We have all policies


CLOUDTHING LIMITED is incorporated and registered in England and Wales with company number 07510381, and its registered office is at Galtons Mill, Galtons Lane, Belbroughton, Stourbridge, West Midlands, DY9 9TS. cloudThing is a software developer offering a range of IT support services with a variety of contracts and terms, depending on the customer need.

When a potential customer engages us through a third-party marketplace, we will provide the relevant terms and conditions depending on the service. The customer will then be given time to review and accept these terms before the service commences. Should you wish to review the terms in advance, please contact info@cloudthing.com detailing the service you require terms for.

All messages sent from CloudThing should be considered confidential, privileged and for the exclusive use of their intended recipients. If you received this message by mistake please inform us as soon as possible and delete it from your system; you may not copy this message or disclose its contents to anyone.

The integrity and security of this message cannot be guaranteed on the internet. The views, opinions, conclusions and other information expressed within this email may not necessarily represent the views or policies of CloudThing, unless explicitly stated.


At cloudThing, we have always believed in and honoured the right to data privacy and protection for all individuals that we hold data for, and championed the same position with our customers, as a part of trying to set the highest ethical benchmark in everything we do. Over the years, we’ve also demonstrated our commitment to data privacy and protection by meeting industry standards for information security such as ISO 27001 and Cyber Essentials. We already have many Data Processing Agreements in place, and we are revising them further to meet the requirements of the GDPR, recognising that the new regulation will help us implement the highest standards in protecting personal data.

As we care deeply about transparency, in addition to our Privacy Policy we think it’s important that we clearly state the controls we have in place to ensure that we treat all personal data with the respect that it deserves, presenting an opportunity for our customers to challenge our approach in the interest of collective, continual, improvement.

How we Comply

cloudThing has incorporated deep best-practice and all required privacy protection regulations (including the GDPR) as part of its standard business processes, managed via our Governance Team. This includes integration throughout our ISO 9001:2015 accredited framework for quality and our ISO 27001:2017 accredited framework for information security, independently assessed at least annually.

Organisational Controls

  • We maintain a detailed data inventory using our complyThing product to track data sets, data owners, applications, locations, implemented controls and to maintain a record of processing activities.
  • We have appointed a Chief Data Protection and Privacy Officer (DPPO) and a DPPO in any country in which we operate an office, details of whom can be found in our Privacy Policy.
  • We publish a privacy notice, providing clear information for cloudThing staff, current customers and prospective customers regarding what data we gather, what we will use it for and how data subjects can exercise their rights, and including contact details for cloudThing's DPPO and the ICO.
  • We conduct information audits to ensure that all personal data we hold is tracked to maintain the adequacy, security, accuracy and integrity of data.
  • We have a clearly defined Data Retention & Disposal Policy which (in combination with our Data Inventory) defines the retention period, review schedule and method of disposal, to ensure that data we hold is kept only as long as necessary and destroyed appropriately.
  • We have a clearly defined Data Breach & Reporting Policy which documents data breach escalation and reporting processes.
  • We maintain a Subject Request Protocol which explains how data subjects can exercise their rights under privacy laws, and use our complyThing product to expedite data subject requests.
  • We maintain clear version control for all internal documentation and audit trails of all communication sent or received to or from individuals, demonstrating accountability.
  • We have an extensive Business Continuity Plan in place which is tested at scheduled intervals to ensure that in the event of extended service outages caused by factors beyond our control (e.g. natural disasters), we can restore services to the widest extent possible in a minimum time frame.
  • We conduct supplier assessments in line with our Purchasing Policy before a supplier is approved. This assessment helps to ensure that the supplier has robust controls in place to ensure the security of data shared with them. Where required, we implement Data Sharing Agreements with our suppliers.
  • We have implemented a Corporate Binding agreement between our offices in the UK and our wholly owned subsidiary in India, to ensure all data is processed and managed securely and in-line with the requirements of privacy regulation – data will still only be transferred to India with explicit customer consent.
  • Prior to processing any data, be it internal or on behalf of our customers, we ensure that all data is privacy screened.
  • Where appropriate, we conduct Data Protection Impact Assessments (DPIAs) for data processing operations that involve a high risk to the rights and freedoms of data subjects to determine the appropriate measures to be taken to minimise, or eliminate, the risks.
  • If we identify any high-risk processing for which effective controls cannot be designed, we escalate this to the ICO before proceeding.
  • For customers with which we are engaged, we operate using Service Level Agreements (SLAs), clearly defining our and our customer's responsibility to manage and process data in-line with privacy regulations.
  • We have a dedicated Secure-DevOps team who are all trained in privacy and security management best practices, providing on-going guidance internally and to our customers.
  • We are committed to continuous improvement and subject every part of our business to an internal audit, at least annually.
  • Our services are not aimed at children. In the event that we receive an enquiry from children through our website, we do not process data in a way that should put them at risk.

Human Resource Controls

  • We perform Pre-Employment Vetting and Screening checks to verify that our employees are suitable to work for us and that the data they provide about themselves is accurate, ensuring that the safety and security of existing staff, services and end-users is maintained.
  • Our employment contracts include data protection clauses for all staff ensuring compliance with applicable laws, regulations, and procedures.
  • We deliver regular training sessions for our employees, including for relevant data protection regulations. Regular communication is sent to our employees to raise awareness and ensure implementation of data security controls and processes in daily operations. Training sessions are recorded for playback and attendance is tracked in our training log.
  • We conduct regular tests and assessments for all employees to ensure a high level of competency, knowledge, and understanding of relevant data protection regulations, their responsibilities and the controls we have in place to protect personal information.
  • We gather digital signatures from all employees annually on an adherence register, confirming their understanding of all our management systems and underwriting their responsibility to ensure the organisation's and their personal compliance.
  • We annually review cloudThing staff data to ensure that the data we hold about them is accurate and up to date. All employees have access to self-service tools where the relevant information can be updated/corrected. All employees are responsible for ensuring that information we hold about them is accurate and up to date.

Technical Controls

  • We operate as an organisation using a set of Architectural Principles, which mandate an array of good practices such as Privacy by Design, Secure by Design and Defence in Depth.
  • We design and build software and services in-line with a detailed Secure System Engineering Policy, which is regularly updated, to ensure strict security controls are in place including (but not limited to) continuous monitoring of environments, regular vulnerability scanning, penetration testing, weekly reviews of infrastructure and key storage abstraction, to identify threats and malicious unauthorised activity.
  • We enforce that all devices (physical or virtual) and methods of communication that store and/or transfer data are encrypted, in-line with good industry practice.
  • We follow a robust set of policies directed by our Information Security Management System, including (but not limited to):
      • an Access Control Policy to mandate Role Based Access Control and the Principle of Least Privilege for user/system access
      • a Remote Access Policy designed to minimise the potential exposure to unauthorised use of our systems and data from remote locations
      • a Password Policy to ensure a strict standard for the creation of strong passwords, the protection of those passwords, and the frequency of change
      • a Removable Media Policy forbidding use in nearly all situations and to minimise the risk of loss or exposure of sensitive information in relation to portable storage
      • an Information Transfer Policy mandating minimum requirements to ensure that the transfer of data is performed in a way that adequately protects it
      • a Data Security Policy to ensure we protect restricted, confidential or sensitive data from loss or corruption
      • a Mobile Device & Teleworking Policy to ensure that data used on our mobile device estate is robustly protected, even when devices are lost or stolen
      • a Bring Your Own Device Policy mandating controls around any device which is used to access our employee tools that isn’t issued by us
      • a Key Management System Policy which mandates controls and processes for key strength, rotation management and defining how credentials are stored and processed
      • a Clear Desk and Clear Screen Policy to establish the minimum requirements for ensuring data is not inadvertently shared within the office
  • We utilise best-of-breed device management tooling to provide near-real-time security insight across our estate.
  • We conduct regular backups to enable data recovery in case of accidental loss or malicious attacks on internal or customer data, in-line with agreed Service Level Agreements.


This Privacy Notice sets out how we use and protect any information that you give us or that is collected when using this website. Data privacy is important to us: we are committed to ensuring that your privacy is protected, and we are transparent with our users about data privacy. Should we ask you to provide information by which you can be identified, then you can be assured that it will only be used in accordance with this Privacy Notice, we will never sell it to third parties and we will always make sure it’s secure. We may need to change this policy from time to time by updating this page, but we will always let you know.

The prime purpose of collecting your data is to enable us to deliver appropriate, quality services to you. This Privacy Notice explains what personal information we collect from you and how we will use it. Personal information is any information that can be used to identify you or that we can link to you.

What data do we collect?

We only collect information you voluntarily provide to us when you want to enquire about our services, you become a customer of the services we provide, or you contact our support department (DevOps) for assistance.

We may collect the following information:

  • Your name, job title and company name
  • Contact information, including phone numbers and email addresses
  • Preferences and interests
  • Other information relevant to customer surveys and/or offers

What are the legitimate grounds for us to process your personal data?

We need your information to provide our services to you. The legal basis we rely on is:

  • To fulfil our legal and contractual obligations to manage the products and services you hold with us and to provide you with information about the changes and updates to our products and services, governance framework, and to keep a record of the communication we have with you.
  • To manage activities including enquiries, providing information about our products and services, administration/management for the products and services you have expressed interest in with your consent, or explicit consent for direct marketing purposes.

What is the source of your personal information?

  • For Enquiries: We collect personal information from you directly including the products/services you may be interested in. This information is only processed in relation to the services you are enquiring about or have subscribed to receive information about.
  • For Customers: We collect personal information from you directly to maintain communication with you about the services we provide and facilitate service delivery. This may include providing access to our software delivery tooling services, account management or commercial activities.

Controlling your personal information

We want you to be in control of how your personal information is used by us. You can control this in the following ways:

  • You can withdraw your consent where we are relying upon it to process personal data for direct marketing purposes, to send you information about our services and products.
  • You can inform us if you believe that any information we are holding about you is incorrect or incomplete and we will promptly correct any found to be incorrect.
  • You can ask us for a copy of the personal information we hold about you.
  • In certain situations, you can ask us to erase, block or restrict the personal information we hold about you, or object to ways in which we are using your personal information.
  • In certain situations, you may have rights to data portability and you can ask us to transfer your data to a third party.
  • You can ask us what data is processed and how the data is processed, request the restriction of your data for processing, or object to the processing of your data.

You can make a request in relation to your data by sending us an email to subjectrequests@cloudthing.com or you can write to us at:

Galtons Mill
United Kingdom

If we are not able to restrict, delete or cease to process your data due to our legal or contractual obligations, we will let you know.

How do we use the information we gather?

cloudThing uses the data we collect to provide you with the products and services we offer, and for the following reasons:

  • To respond to enquiries: we may need to communicate with you regarding enquiries about our services.
  • To provide our services: we may need to communicate with you about the services we deliver to you including facilitating support requests.
  • To improve our products and services: feedback may be used to develop and improve the services we offer.
  • To tell you about products and services: if you have given permission, we may periodically send promotional emails about new products, special offers or other information which we think you may find interesting. You may rescind permission at any time.
  • Research: if you have given permission, we may also use your information to contact you for market research purposes. You may rescind permission at any time.
  • For compliance: we may need to keep records and report in order to fulfil compliance obligations in line with relevant legal and regulatory requirements.

What do we do with your personal information?

  • We will retain your personal data in-line with our Data Retention and Disposal Policy (which is available upon request).
  • We will not sell or lease your personal information to third parties.
  • We do not use automated decision-making or profiling for marketing purposes.
  • We do not transfer personal data outside the EU. However, if you are an existing customer and there is a requirement to transfer personal data to our subsidiary in India, we will only proceed if we have an agreement in place with you to do so.
  • If in the future we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information including your rights and choices.


Contacting cloudThing’s Data Protection and Privacy Officer

Our Chief Data Privacy and Protection Officer is Gareth Porter. You can contact him by emailing subjectrequest@cloudthing.com or via snail mail at our address listed above.


If you have a request or question about privacy and we are unable to resolve your issue, you can contact the Information Commissioner’s Office at casework@ico.org.uk or

Wycliffe House
Water Lane

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website experience. We only use this information for statistical analysis purposes and then the data is removed from the system. Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over the third-party website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Notice. You should exercise caution and look at the Privacy Notice applicable to the website in question.



© 2019 Copyright cloudThing ltd. All rights reserved. Company registered in England & Wales no. 7510381, VAT no. 152340739