GDPR Compliance

UK GDPR Compliant

1. Our Commitment to GDPR

PICMS is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We handle personal data with the utmost care and respect for individual privacy rights.

Key Commitment: All customer data is stored exclusively in UK/EU data centres (AWS EU-West-2, London), ensuring your data never leaves the UK/EEA unless explicitly authorised.

2. Lawful Basis for Processing

We process personal data based on the following lawful bases under Article 6 of the UK GDPR:

Contract

Processing necessary to provide our compliance management services as agreed in our Terms of Service.

Legitimate Interests

Processing for improving our services, ensuring security, and communicating with users.

Legal Obligation

Processing required to comply with applicable laws and regulations.

Consent

Where you have given explicit consent for specific processing activities.

3. Your Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right	Description	Response Time
Right of Access	Request a copy of all personal data we hold about you	30 days
Right to Rectification	Request correction of inaccurate or incomplete data	30 days
Right to Erasure	Request deletion of your personal data ("right to be forgotten")	30 days
Right to Data Portability	Receive your data in a structured, machine-readable format	30 days
Right to Restriction	Request limitation of processing in certain circumstances	30 days
Right to Object	Object to processing based on legitimate interests	30 days
Right to Withdraw Consent	Withdraw consent at any time where processing is based on consent	Immediate

To exercise any of these rights, contact us at privacy@picms.com

4. Data Protection Measures

We implement comprehensive technical and organisational measures to protect your data:

4.1 Technical Measures

Encryption: 256-bit SSL/TLS for data in transit, AES-256 for data at rest
Access Controls: Role-based access control, multi-factor authentication
Infrastructure: UK-based data centres with SOC 2 Type II certification
Monitoring: 24/7 security monitoring and intrusion detection
Backups: Encrypted backups with tested recovery procedures

4.2 Organisational Measures

Policies: Comprehensive data protection and security policies
Training: Regular staff training on data protection
Audits: Regular security audits and penetration testing
DPO: Designated Data Protection Officer
DPIA: Data Protection Impact Assessments for high-risk processing

5. Data Processing Agreements

As a data processor, we enter into Data Processing Agreements (DPAs) with all customers, ensuring:

Clear allocation of responsibilities
Instructions on data processing
Confidentiality obligations
Sub-processor management
Assistance with data subject rights
Breach notification procedures

Download our standard Data Processing Agreement.

6. International Data Transfers

Your data is primarily stored within the UK (AWS eu-west-2, London). Some sub-processors process API content in the United States (Anthropic, OpenAI, Auth0, Resend) under the UK addendum to the EU Standard Contractual Clauses. We:

Use Standard Contractual Clauses (SCCs) approved by the ICO
Verify adequacy decisions where applicable
Conduct Transfer Impact Assessments
Implement supplementary measures as needed
Confirm that Anthropic and OpenAI's published API terms exclude API content from being used to train their models by default

The full sub-processor list (with locations and DPA terms) is at /trust#subprocessors and in the Privacy Policy §5.

7. Data Retention

We retain personal data only as long as necessary:

Active Accounts: Data retained while account is active
After Termination: 30 days for data export, then deletion
Compliance Records: Up to 7 years as required by regulations
Backups: Purged within 90 days of deletion
Audit Logs: 2 years for security purposes

8. Data Breach Procedures

In the event of a personal data breach, we will:

Notify the ICO within 72 hours (where required)
Notify affected individuals without undue delay (where required)
Document all breaches in our breach register
Implement measures to prevent recurrence

9. Sub-Processors

We use the following sub-processors to deliver the Service. The canonical list (with locations and DPA terms) lives at /trust#subprocessors and in the Privacy Policy §5:

Amazon Web Services (AWS): Cloud hosting + transactional email (SES) — eu-west-2 (London), United Kingdom
Auth0 (Okta): Authentication, MFA — United States (UK addendum to EU SCCs)
Anthropic (Claude API): AI analysis & content drafting — United States (UK addendum to EU SCCs)
OpenAI (Embeddings API): Semantic search of customer documents — United States (UK addendum to EU SCCs)
Resend: Transactional email (RAMS, invitations, digest) — United States (UK addendum to EU SCCs)
Stripe: Payment processing — United Kingdom / United States (PCI DSS Level 1)
Telegram (optional): Digest/alerts only when a user voluntarily links their account

All sub-processors are bound by data processing agreements and undergo regular security assessments. We notify you 30 days before adding a new sub-processor.

10. Supervisory Authority

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Data Protection Contacts

General Enquiries: privacy@picms.com

Data Protection Officer: dpo@picms.com

Data Subject Requests: dsar@picms.com

Address: PICMS Ltd, London, United Kingdom