GDPR & Data Protection Statement
iWorks applies practical, real-world data protection measures across all systems, combining secure infrastructure, controlled access, and GDPR-aligned processes.
iWorks is committed to protecting personal data and ensuring compliance with the General Data Protection Regulation (GDPR) and applicable Irish data protection legislation. This statement outlines how iWorks operates both as a data controller (in relation to its own website and communications) and as a data processor (in relation to client systems and bespoke software platforms).
1. Role of iWorks
iWorks operates in two capacities:
- Data Controller: For data collected via the iWorks website (e.g. contact enquiries).
- Data Processor: For systems developed and/or managed on behalf of clients, where data is processed strictly under client instruction.
2. Data Collection (iWorks Website)
When users submit enquiries via the iWorks website, personal data such as name, email address, and message content is transmitted directly via email (Google Workspace).
- No personal data is stored within the website database.
- Enquiry emails are retained only for as long as necessary to respond to the request.
- Non-relevant communications are routinely deleted within a short period.
3. Email & Communication Security
iWorks uses Google Workspace for email communications, with the following security measures in place:
- Two-factor authentication (2FA) enabled
- Access restricted to authorised devices
- Password-protected account access
4. Website Hosting & Analytics
The iWorks website is hosted on infrastructure located within the European Union (Amazon Web Services, Ireland), managed at server level.
Google Analytics is used to monitor website usage and improve services. No additional tracking technologies are used. No personally identifiable data is intentionally collected through analytics tools.
5. Client Systems & Data Processing
iWorks develops and manages both standard websites (e.g. WordPress) and bespoke software platforms. These systems may be hosted on shared environments or dedicated infrastructure (e.g. AWS EC2, RDS, S3).
All client data is processed strictly under the instruction of the client, who remains the Data Controller.
6. Data Security Measures
iWorks implements appropriate technical and organisational measures to protect data, including:
- Encrypted data storage (including field-level encryption where appropriate)
- Secure database access with IP-based restrictions
- HTTPS enforced across all systems
- Authentication controls, including password policies and account lockouts
- Optional integration with secure authentication providers (e.g. Microsoft OAuth)
- Role-based access controls within applications
- Logging and audit capabilities for system activity
7. Infrastructure Security
Where systems are hosted on AWS infrastructure, the following controls are typically applied:
- Restricted database access (limited to specific IP addresses)
- IAM-based access management
- Private storage of files (e.g. S3 with no public access)
- Secure API-based access to stored resources
- All infrastructure is configured to follow the principle of least privilege.
8. Access to Data
Access to live production data is limited and controlled. iWorks typically operates separate development/test and production environments.
- Test environments use non-production or controlled data
- Production data is accessed only when necessary (e.g. support, debugging, client request)
9. Backups & Recovery
iWorks implements structured backup and recovery processes, including:
- Point-in-time database backups (typically 7 days, configurable)
- Nightly database snapshots stored securely in private S3 storage
- Periodic server (EC2) backups
- Version-controlled code repositories and local backup systems
Backup retention periods can be adjusted based on client requirements.
10. Data Retention
Data retention policies for client systems are defined and controlled by the client. iWorks provides guidance during system design to ensure that retention policies are technically achievable and do not compromise data integrity.
11. Incident & Breach Management
In the event of a suspected or confirmed data incident, iWorks will:
- Notify the client without delay
- Investigate system logs and access records
- Contain and secure the affected system
- Identify the root cause
- Implement corrective actions (which may include patching, code fixes, or system restoration where appropriate)
Recovery actions are determined based on the nature and scope of the incident to ensure full resolution.
12. Subprocessors
iWorks may utilise trusted third-party infrastructure providers, including:
- Amazon Web Services (AWS)
- Google Workspace
These providers operate within recognised security and compliance frameworks.
13. Client Guidance
iWorks actively advises clients on GDPR best practices, including:
- Data minimisation
- Secure access controls
- Password policies
- Hosting within appropriate jurisdictions
- Data retention strategies
14. Contact
For any queries relating to data protection, please contact:
Email: info@iworks.ie
Website: www.iworks.ie
