Uniti CMS Privacy and GDPR Statement
Identity of UnitiCMS
If there are any questions regarding this Policy you may contact us using the information below.
Bellside Solution Ltd.
43 Shawstonfoot Road, Motherwell ML1 5NY
Phone: +44 778 996 3095
Trading as UnitiCMS (Uniti Counselling Management System)
Registered Company No: SC447773
What information do we collect?
UnitiCMS does not actively collect any information on an individual unless it is exclusively used to process the individual through the counselling or student services process.
Although UnitiCMS is responsible for the integrity and security of this data, we do not process, pass on or publish any information without your consent.
UnitiCMS holds information on your staff and information on your clients.
All staff information is used to track appointments, availability and access to the system. All information added to UnitiCMS is controlled by the Administrators of the system. Administrators are appointed and controlled by you or at your request and will be your staff employees or elected persons.
All data will be entered by you or at your request. Staff information includes full name and email address and may include further information added by your staff or your administrator.
All client information is entered into the system by your staff or representative, or through the registration process offered to your client.
You will remain in all instances the controller of the data requested from the client. We provide example registration and other online forms. These forms should be configured by you or at your request to comply with your organisation's GDPR policies. Failure to comply with this is not the responsibility of UnitiCMS.
UnitiCMS will not access any of the personal data you record about any of your clients. UnitiCMS will never access this information. All client records and associated data are stored on your own individual database. This information is stored encrypted within the database. All databases are automatically backed up and the restore policy means that our staff cannot access your client data.
On Our Complimentary Cloud Server
When our cloud servers are used:
UnitiCMS is regarded as the Data processor
You are regarded as the Data controller.
On Your infrastructure servers
If you choose to use your own IT servers for UnitiCMS software, then:
You become the data processor
You become the data controller
All security protocols, backups and data processing are completely controlled by you, and UnitiCMS becomes only a software supplier, responsible for updates and bug fixes of the software, and holds no responsibility for the collated data.
There is a retention policy setting within UnitiCMS to purge all client data from the system after a given time period. This facility is set to retain all data in perpetuity unless the retention policy is set and activated by you. This retention policy should be set by you to allow your department or service to abide by your controlling body's guidelines.
System Generated Data
The Service automatically creates and stores data on the basis of the other types of data, e.g.:
Registration data, like start date, Appointment dates and other event/time driven data.
Management data, to provide statistics for your service overview and workload control.
Event data, there is a full event log of system requests to allow system Auditing and problem tracing / resolution.
Staff Email Addresses
We may use your staff data to send periodic e-mails. The e-mail address you provide for software purchasing may be used to send you information and updates pertaining to your service, in addition to occasional company news (if accepted) and updates, service information, etc.
If at any time you would like to unsubscribe from receiving future e-mails, you can request this by notifying us using the contact information above.
EU General Data Protection Regulation (GDPR)
The processing of your data is based either on your consent or on the processing being necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.
If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information above.
In order to enter into a contract regarding the purchase of UnitiCMS’s Service, you must provide us with the required personal data. If you do not provide us with all the required information, it will not be possible to deliver the Service.
How do we protect your information?
UnitiCMS implements the following technical, physical and organisational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised use, unauthorised modification, disclosure or access and against all other unlawful forms of processing.
Complimentary Cloud Servers
The Service utilises the extensive features of the cloud environment to ensure high availability, like full redundancy and data backup.
No personal data is stored permanently outside UnitiCMS’s platforms. Physical security is thereby maintained by UnitiCMS’s personnel, and IONOS complies with industry standards such as ISO 27001 for physical security and availability.
To ensure integrity, all data in transit is encrypted to align with best practices for protecting confidentiality and data integrity. For example, all information is transmitted via Secure Sockets Layer (SSL) technology and then encrypted into our database, to be accessible only by those who are authorised by you to access such systems and who are required to keep the information confidential.
For data in transit, the Service uses industry-standard transport protocols between devices and IONOS data-centres and within the data-centres themselves.
All personnel are subject to full confidentiality, and any subcontractors and sub-processors are required to sign a confidentiality agreement if full confidentiality is not part of the main agreement between the parties.
Whenever personal data is accessed by authorised personnel the access is only possible over an encrypted connection.
Any device being used to access personal data is login protected.
UnitiCMS will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. UnitiCMS will also provide the summaries of any independent audits of the Service.
Access to UnitiCMS data is restricted to personnel individually authorised by you. Authorised personnel may be granted minimum access on a need-to-have basis.
The ability to intervene
UnitiCMS enables your rights of access, rectification, erasure and blocking by providing you with built-in functions for user handling in the Administration → Practitioners interface.
Responsibility for data security within your organisation lies with your Data Protection Officer, who must educate and update all of your staff and personnel on the data security measures of your organisation.
Your Data Protection Officer must review and pass all online forms to comply with GDPR guidelines, such as Client Data Requests and Client Contracts.
UnitiCMS uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorised or accidental changes are made.
System performance and availability are monitored from both internal and external monitoring services.
Personal Data breach notification
In the event that your data is compromised, UnitiCMS will notify you and the competent Supervisory Authority(ies) within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and UnitiCMS's action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.
Do we disclose any information to outside parties?
UnitiCMS does not sell, trade or otherwise transfer to outside parties any information.
This does not include trusted third parties or subcontractors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information of your staff, but never your clients, on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
Subcontractors/trusted third parties
UnitiCMS will monitor subcontractors’ and subprocessors’ maintenance of these standards and audits to ensure that data protection requirements are fulfilled.
Legally required disclosure
UnitiCMS will not disclose the customer’s data to law enforcement except when instructed by you or where it is required by law. When governments make a lawful demand for customer data from UnitiCMS, UnitiCMS strives to limit the disclosure. UnitiCMS will only release specific data mandated by the relevant legal demand.
If compelled to disclose your data, UnitiCMS will promptly notify you and provide a copy of the demand unless legally prohibited from doing so.
Where do we store the information?
No stored data will be transferred, backed up and/or recovered by UnitiCMS outside of the United Kingdom of Great Britain and Northern Ireland.
Personal data location (Applicable to the Complimentary Cloud Service Only)
All data are stored in databases and file repositories hosted in a data centre of IONOS, UnitiCMS's cloud vendor. The physical location of these servers will be the same as your organisation's jurisdiction, e.g. UK based.
Databases are continuously backed up to enable restore to any point in time within a retention period of 28 days. Backups are stored on file storage at the same geographical location as the database.
UnitiCMS uses the extensive range of built-in logging features and audit trails on its web application. UnitiCMS also logs all system updates, configuration changes and access to provide an audit trail if unauthorised or accidental changes are made.
You may request a data protection audit performed by an independent third party who is also accepted by UnitiCMS. You will be liable for any costs and applicable taxes for an audit request, along with £150 per hour for the time UnitiCMS spends in connection with the audit, as well as any other costs related to the audit, including the auditor.
UnitiCMS will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition) and to manage incidents, including forensic analysis in case of a security breach.
You may at any time lodge a complaint with a supervisory authority regarding UnitiCMS’s collection and processing of your personal data.