General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ personal data. It will take effect from 25th of May 2018.

We are committed to helping our customers comply with the GDPR by providing best industry standard privacy and security protections that are built into our services.

What are your responsibilities as a customer?

Our customers will typically act as the data controller for any personal data they provide to Cloud Stem in connection with their use of our software services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Cloud Stem is a data processor and processes personal data on behalf of the data controller when they use Cloud Stem services.

Data protection and Data Queries

How to contact us with data queries?

We have a dedicated Data Protection Officer to help you with any requests or questions you have about your data. You can reach out to us by emailing at

Cloud Infrastructure and Systems

Where is our data center based?

UK South

What security accreditations our cloud provider have?






IRS 1075

Who has access to your data?

Technical Customer service team

Is data encrypted on our servers at rest?

Yes, we use Transparent data encryption (TDE) to encrypt your SQL data and all your documents are encrypted through 256-bit AES encryption, one of the strongest block ciphers available.

Data retention / encryption / deletion

For how long do we retain your data?

We never delete your data until you ask us so by emailing. The duration of your data retention is your responsibility

For what period is your data stored in backups?

35 days

Where do we store backups?

UK South

Is Personal Data encrypted at rest?

Yes, we use Transparent data encryption (TDE) and 256-bit AES encryption.

Is Personal Data encrypted in transit?

Yes, using HTTPS protocol.

Third Parties

Is your data shared or passed on to any third parties?

No. We use Microsoft Azure as a Cloud infrastructure, SendGrid for transmitting our emails and Twilio for SMS.

Logs and Analytics

Do we regularly keep, review and access transaction logs on all networks storing/processing our data?


Is access to all logs recorded and monitored?


Are all logs encrypted?


For what period is your data stored in Logs?

35 days

Do we monitor and analyze the logs?

Yes, we analyze logs and build reports on how our services are performing.

Data Breach

Do we have a breach notification mechanism?


Have we had a security breach within the last 24 months?


Do we notify customers of any suspected breach?

Yes as soon as possible.

Regions / Outside of EEA

Is any of data transferred outside of the EEA?


Is any Cloud system used outside of the EEA to store data?



Could you please describe the physical security server access that protects our data?

Physical security of our cloud infrastructure is managed by Microsoft Azure

Could you please describe the physical security of office access?

Physical security of our offices is managed by us.

What are our password complexity rules?

We use AES-GCM-256 authenticated encryption for password complexity.

Software Development

Is production data used in test, release or development environments?


What procedures do we have in place for software development?

We use secure development policy and use scrum as a methodology.

Describe the separation of development, test and operational facilities?

We have completely separate environments for Development, Testing and Production.


What information do we store of our customers?

•  First Name

•  Last Name

•  Email

•  Username

•  Password

•  Country

•  State/Province

•  IP Address/Location Info

•  Timezone

•  Stripe Payment Info.

•  Company Name

•  Address

How do we use our customers information?

•  To provide software and cloud services

•  For on-going promotional software product emails (customers can unsubscribe anytime)