Data Protection Policy
1. Commitment and Regulatory Framework
SCS Hosts is committed to handling personal data lawfully, fairly, and securely. We operate in line with UK GDPR and the Data Protection Act 2018. The Information Commissioner's Office (ICO) is the UK data protection regulator.
2. Roles and Responsibilities
For customer account, billing, and domain service administration records, SCS Hosts acts as a Data Controller. This means we decide the purposes and means of processing for those records.
In some service arrangements, we may process personal data on behalf of a customer acting as controller. In those cases, we act as a processor and follow the customer's documented instructions under applicable contract terms.
3. Data Protection Principles
We apply the UK GDPR principles in practical, plain-English terms:
- Lawfulness, fairness, and transparency: we explain what we do with personal data and rely on valid legal bases.
- Purpose limitation: we use personal data only for clear, legitimate service and compliance purposes.
- Data minimisation: we collect only what is reasonably necessary.
- Accuracy: we maintain processes to keep records up to date.
- Storage limitation: we do not keep personal data longer than needed.
- Integrity and confidentiality: we protect personal data against unauthorised access, loss, or misuse.
- Accountability: we document and review our data protection decisions and controls.
4. Operational Controls
- Role-based access controls and least-privilege access.
- Multi-factor authentication where feasible and proportionate.
- Security logging and auditing to support monitoring and investigations.
- Vendor due diligence and contractual data protection terms for relevant suppliers.
- Confidentiality obligations for any authorised personnel or contractors.
5. DPIAs and Risk Assessment
Where processing could present a higher risk to individuals, we carry out data protection impact assessments (DPIAs) or equivalent risk assessments and, where appropriate, document mitigations before proceeding.
6. Incident Management
We maintain an incident response process for suspected or confirmed personal data incidents. Where legally required, we notify affected parties and/or the ICO without undue delay.
7. Training and Awareness
We maintain data protection awareness through periodic policy review, practical security measures, and role-appropriate guidance for authorised personnel and contractors.
8. Review and Governance
This policy is reviewed at least annually, and sooner where there is a material legal, operational, or service change.