Data protection policy
Data Processing Agreement
Shireburn have been working to ensure that we process personal data in accordance with Data Protection Law, namely the Maltese Data Protection Act (Chapter 440 of the Laws of Malta) as amended and, as of 25 May 2018, the General Data Protection Regulation (GDPR), the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union.
This regulation has strengthened the rationale behind some of our existing procedures and processes, required us to strengthen others and has ensured that we place data privacy right at the forefront of our operations.
In preparation for the introduction of GDPR, we have made an assessment of our position and taken action to ensure compliance. We have audited the data that we hold, both data about our clients, prospects, suppliers and others, but also any retention of data from our clients.
Here is a list of technical and organisational measures we have at Shireburn:
We have implemented the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR including the updating of our processes, policies and procedures including our terms of service, our privacy policy, our legal policy and our data retention policy. We have also published our list of sub-processors and, as far as is possible, we have confirmed their compliance with our data protection requirements.
We have trained all our staff about the objectives of GDPR, the obligations and responsibilities imposed by the law and the updated policies and procedures related to all things related to data protection.
We have a large number of clients, some of whom use our software products on their own premises but others use our Shireburn Indigo platform which is a hosted and managed service. Others utilise our services for managing their networking and assisting them in their IT infrastructure. All of these have different implications for everything from data processing responsibilities, data storage, data storage location obligations and data retention.
We have prepared the Shireburn Data Processing Agreement (DPA), which comprehensively addresses data protection obligations across our client base and will be executed with our clients. You may review the document and complete the electronic signature process via the following link: Shireburn Data Processing Agreement.
Shireburn is fully aware of the philosophy of GDPR to protect the privacy of data subjects and we subscribe to this philosophy. We will continue to place the privacy of our clients at the forefront of our activities.
Data retention policy
Personal data will be retained by Shireburn in accordance with the data retention policy of Shireburn as defined in the table below as it relates to different data types:
Data key | Retention policy |
|---|---|
Client’s personal data shared with authorised staff for the purposes of the provision of implementation and support services | 30 days |
Data managed in Shireburn on-premises software | Managed by the client |
Data managed within Shireburn Indigo and other Software-as-a-Service | 60 days following termination of the subscription agreement |
Personal data stored related to contracts, billing, procurement and similar administrative processes to enable the on-going relationship between Shireburn and the client | 10 years from termination of the relationship |
Personal data related to correspondence, proposals, actions and opportunities | Up to 6 years after termination of the relationship with client |
Personal data of users registered on Help Desk services. Applicable from 21 October 2019 | 3 years from last contact on Help Desk |
Shireburn shall hold the client’s personal data only as long as is necessary to provide the services, including administration, accounting, marketing and reporting in the context of a legitimate business interest, and subject to:
- the rights of a data subject in terms of the Data Protection Law, such as requests for data access or deletion;
- any legal requirement for data retention as specified in any other law of the Republic of Malta, including laws including but not limited to social security, income tax, value added tax, employment and industrial relations etc.
- a request by an authorised Governmental or regulatory authority for an additional retention period
Modifications to this data retention policy can be effected by Shireburn publishing the new policy at this page and giving the client 10 days’ notice of such change. as long as, in the event that the client is not in agreement with such change, the client shall have the right to terminate the services without penalty.
Sub-contractors / sub-processors
Shireburn uses a number of specialised service providers as sub-contractors or sub-processors to assist it in delivering an optimal level of service to our clients. In so doing, we ensure the competence, reliability and professionalism of these sub-contractors. We also enter into agreements that ensure the obligations that we have assumed with respect to our clients are, at a minimum, also assumed by these sub-contractors/sub-processors.
The table below outlines the list of the current sub-contractors that we use specifically to process our data, in each case identifying the purpose of the processing that they do and the hosting location. Not all these sub-contractors/sub-processors may be relevant to you, as they may be limited to processing data related to different Shireburn products.
Sub-contractor/ sub-processor | Purpose | Location of hosting | Transfer Mechanism |
|---|---|---|---|
Product management, customer feedback | United States of America | EU-U.S. DPF | |
Issue management, document repository, source code repository, project management, timesheet management | Germany & Ireland | EEA Hosting | |
Third-party payment processor | United States of America | Standard Contractual Clauses (SCCs) | |
Feature flag management | United States of America | EU-U.S. DPF | |
Data analytics | Germany | EEA Hosting | |
Data analytics | United States of America | Standard Contractual Clauses (SCCs) | |
Business analytics, cloud services | United States of America | EU-U.S. DPF | |
Product analytics | Republic of Ireland | EEA Hosting | |
Customer communication | United States of America | EU-U.S. DPF | |
Cloud hosting, analytics | The Netherlands & Ireland | EEA Hosting | |
Customer and internal communications, business analytics, project management, remote access, document repository and all modules of Office 365 for business | The Netherlands & Ireland | EEA Hosting | |
Internal collaboration | Republic of Ireland | EEA Hosting | |
Subscription and billing management | United States of America | EU-U.S. DPF | |
Email service provider | United States of America | EU-U.S. DPF | |
Business continuity | Malta | EEA Hosting | |
Third-party payment processor | United States of America | EU-U.S. DPF | |
Recruitment management | Germany | EEA Hosting | |
Customer support, customer and internal communications, business analytics, project management, digital signing, remote access, document repository and all modules of Zoho One | The Netherlands & Republic of Ireland | EEA Hosting |
Change log
Date
Details
17-Dec-2025
Hosting location for Atlassian Pty Ltd services migrated from the United States to the European Union (EU).
17-Nov-2025
Embedded privacy policy links within sub-processor names, added Transfer Mechanism column, revised sub-processor names to reflect their full legal names, and removed ZKTeco Europe. No new sub-processors introduced.
19-Apr-2024
Introduced The Esports Network Ltd (Jobhound).
22-Oct-2022
Introduced Datadog, Inc. (Datadog).
20-Dec-2021
Introduced Aha! Labs Inc. (Aha!).