Who this page is for. Clients (and their legal / DPO teams) who use software we host on their behalf — for example the Diocese Management System (DMS), Property, Event Jamboree, or a bespoke build. This page summarises our role as a data processor under UK GDPR. The data controller is always the client organisation.
For visitors to this marketing site, the relevant document is our Privacy Policy. This page covers what happens to your end-users’ personal data when you contract us to host or operate software for you.
Our role
When HCOMS hosts software on a client’s behalf, the client is the data controller for any personal data their staff or end-users enter into that software. HCOMS acts as a data processor, processing that data only on the client’s documented instructions, set out in the contract and any specific Data Processing Agreement (DPA) we have signed with the client.
We do not use client data for our own marketing, analytics, training of AI models, or any other purpose beyond delivering the service.
Subject matter and nature of processing
- Subject matter: hosting and operating the software product the client has commissioned from us.
- Nature of processing: storage, retrieval, backup, transmission, support and (with explicit instruction) deletion of personal data the client has uploaded or generated through use of the software.
- Duration: for the duration of the service contract, plus any wind-down period agreed in writing. After termination we return or delete personal data as the client instructs, subject to any legal retention obligation.
Categories of data subject
Depending on the product, this may include:
- Client staff, volunteers and trustees who use the system.
- Members, parishioners, tenants, residents, supporters or other contacts that the client manages within the system.
- End-customers in e-commerce or event-booking flows.
Categories of personal data
Again, this depends on the product the client has commissioned. Typical categories include: names, contact details, addresses, role/position, communication history, document metadata, payment references (we do not store full card numbers — see “Payments” below) and audit logs of user activity.
Some clients use our systems to record categories of data that are special-category data under UK GDPR (for example, religious affiliation within a diocesan context, or health-related records within a property safety context). The client is responsible for identifying these categories and ensuring they have a lawful basis under Article 9 of UK GDPR.
Hosting and location
Client production data is hosted in the United Kingdom, in data centres operated by reputable UK-based providers under their own ISO 27001 and physical-security regimes. We do not transfer personal data outside the UK or EEA as part of the standard hosted service. Where a client specifically requests an international transfer, we use UK GDPR Article 46 safeguards (such as the UK International Data Transfer Agreement).
Sub-processors
We rely on a small number of sub-processors to deliver the service. We will give clients reasonable advance notice of any change to this list.
- UK hosting providers — infrastructure (servers, backups, networking).
- Transactional email providers — delivery of system notifications, password resets and reports.
- Stripe — where the client has enabled card payments. Stripe is the controller of cardholder data; HCOMS does not store full card numbers.
- Error monitoring — minimal application telemetry for diagnosing faults, with personal-data fields scrubbed by default.
- Where a client integrates a third-party service of their own choosing (for example a CRM, document store or analytics tool), that provider is the client’s sub-processor, not ours.
Security measures
We apply a layered set of technical and organisational measures, including:
- Encryption of data in transit (TLS) and at rest (disk-level encryption on hosted systems).
- Per-user authentication with strong-password and lockout policies. Multi-factor authentication is available and recommended.
- Role-based access control inside the application, audit logging of administrative actions, and least-privilege access for HCOMS staff.
- Regular off-site, encrypted backups with documented restore tests.
- Routine patching of operating systems, frameworks and dependencies.
- Confidentiality obligations on all HCOMS staff and contractors.
- An internal incident-response process with escalation paths for personal-data breaches.
Personal data breaches
If we become aware of a personal-data breach affecting client data, we will notify the affected client without undue delay — in practice, within 24 hours of confirmation — with the information they need to meet their own 72-hour notification duty to the Information Commissioner’s Office. We assist the client’s investigation and remediation as required by the DPA.
Data-subject rights
Requests from individuals to access, correct, delete, restrict or port their personal data are handled by the client as data controller. Where the client needs our technical assistance to fulfil such a request (for example, to extract or delete records inside the hosted system), we provide it as part of the service.
Payments
Where a client uses a payment gateway (typically Stripe or SagePay) through software we host, the gateway is the controller of cardholder data. HCOMS does not see, store or process full card numbers, CVV codes or expiry dates. We store only the references and metadata returned by the gateway (such as transaction IDs, last-four digits, amount and outcome).
HCOMS as a data controller
HCOMS is the data controller for a small amount of data that we hold about the client organisation itself — for example, billing contacts, support-portal users and project correspondence. The handling of that data is described in our Privacy Policy.
Getting a signed Data Processing Agreement
Most clients are covered by the data-protection clauses in our standard Terms & Conditions. Clients who need a standalone DPA (for example, to satisfy a procurement or compliance team) can request one by emailing hello@hcoms.co.uk. We will return a signed copy within 10 working days in most cases.
Hayes Computing Solutions Ltd, trading as HCOMS · Registered in England, company no. 04254140 · ICO-registered data controller · 31 Gt. Melton Road, Hethersett, Norwich, Norfolk NR9 3AB · hello@hcoms.co.uk