We consider your personal information to include:
It does not include information you have made public, such as any posts you may make to our public mailing lists, forums, etc.
Data you store or transmit through your service with us, such as your filesystem data and network traffic, is not covered by the Data Protection Act since it is not information about you stored and processed by us. We detail our policies on this separately, below.
BitFolk takes your privacy very seriously. When you provide us with your personal information, you agree that we may use it:
If you believe we hold personal information about you and wish to have a copy of it, we can provide this to you on payment of a £10 administration fee. The request must be made in writing to us at:
The Data Controller
21 Trevithick Close
Your personal information is confidential. We will only disclose it outside of BITFOLK LIMITED when:
Where legally possible, we will inform you if we are compelled to disclose your personal information.
Active account names and levels of CPU/network usage are currently exposed in the public Cacti interface because public access to performance figures is operationally useful and consultation has shown this to not be of concern. If you do not wish this data to be publicly visible then it can be removed on a case-by-case basis.
If you nominate an existing customer as a referrer then you give consent for some details regarding your account with us to be disclosed to your referrer. You can find full information about this in our referral scheme. If you would prefer that these details were not disclosed, do not nominate a referrer.
Assuming your account is up to date, we will keep the personal information of former customers on file no longer than one year from when their service was last active. In the event that we may have a need to chase unpaid bills, we will keep former customer details on file for up to six years from the due date of the latest invoice.
Your personal information is currently stored in the UK, but we reserve the right to transfer it to other countries if necessary. Some countries do not have the same standard of data protection laws as the UK, however, we will always ensure that there are agreements in place to maintain our obligations under the Data Protection Act.
Data associated with your service such as your filesystem contents and network traffic is not covered by the Data Protection Act because it is not collected, stored and processed by us for our purposes. However, we do of course consider it to be confidential. This means that we do not observe or share your data unless operationally required.
We can't explicitly list every operational situation which will require us to gain access to your data; something new may always come along. In general we will always try to ask for permission first. The following is a non-exhaustive list of situations in which we know we will need some level of access to your data, and may not be able to ask permission first:
Your levels of network traffic, CPU usage and disk activity are automatically measured for operational and billing purposes.
Your outgoing network traffic is automatically sniffed for port 22 TCP SYN packets in order to automatically detect SSH dictionary attack activity. Time, source IP, source port and destination IP are stored. It isn't reviewed by a human unless an alert fires.
If there is any sort of abuse report or indication of possible abusive activity, a problem with your service or any other sort of operational need, then we may need to sniff your traffic to diagnose the situation. If possible we will ask for permission first, but this is not always possible (e.g. one of our customers being the source of a network attack in the middle of the night). In these situations, we do our best to only look for the information we require.
Any information stored is deleted once the problem is resolved.
If your service is using an abnormal amount of resources then we may look at the console of your VPS to see if it has crashed, in which case we may see part of whatever has been printed there. We can't ask for permission before doing this.
Your data may be automatically accessed for backup purposes and moved between hosts as required. If you make use of the backup service then it will be duplicated one or more times for this purpose. We will keep the data of former customers in good standing for at least three months but for no longer than one year. Former customers in good standing may request their data to be deleted immediately. Backups will always be deleted as soon as you are no longer a customer.
If your service has been (or we deem it likely to have been) compromised and abusive behaviour has been detected, our first step will be to prevent abusive behaviour from leaving your virtual machine. This is usually accomplished by turning off your network access or applying firewalling. We then expect you to work out what has gone wrong.
If you are unable or unwilling to work out what has gone wrong, then we have to make a judgement call between examining the situation ourselves or terminating your service. There is little point in us setting up a new service for you if we don't know how it got compromised; it will just happen again.
If we decided to investigate the matter for you then we would ask for permission to look through your data to do this.
Your data is confidential. We will not disclose your data outside of BITFOLK LIMITED unless:
Where legally possible we will inform you if we are compelled to disclose your data.
Those are our policies, but in terms of what it is possible to access, you should consider that all of your data is potentially accessible to anyone with root access on the hardware they are hosted on. The block devices can be directly read, even encrypted block devices can have their keys read out of computer memory. It is important for you to consider if it's appropriate for you to store your data on someone else's hardware.