Statement of Compliance for the GDPR
Commitment Statement
The EU’s General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights of EU individuals over their data and creating a uniform data protection law across Europe.
Patchworks supports the GDPR and has put the appropriate policies, procedures, and safeguards in place to ensure that our Integration Platform as a Service (iPaaS) complies with the applicable GDPR regulations as a Data Processor.
How Patchworks iPaaS Processes the Personal Data that you Control
Patchworks Integration Platform as a Service (iPaaS) handles personal data when transmitting and/or transforming customer and order data between eCommerce, Enterprise Resource Planning (ERP), Warehouse Management Systems (WMS), Customer Relationship Management (CRM), Email Service Providers (ESP) and other systems and platforms.
All data is transmitted and received via secure communication methods, and, where appropriate, data is encrypted.
Where Patchworks iPaaS transmits and/or transforms customer/contact data independently (i.e., not as part of a shipping notification, order update or other associated service), email addresses are stored for logging and matching purposes.
Personal Data is retained, from the point of initial transmission/transformation, for up to 6 months from the end of the client’s relationship with Patchworks Media Ltd. Personal Data can be deleted more frequently. For any access, update or deletion requests with regard to your customers’ personal data, please email info@patchworks.co.uk.
To make our customers’ ongoing GDPR compliance easier, users of Patchworks Tapestry can request that Patchworks search for, export, update, and/or delete personal data about their customers stored in their individual iPaaS databases.
Upgrade pathways for customers on v4 and v5 have been offered to customers once the functionality has successfully rolled out to Tapestry instances.
Who Else Processes Your Customers’ Personal Data?
If you haven’t already done so, we strongly recommend contacting your other key suppliers. Whilst we are not in a position to provide an exhaustive list, it will include companies that work with you on the following:
| Provider | Service | Location |
| --- | --- | --- |
| AWS | Analytics | EU (London) |
| Cloudflare | DDoS, Threat Mitigation | UK |
| Atlassian | Process & Project Management | EU |
| Vercel | Infrastructure | UK |
| MailGun | | EU, US |
| DevTeam | Support & Dev | Philippines |
Patchworks as a Data Controller
In addition to our role as a Data Processor for our iPaaS, Patchworks also acts as a Data Controller in the course of our own business operations. Where contacts at our clients, partners, and prospects have freely provided their information, we may store some or all of the following personal data: forename, surname, job title, company name, phone number, mobile number, address, and email address.
All personal data is stored and processed using modern, cloud-based technologies, with encryption, security, and auditing measures in place as standard. Data is retained in accordance with the lawful bases defined under the GDPR. For a copy of our Retention Schedule, or for any questions regarding data portability, security, or auditing, please get in touch by emailing security@wearepatchworks.com or calling +44 (0) 115 727 0404.
A Note on Data Protection
Thank you for your interest in Patchworks’ approach to the General Data Protection Regulation (GDPR). Patchworks maintains an ongoing commitment to safeguarding customer, partner, and employee data in line with UK and EU data protection legislation. Below are answers to the most common questions about our approach to GDPR compliance.
Legal Disclaimer
The information contained in this document is for general information purposes only. Whilst every effort has been made to ensure accuracy, Patchworks assumes no responsibility for errors or omissions. This document does not form part of any contractual documentation, does not bind Patchworks in any way, and should not be relied upon as legal advice. Patchworks reserves the right to update this information at any time without prior notice.
Frequently Asked Questions
Yes. Under the GDPR, Patchworks operates as a Data Processor, as we transmit and handle personal data between your connected systems. You should include Patchworks in your Record of Processing Activities (ROPA) and ensure a Data Processing Agreement (DPA) is in place. You can download our DPA from the Documents section of our Security & Compliance page.
Yes. Patchworks is a Data Controller in respect of personal data held about its customers, partners, suppliers, and employees, where that data has been freely provided. This includes details such as names, job titles, company names, and contact information.
Yes. Patchworks has an established data protection programme with board-level accountability. This programme is continuously reviewed and updated to reflect changes in legislation and best practice.
Yes. We determine and document the lawful basis for each type of data processing we carry out. This is recorded within our Data Process Mapping registers and reviewed on an ongoing basis.
Where consent is determined to be the appropriate lawful basis, Patchworks obtains it in line with GDPR requirements. Our consent processes are reviewed regularly to ensure continued compliance.
Yes. Our data retention schedule is documented within our Data Process Mapping registers. Following the end of a customer relationship, we may retain personal data for up to 10 years for the following reasons: to respond to questions or complaints, to demonstrate fair treatment, or to meet applicable legal and regulatory requirements. Data may be retained beyond this period only where legally required. Individuals may request erasure at any time by contacting us at info@wearepatchworks.co.uk.
Yes. Patchworks can encrypt, pseudonymise, and anonymise personal data where appropriate as part of a risk-based approach to data management.
No. Patchworks does not handle, store, or process special categories of personal data as defined under Article 9 of the GDPR.
Yes. We have completed personal data and process mapping across the organisation, documenting all instances where personal data is captured, how it is stored, and the legal basis for processing. This is held in a central system and maintained as the organisation evolves.
Patchworks makes its full Privacy Notice available to customers, partners, suppliers, and employees. We communicate with individuals using a layered approach, in line with ICO best practice, providing clear and accessible information at the point of data collection.
Yes. All erasure requests are handled by the Patchworks team promptly and in line with GDPR requirements. Requests can be submitted by emailing info@wearepatchworks.co.uk.
Yes. We can provide personal data in a portable, machine-readable format (such as CSV) in accordance with the right to data portability under the GDPR.
Yes. We have documented processes for updating and correcting personal data, both as a Data Controller and as a Data Processor acting on behalf of other Controllers.
Yes. All changes to the Patchworks platform that affect the handling or processing of personal data are assessed using Data Privacy Impact Assessments (DPIAs). IT security requirements are embedded into our standard operating procedures, supported by ongoing staff training and a culture of data awareness.
In some cases, yes. Where personal data is processed outside the EEA, Patchworks ensures it is afforded equivalent protection through appropriate safeguards, including Standard Contractual Clauses (SCCs) or transfers to countries with adequate data protection frameworks recognised under UK and EU law.
Yes. All Patchworks staff, contractors, and subcontractors receive data protection training tailored to their role, on an ongoing basis. Training is updated to reflect new regulatory and legislative requirements as they arise.
Yes. Patchworks has a formal Data Breach Policy in place. In our capacity as a Data Processor, the relevant Data Controller will be notified without undue delay in the event of a breach. As a Data Controller, Patchworks has reporting obligations to the ICO and will meet those within the required timeframes.
