HOME / COMMUNITY Switch to knowledge base

Data Protection Compliance with GDPR

  1. In which country is my data physically stored? Is my data ever backed up servers in a different country?

  2. Are your computing services ISO 27001 and 27017/2718 compliant?

  3. Are your services GDPR compliant?

Gdpr updates
GDPR Upcoming Regs

Hi @rdavis131

I’m waiting confirmation from a colleague about your queries - just want to be sure I’m giving you the correct information, as I’m not familiar with GDPR

In the meantime, I would like to make you aware of these other topics regarding security of QuickFile that you may find useful:

Either myself or my colleague will update this thread shortly.

  1. All accounting data is situated on UK servers. We also utilise Amazon Web Services for hosting files stored in our document manager. The AWS data center is based in Ireland.

  2. Our data center is ISO 27001 compliant. The latter two are still relatively new and the final versions were only recently published. We will certainly be looking into this.

  3. General Data Protection Regulation (GDPR) is a EU directive that will come into effect on 25th May 2018, during the run up to this we will be looking at the specific provisions made.

Exporting all data with complete text and all invoice lines

As GDPR is nearly upon us i wondering if you can confirm that you are compliant


Hi @Hunnypot

We are working and testing all updates to ensure we will be GDPR compliant by the time it becomes law in May.

As per my colleagues post above, all accounting data is stored on UK based servers, with some parts stored in Ireland with AWS.


thank you obviously getting complaint at this end so just wanted to tick that off and add it to the documents that i need in case the IOC come to visit


Hello there,

Just wanted to ask for an update on your GDPR compliance please? I notice that this conversation was some time ago and since we only have a few months to go I wanted to see how compliance was going with Quickfile. I’m sure many other users are thinking the same especially as we are all trying our best to meet this new law with our businesses.

Kind regards


Hi Sandra,

We are currently working in collaboration with a law firm to update our terms of service and privacy policy. We’ve also completed ~75% of the back-end changes to support the specific provisions within GDPR. We remain on track to have everything in place by 25th May.



In light of the upcoming GDPR changes I wonder if you could help with the following queries
Do you have a GDPR statement and what measures are in place for you to be compliant with GDPR by May 2018?
Where is the data we input stored?
Do you have a data protection officer?
Do you inform me when you transfer data?
What controls do you have in place to reduce risk? /What are your risk management processes?
Who can access the data that you hold?
Do you have security breach notifications in place?
Do you adhere to Binding Corporate Rules (BCRs)?
What measures are in place for you to be compliant with GDPR by May 2018?

I look forward to your reply.



Hello @opengenius

You should have seen a notification when you recently logged into your account regarding our updated policies which should address some of your queries.

I’ve also merged your posts into an existing thread for GDPR which hopefully answers some of your queries too. However, please do let us know if we can help further.

In case you haven’t yet seen the notification, you can find our updated Privacy Policy here:
Privacy Policy

(correct at time of posting)



I am sorry but I may have missed those notifications. Are they available to view now and if so where would I find them?

Many thanks



They appear when you log in you should see it. I don’t believe there is a way to bring it back up once you’ve acknowledged it, but for reference, this is what it looks like:


The two links go to the following pages:


Hi there,
Could we please get an update on how you’re doing with GDPR compliance? I’m most concerned about being able to pass on the rights that GDPR codifies (rights to erasure, portability, etc.) to my clients.
Many thanks,


Hi @Jenii_Lowe

Everything regarding this should be covered above or in the privacy policy (also linked above). But please don’t hesitate to let us know if you have any additional questions.


Thank you, but your privacy policy only informs users of their own rights to erasure, portability, etc that I would expect from any EU provider. I’m more curious as to what QF allows me to do if a client of mine wishes to exercise those rights? And how to perform those actions in QF? I know you’re GDPR compliant, but I need to make sure I am too in using QF - if that makes sense!


AIUI you aren’t prevented from holding normal accounting information in any way. The only issue that I can think of as a layman is with named contacts within a client organisation and, as long as you are only holding those that are required for the performance of your contract with them then there shouldn’t be an issue.

If that wasn’t the case you could have people demanding to have their unpaid invoices deleted. (I suspect that some chancer in this world will try though)

Memo to self - I still need to write my own privacy policy,


Hi @Jenii_Lowe

As @FolkLondon points out, with accounting records you’re actually required to keep these for a minimum of 6 years by HMRC (see here) so data like invoices (with client details) shouldn’t be deleted as such.

All data within your account is exportable to a .CSV format which is a common machine readable format and supported by many different packages (for portability). The client portal would also allow your clients to view the data you store related to them.

If the time comes that you wish to use a different package and delete your data from QuickFile, then upon request, we will delete any data held on your account.

However, if you are uncertain on any aspect of GDPR in regards to the data you hold, I would advise you to seek professional advise on this to ensure everything is correct.

I hope this helps!


I’ve checked the new updated policies as above but it talks about the data you hold as a Data Controller and I can’t find anything about you acting as a Data Processor.

I would understand that you are the Data Controller for the details you hold on our account with you, but where I enter my client details onto your software I am the Controller and Quickfile is the Processor. Do you have a Controller to Processor Data Processing Addendum to your main TCs and Cs.

As a controller who uses a processor we need that in place with you to ensure that we are adhering to the new legislation. Sorry if I’m misunderstanding this.
Thank you.


Hi @Alison

As we are acting as your Data Controller we have an obligation to inform you how we collect, store and process your personal data in line with GDPR. Our privacy policy does not extend any specific rights or remedies to your client and therefore we do not include any addendum to our privacy policy that addresses this question.

Typically what you would do here is publish a list of your own sub-processors, where QuickFile would feature. We have our own list of sub-processors here, although I don’t believe this is a strict requirement under GDPR, it does help to better inform customers on where data is stored and processed.

We will also be providing additional tools to help you comply with any exercising of rights posed by your customers under GDPR. Although as my colleague has mentioned, due to the types of documents we process on your behalf (e.g. invoices and financial transaction) the scope for requesting erasure is trumped by your obligation to retain financial records for tax purposes.

Another thing to note is that when clients are removed from QuickFile, the associated contacts (name, email, telephone number) are physically deleted. We will also be providing some additional tools to allow export of personal data from the client control panel.

I hope that answers your question, but please get back to us if you have any doubts.


Thank you everybody for your responses cc: @QFMathew

@FolkLondon - I know I’m probably going overboard in worrying about this, one would think that keeping essential accounting stuff comes under “legitimate use”. I did crack a smile at your hypothetical chancer though! Hopefully nobody’s going to try that!

Great question @Alison, and great response @Glenn. Please keep us updated as to the additional tools you’re planning!