This page explains the main systems Cultrix uses to store and process personal data, both for our own business and when we provide services to our customers. It is designed to support our GDPR commitments and to give you a clear, plain-English view of “where your data lives” when you work with us.
It should be read alongside our Privacy and cookies policy and our Third parties and data sharing page, which explain how and why data is collected, shared and protected.
How we use systems to deliver our services
Cultrix provides IT support, cloud, web hosting, development and related services. To do this safely and sensibly we use a small number of core systems, supported by carefully chosen partners. These systems allow us to:
- host websites and web applications for ourselves and our customers
- provide day-to-day IT support, monitoring and maintenance
- manage our own email, documents and collaboration
- track assets, changes and support history
- store login details securely where we need to manage systems on your behalf
- handle billing and accounts
In some cases we act as a data controller (for example for our own business systems and marketing). In others we act as a data processor on behalf of our customers (for example where we manage their Microsoft 365 tenant or host their website). The role we play is set out in our contracts and data sharing information.
Core platforms operated by Cultrix
The table below summarises the main systems we operate that may hold or process personal data. It is not intended to be a full technical inventory, but a clear overview for customers, regulators and anyone who needs to understand our data landscape at a sensible level of detail.
| System / platform | What it is used for | Typical personal data | Our role |
|---|---|---|---|
| Cultrix Cloud hosting platform | Our own Linux-based hosting platform, running cPanel on CloudLinux in UK datacentres. Used to host websites and web applications for Cultrix and our customers. | Names and contact details submitted via websites; user account details for hosted applications; technical logs and IP addresses generated by normal web use. | Data controller for our own sites and services; data processor for customer websites and applications we host under contract. |
| Remote desktop and management platform | A Windows Remote Desktop Services (RDS) environment hosted and managed in partnership with our infrastructure provider. Used to provide remote desktop services to some of our customers and to give Cultrix engineers a managed, fixed-location environment to administer those systems. | End-user account details, activity logs and any business data that customers choose to store or process within their remote desktop environment. | Typically data processor, operating and supporting the platform under our agreements with each customer. |
| Microsoft 365 (Cultrix tenant) | Used by Cultrix staff for email, calendars, file storage (OneDrive), collaboration (Teams) and shared data (SharePoint). Also used to manage identity, access and security policies (for example Conditional Access and MFA). | Names, email addresses, roles and contact details for Cultrix staff and business contacts; business documents and records stored in OneDrive or SharePoint; Teams chat and meeting data. | Data controller for Cultrix’s own tenant. For customers, we may administer their own separate tenant as a data processor - their data stays in their tenant. |
| Service and support systems (Control, Asset Directory, Washplant, WHMCS) | Our internal Laravel-based systems and billing platform used to manage support tickets, assets, licences, services, projects and invoicing for our customers. | Customer contact names, email addresses, telephone numbers; details of devices and services; support history; limited billing contact details. We do not store full payment card details in these systems. | Data controller for our own records about customers and their services, acting as a data processor where we store data on behalf of a customer under a specific agreement. |
| Security, monitoring and management tooling | A managed stack of security and monitoring tools used to keep endpoints, servers and cloud services updated, backed up and monitored for suspicious activity. | Device identifiers, usernames, machine names, IP addresses, event and security logs and similar technical metadata. These tools are not used for marketing. | Typically data processor, acting on behalf of customers as part of our managed IT and security services. |
| Password management (Keeper) | A dedicated password management platform used to store and share credentials securely where we need access to customer systems, and for selected Cultrix internal accounts. | Encrypted login details and related notes for systems we manage; user names where those are part of a login. Passwords are stored encrypted and are not visible in plain text. | Data controller for our own vault structure and how we manage access; data processor where customer-specific credentials are stored to deliver our services under contract. |
| Finance and accounting systems | Systems used to issue invoices, track payments and manage our accounts, including integration with our bank and payment collection providers. | Billing contact names, addresses, email addresses and limited reference details required for invoicing and payment tracking. We do not store full card data. | Data controller, managing our own financial records in line with legal and regulatory requirements. |
| Development and deployment tools (including Git repositories) | Tools we use to develop and deploy software, including source code repositories and automation for moving changes between staging and live environments. | Source code and configuration for applications; user names and email addresses for developers; references to environment variables and connection details. Customer production data is not stored in our code repositories. | Data controller for development artefacts; any live customer data remains in hosted systems, not in repositories. |
Where data is stored
Our core hosting platform is based in UK datacentres. Many of the cloud services we use, such as Microsoft 365 and selected security platforms, are provided by large, well-established vendors using their own infrastructure.
Where a particular service allows data residency choices (for example, which region a tenant is provisioned in), this is managed at tenant or account level and may be determined by your contract with us or directly with the relevant service provider.
Full details of third-party providers, including links to their own privacy and security information, are set out on our Third parties and data sharing page.
When we are a controller and when we are a processor
We try to keep roles simple:
- We are a data controller for personal data we collect and use for our own purposes - for example, information about our staff, suppliers and customers, and how you use our own website.
- We are a data processor where we manage or host systems for you as part of a service (for example, hosting your website, administering your Microsoft 365 tenant, or managing endpoints).
Your contract with us and our Privacy and cookies policy set out these roles in more detail. Our Third parties and data sharing page explains how selected partners support us in each case.
How this supports our GDPR responsibilities
Knowing where data is held, and for what purpose, is a core part of our Information Security Management System and our GDPR compliance. The systems listed on this page are subject to:
- access control and least-privilege principles
- security monitoring and patch management
- backup and recovery processes where appropriate
- supplier due diligence and ongoing review
- documented procedures for onboarding and offboarding customers and staff
Behind the scenes, these systems are tracked in our internal registers and risk management processes. You do not need to manage any of that yourself - but we maintain it so we can answer questions quickly and keep your data safe in a consistent way.
Keeping this page up to date
Technology changes, and we occasionally add or retire systems to improve security, resilience or efficiency. When we make a material change to the systems that may affect how your personal data is processed, we will:
- update this page with clear, plain-English information
- update our Privacy and cookies policy if needed
- update our Third parties and data sharing page where relevant
If you are an existing customer and a change materially affects your contract with us, we will let you know through our usual communication channels.
Questions or concerns
If you have any questions about the systems we use, or how your data is handled within them, you can contact us using the details in our Privacy and cookies policy. We’ll give you a straight, honest answer in as much detail as you reasonably need.