Data as the same type of data and does not maintain visibility of different types of Customer Provided Data or categories of Personal Data within this set. LexisClick applies the same level of generic security controls to all Customer Provided Data.

LexisClick provides a service which constitutes among other things the provision of websites, hosting, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.

Duration of Processing

The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Provided Data. While the Agreement is in force, LexisClick will Process all such Personal Data in accordance with the Customer’s written instructions.

LexisClick’s Responsibilities

SECURITY AND COMPLIANCE OF THE UNDERLYING HOSTING INFRASTRUCTURE

LexisClick along with its third party suppliers will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure, within the scope of the services provided to the customer. LexisClick’s personnel are subject to a duty of confidence that is compliant with the applicable Data Protection Laws.

LexisClick has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

A non-exhaustive list of technical and organisational measures is set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:

SECURITY MANAGEMENT & POLICY

  • Use of third party hosting providers that have in place an information security management system based on an industry international standard (currently ISO27001:2013)

HR & ACCESS CONTROL

  • Vetting of all LexisClick personnel prior to commencement of employment
  • Appropriate on-hire, role change and termination activities related to LexisClick access and asset management
  • Restriction of LexisClick access to customer data or Customer Provided Data to those personnel with a business need for access
  • The ability to audit all LexisClick personnel access to Customer Provided Data and/or Customer Hosted Data

OPERATIONAL SECURITY

  • Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
  • Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure are appropriate to LexisClick’s scale and policies
  • Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
  • Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by LexisClick
  • Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs
  • Appropriate security of all LexisClick end-user devices used by LexisClick to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions

INCIDENT MANAGEMENT & COMMUNICATION

  • Sufficient internal incident management procedures including the commitment to escalate relevant security incidents to impacted Customers without undue delay

AVAILABILITY OF CUSTOMER HOSTED SOLUTIONS AND SERVICES

Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.

In accordance with the Services being provided, LexisClick is not able to decide how Personal Data comprising Customer Provided Data is processed, as it is processing data under the written instruction of the Customer.

As the Data Controller the Customer has the following responsibilities under GDPR:

  1. Maintain appropriate technical controls to secure and monitor for security
  2. Where the above is included within the scope of a Customer SLA, LexisClick will undertake the work based on instructions from the Customer, but the Customer remains responsible for the efficacy of the controls implemented.
  3. Undertake all organisational measures required to ensure compliance with the basic principles for processing (Articles 5, 6, 7 and 9 of the GDPR) and Subject’s rights (Articles 12-22 of the GDPR) at point of collection of data, be aware of the technical and organisational security controls put in place by LexisClick, and maintain additional technical and organisational controls to ensure compliance during processing, storage and removal
  4. Undertake and manage all communication with Data Subjects
  5. Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller

LexisClick’s use of Data Sub-Processors

By entering into this Data Protection Addendum, the Customer hereby permits LexisClick to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data. LexisClick shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.

LexisClick utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub-Processors used to provide Services will be updated from time to time to reflect the current operational position:

  1. Memset Ltd – Provision of hosting services
  2. Fasthost Ltd – Provision of hosting services
  3. Microsoft Ltd – Provision of LexisClick email used for communications with the customer, email and hosting services for customers
  4. Hubspot Inc – Provision of LexisClick website, marketing and customer relationship. Marketing and website hosting for some customers.
  5. MailChimp (The Rocket Science Group) – Provision of email marketing services
  6. Xero Ltd – Provision of accounting and work management systems
  7. Dropbox Inc – Provision of data storage

LexisClick will update the Customer of the use of any new Data Sub-Processor prior to adoption of the Sub-Processor and transfer of Customer Provided Data or provision of any form of access to Customer Hosted Solutions by support ticket or email, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws subject to LexisClick complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. LexisClick will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.

LexisClick will maintain written contracts with all LexisClick Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular checks to confirm their continuing conformance with Data Protection Laws.

Transfer to non GDPR-aligned locations or Sub-Processors

LexisClick will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third-party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.

Processing in accordance with written instructions

LexisClick will only process Customer Provided Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be in whole contained within the section ‘Purpose and scope of LexisClick’s Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted as they will fall outside of the scope of our services.

Assistance with Customer data protection obligations

Insofar as LexisClick provides data processing services to the Customer, LexisClick will assist the Data Controller in meeting their data protection obligations including:

  1. Carry out internal Data Privacy Impact Assessments as the Data Processor for all Services and provide summaries of these as required to the Customer.
  2. Inform the Customer of the possibility of a material security breach to their Customer Provided Data if detected by our systems without undue delay.
  3. Keep a record of all Processing of Personal Data performed in relation to the Services.
  4. Notify the Customer of any Security Incident resulting in a data breach affecting their Customer Provided Data, that has occurred or has been suspected to one of our sub-processors and where we have been notified by the sub-processor without undue delay
  5. For termination of contract for reasons other than breach of Acceptable Use Policy or non-payment of fees, provide a reasonable period in which the Customer can use standard tools to extract the data themselves provided that such extraction by the Customer does not prejudice LexisClick or its systems. In all cases LexisClick will delete all Customer Provided Data on our infrastructure as part of decommissioning a Customer service.
  6. LexisClick shall assist the Customer in complying with its obligations under applicable Data Protection Laws in particular in relation to implementing appropriate security measures, to carrying out a data protection impact assessment, and to consulting the competent data protection authority.