How is CyberHour Getting Ready for the GDPR?

CyberHour (Administrator, Staff member) - #1
These days we are receiving a lot of questions from clients asking if CyberHour will be GDPR-compliant. With this forum post, we would like to clarify what we have been doing and share our knowledge about becoming GDPR-compliant, both as a way to notify you what you can expect from us in the next days, before May 25, 2018, and as a way to help you prepare for the GDPR yourselves.

The usage of our personal private data by big companies is without a doubt the hottest topic right now, and we don’t think virtually anyone doubts the importance of regulations to protect against abuse and enhance the security of that personal data. The European General Data Protection Regulation (GDPR), which will take effect on May 25, 2018, is making an effort to do exactly that: regulate how personal data of individuals in EU territory gets collected and used. It defines what personal data is (literally every little thing: name, email, username, address, phone number, financial data, age, behavioural data and more) and obliges everyone who collects and processes such data of EU individuals, no matter where that company or person is located around the world, to act in accordance with this regulation.

CyberHour started the process of becoming GDPR-compliant about two years ago and we completely look forward to it being enforced. We think the GDPR is good for users and good for the overall security of the Internet, and we have always been acting in line with its main principles. Now our end goal is to review and make public these internal rules, and also make sure we apply the letter and the spirit of the GDPR to all our clients, no matter if you are an EU resident or a resident of another country.

GDPR Allows Users To Stay Informed And Gives Them Control Over Their Personal Data

The GDPR is a fantastic thing when you look at it from the viewpoint of the users. When a user registers for a paid or free service, for an app, etc., and provides their personal data, the service provider has to notify them clearly how their personal data will be used well before they complete the registration. Regardless of whether that use is for profiling and marketing, or if there is a possibility of the data being sold or transferred to third parties, it has to be clearly stated upfront. Users will have the ability to say NO to certain types of usage and will have to give consent (opt in) to the Terms of Service and Privacy Policy of the provider, thus making an informed choice. So, big win for the users: more control over their data, less invasion of their privacy, less spam and less intrusive advertising overall!

The Hard Bureaucracy Around The GDPR

The GDPR by design has been aiming to regulate the activities of big companies like Google and Facebook that process insane amounts of personal data and use it to generate significant gains, but at the end of the day it affects everyone: every small business that works with any personal data. Even if a company uses data in a completely legitimate way, the new regulation requires specific modifications like rewording its Privacy Policy to state explicitly what kind of usage there is, automating how the user can access their personal data, and more. Unfortunately, this effort to comply is costly in legal fees, time and deviations from standard business operations, so that the GDPR can be given high priority.

CyberHour Getting Ready For The GDPR

In compliance with the GDPR, a hosting company like CyberHour has two responsibilities: to protect the personal data we collect from our clients upon registration (name, email, address, password, billing data), and to protect the data our clients collect from their clients and host on our servers during their usage of our services. We have to guarantee that we collect, store and work with our clients’ data in a legitimate way and that our clients are informed how exactly we do that. On the other hand, we have to provide sufficient guarantees and undoubted transparency, as a processor, on the way we store the data our clients host on our servers on behalf of their clients.

(Not that we have ever disclosed or sold our customers’ data to 3rd parties for gain)

Even though CyberHour has always been acting in accordance with the principles of the GDPR, there is still work to tidy up the processes we follow and comply with the letter and spirit of the law. So here is a list of the major things we are going through and why they matter.

1. Terms Of Service And Privacy Policy Updates

The GDPR states that we have to explain to clients what data we collect about them and legitimize how we use it afterwards. The fantastic news is that we collect only the minimal set of personal data that is required to deliver the hosting service. For example, we collect your physical address for invoicing and tax purposes. We don't collect your credit card data, only the PayPal transaction number, because we need to track the payment upon purchase. We collect your email because we need to contact you regarding your orders, the status of the services and important functionality updates and, where you have consented to receive such communications, to contact you with newsletters and promotions (generally we send emails rarely, since we hate spam regardless of the reason). We use cookies because they help us show relevant content to our website visitors and advertise based on these interactions. We don’t use any of the data collected for profiling or other secondary purposes and we do not sell it to anyone.

As per the GDPR requirements, our new Privacy Policy will fully describe why and how we collect and process personal information, and any client, existing or new, will be able to validate that we handle this information carefully and sensibly.

CyberHour (Administrator, Staff member) - #2
2. Create Annexes To Contracts With External Providers

Some of the services we sell are provided by external partners: domain registrars like Enom / Name / Tucows and Open Provider, GlobalSign for SSL certificates, Cloudflare for CDN and others. They need the client's data so they can deliver the service.

We are making sure that our partners adhere to the same data protection obligations and responsibilities for the protection of your data as we do. This happens by adding annexes to our contracts with these providers, where we define their responsibilities as per the GDPR.

3. Internal Procedures And Access-Control Enhancements

Given that we have been in one of the most security-demanding businesses for 13 years, all our operations are designed following the “security and privacy by default” and least privilege principles. What we are doing in line with the GDPR is auditing and enhancing the security levels and adding new procedures where they are required by the new regulation. For example, we are strengthening our personnel background checks and extending our confidentiality agreements. We are enhancing our security and incident management procedures with new ones that are in tune with the breach response requirements of the GDPR. Another new procedure we introduced is working only with partners that are GDPR-compliant.

4. Prepare A New Data Processing Agreement

Many of our clients operate with the personal data of their clients: they take orders, they collect emails through sign-up forms, they process credit cards, and more. The client controls the data and how that data gets collected and used, but CyberHour stores it on our servers and hence takes part in its processing. The new data processing agreement will regulate our processing of that data only for the purposes of delivering the hosting service and resolving technical inquiries and no other secondary functions, which has always been the case. By providing the agreement to our customers, we guarantee we are a trusted partner, committed to the principles of transparency, and that we meet our obligations under the GDPR adequately.

(CyberHour is known for its high privacy protection and zero logs of user activity)

5. Right To Be Forgotten (for real!)

Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation. We are now developing functionality that allows our clients to delete their profiles after all services have been deactivated.

(CyberHour customers have always had the option to request deactivation/deletion of their accounts and personal data)

6. Right Of Access, Update, Portability And Withdrawal Of Consent

Our new Privacy Policy will provide you with full details about how we process your personal data. As a client you should also be able to see what data we store about you, update it and, where we rely on your consent for processing the data, withdraw your consent to that use. All our clients can currently see their personal information in the My Details section of their User area, and they are able to correct it. Our use of your personal information is necessary to perform our obligations under any contract with you. We rely on your consent only to send you marketing information and promotional offers, and we have introduced new preferences which enable you to control your consent for this usage of your data. We should also be able to provide you with a copy of any data which we hold about you. For this, we are working on allowing you to easily export it if needed.

7. Assign A Data Privacy Officer

The GDPR says we need to assign a Data Privacy Officer to make sure we are compliant with the regulations and to handle complaints. We are assigning a DPO and we are training a small team of people who will be able to assist with inquiries and data protection issues.

As a hosting provider with high privacy protection standards, CyberHour will always take the needed actions in order to protect the privacy of its customers.

We will inform all registered customers of changes to our Privacy Policy and Terms of Use via email and a forum post in this section.

Best Regards,
CyberHour