Data Statement

Here at esphr we take our legal responsibilities and duty of care to you as a customer very seriously. For some considerable time, we have been working hard behind the scenes to ensure we fulfil our obligations as a ‘data processor’ of key customer data under the introduction of the Data Protection Act 2018 (and therefore the EU’s General Data Protection Regulation (GDPR)) on 25 May 2018. Additionally, we are placing as much emphasis on fully meeting our ‘data controller’ obligations relating to the handling of our own employees’ personal data.

In May 2017, we started work to identify what overall actions needed to be taken, and prioritised these into a detailed implementation plan. As you would expect, esphr already complied with existing Data Protection laws but we recognised the need to enhance some components to meet the requirements of the Data Protection Act 2018 (and, therefore, all GDPR and key customer requirements).

So, since that time, what work streams have been completed to ensure key compliance with the requirements of the Data Protection Act 2018?

1. Personal information data audit incorporating key customer data

We undertook a comprehensive data audit identifying all of the systems that store and process personal data. Copies of this audit available should you wish to see it. We have always had a comprehensive and detailed understanding of what data we store, and our existing Data Protection policies and procedures provided a robust platform from which to undertake our latest audit. This has allowed us to really focus on the new requirements of the Data Protection Act 2018 (and, therefore, all GDPR requirements and responsibilities).

2. Customer Service Agreements

Our Customer Service Agreement (CSA) has been being updated to incorporate all Data Protection Act 2018 (and, therefore, GDPR) requirements, and all existing customers have been sent updated terms and conditions complying with these new requirements (unless, of course, we have already agreed to your own GDPR wording), which clearly outlines both of our responsibilities in relation to the personal data we process for each other.

3. Supplier Agreements

All our existing Supplier Agreements have been updated to incorporate all Data Protection Act 2018 (and, therefore, GDPR) requirements and all suppliers have been requested to sign a specific addendum to the existing agreements, which clearly outline both of our responsibilities in relation to the personal data we both process for each other.

4. Employee Data

We have issued a firm wide employee information note that clearly communicates to all of our existing employees how we process their personal data. We will also ensure all existing employees have a detailed and clear understanding as to our responsibilities in relation to the personal data we hold and how we store, process and use this data (see ESP Staff Training and Development below).

5. ESP Staff Training and Development

We are running tailor-made Data Protection Act 2018/GDPR training courses to raise awareness among esphr’s staff about the impact of the legislation on our business and the specific role they undertake within esphr. Our staff, as part of their employment induction, read and accept our Data Protection Policy to ensure a consistent level of understanding of data privacy and protection across the business. We also operate a transparent, no-blame, culture where any member of staff can raise any concerns they may have, ensuring that esphr is always doing the right thing. Additionally, all employees will have to undertake compulsory Security Awareness Training online that focuses on, amongst other subjects, email scams and phishing.

6. Internal Policy and Procedures

Our existing policies and procedures (including a new, comprehensive Data Protection Policy) have been reviewed and updated by our external legal advisors. These policies are now enshrined into our Employee Handbook and elsewhere (where relevant). Where appropriate, these documents are available to view on the esphr website and will be provided to anyone upon request.

7. Data and online security enhancements

Hardware provider and data centres

We partner with DigitalOcean in the UK. They have some great customers – the likes of HP, Salesforce and Xerox, as well as thousands of medium sized and smaller businesses.

They have 12 data centres across the globe, customers in 195 countries and 78 million active server instances. Customers enjoy a 99.99% uptime SLA, and 40GbE – the best-in-class network connectivity for speed and throughput.

The esphr websites, applications and databases are hosted in their London data centre ( which is used by large online businesses like Box, Priceline, Foursquare and trivago. It is fully accredited to ISO 27001, the international standard that describes best practice for an ISMS (information security management system). Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether data is adequately protected.

The data centre is also Payment Card Industry Data Security Standards (PCI-DSS) compliant – although our specific application does not handle or store financial details.

Network, backup and email

Connection to our servers is solely via SSH (secure shell) using public and private keys to prevent unauthorised access, and data moving to and from the servers is fully encrypted.

Application email communication is securely handled by a trusted partner – SendGrid – an industry standard mail delivery and tracking platform used by the likes of Uber, Spotify and AirBnB.

Data and site content/files are securely backed up daily via SSH to the Amazon S3 storage service based in the EU region to comply with EU data protection laws. Even if our production hardware failed catastrophically, we could be up and running again within a few hours.

All front end web pages are secured with an SSL certificate (https://) to ensure data cannot be intercepted by a third party.

Application and data security

Our case management stand-alone application (where we store sensitive customer employee data) takes advantage of the following security features:

  • User account details and passwords are independent of the core esphr application.
  • All user passwords are one way hashed using up to date encryption methods with random salt.
  • Sensitive portions of the database are fully encrypted (using AES encryption).
  • SSL encryption of web pages and API/JSON calls.
  • Forced password update (6 monthly) with strength criteria (at least 8 characters, one number, one uppercase) on both the core (esphr) application and the Call Reporting application.
  • All inactive archived matters (and supporting notes) are automatically deleted after 7 years of their archived date.
  • Most recent Ubuntu 20.04.3 LTS (Long term support) version of the Ubuntu operating system – with security patching and support guaranteed until April 2021.
  • PHP 8.0.x – the most recent major version release.
  • MySQL 8.0.x – the most recent stable release.
  • 2 Factor authentication mandatory for all users, securing the login with SMS/email security codes.
  • Server security hardening including 
    • disabed root a/c, 
    • log in only by SSH private key, 
    • unattended security upgrades, 
    • Firewall blocking all ports except 80, 443, 22
  • Recent penetration tests performed by a 3rd party.

8. 24/7 server, application and database performance monitoring and Data Breach Response

We use a combination of applications and services to constantly monitor the overall performance of many system metrics that may alert us to technical issues, or suspicious activity. Should anything be operating outside predetermined ranges we are alerted within seconds via email and SMS - and can investigate immediately.

Core Server Hardware Monitoring is handled by our host (Digital Ocean) and tracks CPU, bandwidth I/O, disk read/write, memory utilisation, and disk utilisation.

Uptime Monitoring is conducted from over 70 locations worldwide on the network and allows root cause analysis to identify issues and help prevent recurrence of problems.

Page Speed Monitoring is again managed by and lets us forensically examine each page load, and visualise performance to identify bottlenecks and ensure our applications are as optimised as possible.

Visitor Insights (RUM - Real User Monitoring) lets us actively monitor user experience and analyse site performance in real-time. We can see visitor sessions broken down by OS, browser, platform and geography.

Finally, we also use’s Server Monitor service with a number of plugins to really get into the fine detail of the application’s performance. We monitor Apache load, MySQL connections and operations, network connections and error log tracking.

Pingdom is used by organisations like Shopify, Mailchimp, Buzzfeed, Salesforce and Netflix.

If we become aware of a data breach we would assess its severity and possible effects and follow the advice provided to us by our professional advisors and the guidelines outlined by ICO (the Information Commissioner’s Office). Depending on the circumstances of the breach this may cover:

  • Informing ICO within 72 hours of becoming aware of the essential facts of the breach.
  • Notifying individuals if the breach is likely to adversely affect their personal data or privacy, or result in a high risk to their rights and freedoms. Sensitive data in our database is demonstrably encrypted so this would unlikely be the case.
  • Completing a Breach Log / Incident Form that documents the facts surrounding the breach, the effects and remedial action taken.

9. Marketing communications

All marketing, communication and promotional activities have been reviewed to ensure full compliance with the new requirements. In particular, we are ensuring that all business data continues to be sourced from suppliers that sign key indemnities and warranties with us that they are fully complying with the requirements of the Data Protection Act 2018. As we work with leading HR industry publishers (E.G. HR Magazine) and have done so for some time, we are already well placed in this regard. We will also, of course, continue to allow all subscribers to our communications the option to unsubscribe from our communications and also alter the way in which we communicate with them.

10. Ongoing monitoring

Ongoing monitoring and enforcement is vital, and we already have a Data Protection Officer in place, despite the fact that we are not legally required to do so. This is part of our drive to ensure that we remain compliant with the letter, the spirit, and best practice in respect of the requirements of the Data Protection Act 2018 and all GDPR responsibilities.

11. Changes to our online employment law resources accessed by customers from our web portal

Our legal team have been working hard with our external compliance advisors to ensure that all of our employment law online resources have been updated and are available for review and download by all customers, well in advance of the 25th May. These resources were uploaded on to our web portal early February, as part of our monthly updating process. These will be reviewed and updated on a pro-active basis to ensure they are in line with the law and best practice as it changes over time.

A webinar was also undertaken on Tuesday 13th February to explain these changes in detail and the wider ramifications of the Data Protection Act 2018/GDPR from an employment law and HR perspective. A video of the webinar is available on the Customer Zone. Please do contact your normal legal advisors for more information if needed.


You will notice greater transparency about the way we fulfil our contract obligations as a processor through open publication of our Data Protection policies and new customer and supplier agreements. We will share our Data Protection policy on our website, which will govern the way in which we fulfil our responsibilities as a processor in March and April. Along with this communication, it will allow you to evaluate the measures we have taken to comply with all requirements of the Data Protection Act 2018 and GDPR requirements when processing personal data on your behalf when using our services.

Peter Byrne, CEO, assures customers: “Our dedicated project team have worked diligently to address our Data Protection and GDPR obligations in line with the new regulations and we will continue to ensure this responsibility is a core and key ongoing focus for our business and our customers. We hope that you can see from the above detailed activity report and update that we are have made significant progress along our own Data Protection/GDPR compliance journey. We hope you have too.

We are open to any questions or requests by customers, so please get in touch if you’d like more information.”

If you have a query about esphr’s GDPR compliance, please contact us on or call 0333 006 2929.