Data Privacy & Security FAQ
Where does Willow360 store data?
Info Technology Supply Ltd, a company incorporated in England and Wales under number 2230502 whose registered office is at 2 Hobbs House, Harrovian Business Village, Bessborough Road, Harrow, HA1 3EX, England, United Kingdom trading as Willow360 and its authorised resellers who contract with a reseller's customer ("you") (together "Willow360") stores its data in Microsoft Azure servers located in the European Union. This includes customers’ personal data and the data that is processed on behalf of customers.
Why is my file data stored in my Willow360 account for only 30 days?
This is due to the Willow360 data retention policy for your account: In summary
- 30 days after completion of a workflow any files are removed from the Service
- Files shared securely by Willow360 are retained for 30 days from issue
- Workflow history is stored for up to two years
- For more information see Data Privacy at Willow360
Is there an option to have my data stored only within the USA or the UK?
Willow360 does not currently support this option.
Has Willow360 ever had to disclose data to UK/US or US authorities?
Willow360 has not received any data access request from EU data protection regulators nor from the UK's Information Commissioner nor the US government under Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.
If such a request is received, Willow360 will use reasonable efforts: (1) to have the governmental authority request such data directly from you; and (2) to notify you of the request promptly, unless prohibited under the applicable law of the requesting government authority.
Does Willow360 sell or market the data to third parties in any way? Will you share my data without my consent?
No, Willow360 does not sell or market your data to third parties. Authorised resellers with whom customers contract to buy the Willow360 service will be supplied by you with personal data including for invoicing purposes. Data may be shared for essential services such as use of IT contractors or sub processors with carefully chosen third parties, but not for marketing purposes.
Does Willow360 have a vetting process for its sub processors?
Willow360 does vet sub processors. Any sub processors that become part of the service will undergo an internal legal and security review to assess how customer information is protected, from both privacy and security perspectives.
Will Willow360 sign my company’s DPA?
No. We do not sign DPAs from other companies.
May I use Willow360 with healthcare/medical data? And/or, will you sign my company’s BAA or similar such policy?
The use of regulated healthcare and medical data such as sensitive medical data under UK GDPR and in the USA like HIPAA is not supported on Willow360. Willow360 also does not as a matter of policy agree to sign USA or similar business associate agreements (BAAs) or equivalent agreements for handling protected health information (PHI) or other similar information.
What security certifications does Willow360 have and/or where can I find more information about Willow360’s security practices?
The creators of Willow360 hold ISO 27001 certification with independent third-party auditors. See further on the Willow360 website.