Client Data Processing Notice

This notice explains how Letchworth Garden City IT t/a LGCIT (“LGCIT”, “we”, “us”, “our”) processes personal data when delivering IT services to our business clients (“you”, “your”).

We are registered with the Information Commissioner’s Office (ICO) under registration number ZB793093.


Our role

When we deliver IT services to you, we act as a data processor on your behalf. You remain the data controller — you decide what personal data we process and why. This notice describes how we handle that data.

Our role as a processor applies to the IT systems and services we manage for you under our service agreement. For the purposes of our own website and business administration, we act as a controller — see our Privacy Policy for details.


What data we process

As part of delivering our services, we may process the following categories of personal data:

  • Contact and account data — names, business email addresses, phone numbers, and job roles of your staff who interact with us or use the systems we manage
  • IT system data — device names, operating system versions, IP addresses, hardware inventories, software inventories, event logs, and configuration data collected through our remote monitoring tools
  • Authentication data — usernames, account identifiers, and security group memberships (we do not store passwords unless expressly agreed as part of a password management service)
  • Communications data — emails, support tickets, and correspondence sent to us regarding your IT systems
  • Backup data — copies of files, databases, and system states as part of agreed backup services, which may contain personal data incidental to your business operations
  • Security data — alerts, threat intelligence, and forensic data generated by endpoint detection and response (EDR) and other security tools

We process only the personal data necessary to deliver the agreed services. We do not actively mine, analyse, or use your data for any purpose other than service delivery.


Lawful basis

Our processing of your data is governed by the contract between us (the service agreement). UK data protection law permits this as “processing necessary for the performance of a contract.”

Where we monitor systems for security purposes (threat detection, intrusion prevention), we rely on legitimate interest — both yours and ours — in protecting your IT environment from harm.


How we use your data

We process personal data solely for the purpose of delivering the IT services agreed in our service agreement, including:

  • Providing helpdesk and technical support
  • Monitoring your IT systems for faults, performance issues, and security threats
  • Applying patches, updates, and configuration changes
  • Managing user accounts and access permissions
  • Performing backups and data restoration
  • Managing software licences and subscriptions
  • Procuring and configuring hardware
  • Maintaining records for billing and service improvement

We do not use your data for marketing, profiling, automated decision-making, or any purpose outside the scope of our service agreement.


Sub-processors

We use the following sub-processors to deliver our services. Each has been reviewed for appropriate data protection safeguards.

Sub-processor | Service | Data processed | Location of processing | Safeguards
Microsoft Corporation | Microsoft 365 (Exchange Online, SharePoint, Teams, Azure AD) | Email, documents, user accounts, authentication data | UK / EU / US | EU SCCs + UK Addendum; Microsoft EU Data Boundary
NinjaRMM LLC | Remote monitoring and management (RMM) | Device inventory, event logs, performance data, software inventory | US / EU | EU SCCs + UK Addendum
Datto Inc. (Kaseya) | Backup and disaster recovery | Backup data (files, databases, system images) | UK / US | EU SCCs + UK Addendum
Datto Inc. (Kaseya) | Remote access (CentraStage) | Remote session logs, device identifiers | US / EU | EU SCCs + UK Addendum
N-able Cove | SaaS backup | Backup data (files, databases, system states) | UK / US | EU SCCs + UK Addendum
Eve Wholesale | Telephony services | Call records, phone numbers, voicemail | UK | UK-based; no international transfer
Bitdefender | Endpoint detection and response (EDR) | Security events, file hashes, process data | US / EU | EU SCCs + UK Addendum
Bitdefender | Managed detection and response (MDR) | Security alerts, threat intelligence, incident response data | US / EU | EU SCCs + UK Addendum

We review our sub-processors periodically. If we add or replace a sub-processor, we will notify you in accordance with our service agreement.

N-able Cove is used for SaaS backup only and will be decommissioned by 30 June 2026. A replacement backup provider will be communicated in advance of this date.


International transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, specifically:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, together with the UK Addendum issued by the ICO, or
  • The International Data Transfer Agreement (IDTA) where applicable

Where a sub-processor stores data in the EU, the European Commission’s adequacy decision for the EU remains applicable for transfers from the UK under the “bridging mechanism” in UK GDPR.


Security measures

We maintain a comprehensive security programme to protect your data. This includes:

  • Multi-factor authentication (MFA) enforced on all administrative access to client systems and our own infrastructure
  • Encryption in transit — TLS for all web-based services, encrypted channels for RMM and backup traffic
  • Encryption at rest — BitLocker (or equivalent) on all company devices; encrypted storage for backup data
  • Access controls — least-privilege access for our technicians, with role-based permissions and quarterly access reviews
  • Audit logging — all administrative actions within our RMM and management tools are logged and retained
  • Staff training — annual data protection and security awareness training for all staff
  • Device security — company-managed devices with enforced security policies, endpoint protection, and automatic updates
  • Incident response — documented incident response plan tested periodically

Data retention

We retain your personal data only for as long as necessary to deliver our services and meet legal obligations.

Data type | Retention period
Support tickets and correspondence | Duration of the service agreement, plus 6 months
Monitoring and management data | 90 days, aggregated data retained for service improvement
Backup data | Retained per the backup schedule in your service agreement; deleted within 90 days of contract termination
Billing and contract records | 6 years after the end of the financial year to which they relate (HMRC requirement)

Data deletion on contract end

When our service agreement ends:

  1. We will provide you with a copy of your data in a commonly used format within 30 days of your request.
  2. We will securely delete or anonymise the personal data we hold, except:
    • Backup data, which will be deleted within 90 days (backups are on a rotation and cannot be selectively deleted earlier)
    • Billing and contract records, which we are legally obliged to retain for 6 years

Data breaches

In the event of a data breach affecting your personal data, we will:

  • Notify you without undue delay and within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, the categories of data affected, and the approximate number of records
  • Outline the measures taken or proposed to address the breach
  • Cooperate fully with you and the ICO as required

Your rights

As the data controller, you (or your data subjects) have the following rights under UK data protection law:

  • Right of access — request a copy of the personal data we process on your behalf
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure — ask us to delete data (subject to the retention periods above)
  • Right to restriction of processing — ask us to limit processing
  • Right to data portability — ask for a copy of your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest

To exercise any of these rights, please contact us at hello@lgcit.co.uk. We will respond within one month.

If you are not satisfied with our response, you have the right to complain to the ICO — see contact details below.


Complaints

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk
Tel: 0303 123 1113


Contact

For any questions about this notice or how we handle personal data, contact our data protection lead:

Email: hello@lgcit.co.uk
Phone: +44 (0) 1462 533500
Post: LGCIT, 79 Kyrkeby, Letchworth Garden City, Hertfordshire, SG6 2PG


Changes to this notice

We may update this Client Data Processing Notice from time to time. We will notify you of any material changes in accordance with our service agreement.