privacy-icon

You trust us to encrypt your data.
That’s why we treat it like our own.

We believe in real transparency and will always tell you how we protect your most valuable asset.

 

  • Privacy

    Privacy Statement


    Updated on 9 April 2018.


    Overview

    Our privacy policy is simple; what is yours, remains yours. We operate our business and services in line with the principle of ‘data minimisation.’ Simply put, we believe that the less we know about you, the better.

    Who we are

    Nimbox Ltd. is a private limited company that is registered in England, with company number 08280927, and we conduct our business at The Waterscape, Leeds, LS5 3EG. Our business is to provide you with secure online collaboration and file storage services.

    Who you are

    Customer

    Unless otherwise noted, we refer to you, the Customer, as an owner or administrator of an Organisation, whether you are a legal or natural person.

    Customer’s end users

    If you are not the owner or administrator of an Organisation, your use of Nimbox Vault may be subject to your organisation’s privacy policy or practices, if any. End users of an account transfer some of the rights described here to the account owners.

    Information we keep

    We store and process three types of Customer Information: Secure Customer Data, Account Data, and Support Data. We store and process this information in order to deliver our services to our Customers. We treat each of these data equally, but there are some important technical and usage differences to note.

    Secure Customer Data

    This data is the content that you upload to Vault. It is held on our platform in an encrypted state, and we cannot decrypt this data. Your Secure Customer Data is your property. We claim no rights to it beyond those necessary to deliver our services to you. You may add, modify, and delete Secure Data at your discretion. If you do not have a Vault account, you cannot provide us with this data. You can read more about how we secure this data, here.

    Account Data

    To provide you with our services, we must collect, store, and process limited Account Data. This data includes your full name, email address, telephone number, and billing details. This data is never used for any other purpose.

    Support Data

    To ensure that you have a trouble-free experience whilst using Vault, we collect, store, and process Support Data. This data includes server logs, client IP addresses, number of items stored in Vault, company name, and Guest email addresses.

    We retain the right to store and process Support Data to provide our services effectively, troubleshoot problems, analyse the performance and demands on our services.

    We may, from time to time, ask you to submit other data that is not automatically collected, as part of a support ticket that you raise. You are never obliged to submit this other data, but it will severely hamper our ability to help you, if you don’t. This data can include client logs, screenshots, information about your devices and operating environment, and personally identifying information. We will never ask you for your password.

    Data Location and Transfer

    Secure Customer Data

    This data is stored and processed on servers located within the European Union, specifically the United Kingdom, and in the event of a service failover, from either Germany or Canada. The European Union recognises Canada as a destination country with an “adequate level of protection” for data privacy of individuals.

    Account Data

    This data is stored with, and processed by, our internal billing system, as well as our payment provider (GoCardless), and our financial management system (Xero). This data includes full names, email addresses, and payment details.

    Support Data

    Our ticketing system is hosted in the United States of America, by Groove. Any information you choose send us through email and our customer support system may pass through and be stored on a variety of intermediate services, including Amazon Web Services. If you wish, you may encrypt email to us using our PGP public key.

    Securing your data

    We understand that we have a duty to protect the information that you trust us to store. We have produced a comprehensive guide to how we secure your information, here.

    Your rights

    You have a right to know what data we hold about you, and to see how that data is collected, stored, and processed. You may ask to receive a screenshot of dat that we hold on you in our back-office systems. You may also ask us to update information about you that is incorrect. However, these requests must come from an authenticated email address, as described in the ‘Your responsibilities’ section, below.

    As Nimbox is merely a custodian of your data, we never delete your information without your consent, or a contractual obligation [sub agreement], such as when you cancel your Vault subscription.

    Our disaster recovery and availability arrangements mean that we have a legitimate interest in maintaining immutable backups of certain Customer Information. Erasure requests will leave those backups intact. However, we will remove that data if legally compelled to, and if the technical means exists.

    Your Responsibilities

    Whilst we employ extensive security and process measures to protect your account, it can only ever be as strong as your Password and Backup Key (generated as part of the two-factor authentication setup). You have a responsibility to protect your Password and Backup Key from unauthorised access.

    It is extremely important that you understand that anyone with access to your Password or Backup Key can access your Secure Customer Data. It is equally important that you keep a copy of your password in a safe place, because future access to your data depends on having access to your Password and Backup Key. We will never ask you for your Password or Backup Key, and you should never send either to us.

    We recommend using a password manager, and two-factor authentication, to protect your Vault password.

    Due to the ‘privacy-by-design’ nature of our service, and the sensitivity of the data that you trust us to store, we cannot help you with certain support request, unless you are an account owner, and are contacting us from the email address on your Vault account. In the event that you change your email address, you must ensure it is updated on your Vault account. We do not accept unauthenticated support requests made via telephone.

    Cookies and Tracking

    Nimbox does not engage in any form of cross-service tracking. We do use cookies (small text files placed on your device for a limited time) on domains that we control. The cookies allow us to provide our service effectively. We also use ‘user analytics’ software to track how you interact with our service and marketing website. This software is provided by Google, but doesn’t collect or store any personal information. You may disable cookies in your browser without any impact to your use of our services.

    Some client applications, such as web browsers, may store information about your account (such as form autofill). We recommend that you do not allow your web browser to store this information.

    Contacting you

    We may use your contact information (email address, telephone number) to communicate with you about your use of the service, to provide support, and to send you other service-related information. You may choose to stop receiving communications from us, except certain important notifications such as billing and account security alerts.

    Data Portability

    We work very hard to make our customers happy, but we realise that sometimes relationships come to an end. We do not lock you in to our service, or lock you out of your data. That said, we are unable to decrypt your Secure Customer Data, so you will need your Password or Backup Key to access it.

    You may download your Secure Customer Data at any point, during the course of your active subscription.

    Breach notification

    If we discover a breach of Customer Information, we shall inform our regulator (the Information Commissioner) within 72 hours of the discovery, and our Customers within 7 days. Notification to users may be sent via email, postal mail, for telephone.

    Disclosure

    We comply with legal requests that are in the letter and spirit of the law, in the jurisdictions where we must. We have written about this, here.

    Updates to our Privacy Statement

    We may update this Privacy Statement from time-to-time, and publish those changes on this page, with the data of last revision.

    Contacting us

    If you feel that your privacy or security has been compromised, let us know, and we’ll work with you to make it right.

    If, for any reason, you feel that we haven’t made it right, you may contact our supervisory authority, the Information Commissioner’s Office.

  • Compliance

    Compliance

    Nimbox exists to secure your data and, as you would expect, we’re compliant with some of the most stringent regulatory standards in the world.

    We operate our infrastructure exclusively in ISO27001:2013 certified data centres, and your service is provisioned and maintained by an ISO27001:2013 certified team.

    Our service and software is fully compliant with HMG’s Cloud Security Principles, and aligned with CESG’s Good Practice Guides. We have built our service around the technical and policy controls that are suggested by these programmes. As such, our service can host information that is classified up to OFFICIAL under the UK Government Protective Marking Scheme.

    By hosting on infrastructure that we control, we ensure that data is stored in named locations in the United Kingdom, and that it will never reside outside of her sovereign borders.

    ISO27001:2013

    Our data centres, and technical service provision team, all hold current ISO27001:2013 certifications. As part of this, we operate a robust Information Security Management System, which helps us to appreciate, and mitigate technical risk at every level of our organisation.

    Cyber Essentials

    We hold a Certificate of Assurance that testifies to our compliance with the requirements of the UK Government Cyber Essentials Scheme. You may view our certificate here.

    Crown Commercial Service Supplier

    We’re listed in the Digital Marketplace, and hold a current Crown Commercial Services Framework Agreement (G-Cloud 9), covering government procurement of our services. You may view our listing here.

    Solicitors Regulation Authority

    Our service is fully compliant with the SRA’s Code of Conduct. You may download our CoC fact sheet here.

    Insurance

    We’re insured by Hiscox Insurance Company for the following business activities:

    • Public and Products Liability; £1,000,000
    • Professional Indemnity; £5,000,000
    • Employers’ Liability; £10,000,000
  • Legal Requests

    Legal requests

    Nimbox’s founders have over 40 years of data hosting and information security experience. We have learned a lot over this time. We are transparent about what we can and cannot protect. We think it’s important that our customers know how Nimbox responds to government demands for user data. It’s important for law enforcement organisations to know this, too.

    We are a law-abiding company, and as such we comply with legal requests that are in the letter and spirit of the law, in the jurisdictions where we must. Presently, this would be those authorised by the Courts of England and Wales.

    We have designed our services to hold a minimal amount of information, such that any legal disclosure we must make reveals only a small amount of personal information, as set out in our Privacy Statement. We do not hold the encryption keys to your data, and are unable to decrypt your files under any circumstances. Against this backdrop, we must and will comply with binding legal requests for data.

    Before we release any information to law enforcement or other agencies, we, and our council, will evaluate the request to ensure it complies with the letter and spirit of the law. Like our fellow privacy-first companies, and when possible, we will notify affected users to give you a chance to object to the disclosure.

    Submitting a request

    If you are a law enforcement or other agency, and wish to serve a warrant or other legal request for user data, you may write to us at:

    Disclosure Team,
    Nimbox,
    The Waterscape,
    Leeds,
    LS5 3EG

lightbulb-icon

Additional documentation

Service Overview PDF

Get started for just £10 a month Grab your free premium trial

Hey! Have some questions about how we keep your data private, whilst staying compliant? Ask us :-)