GDPR Compliance

Last updated: January 2026

UK data hosting

All Buttress QMS data is hosted securely in the UK (AWS London region) to ensure full compliance with UK GDPR and data sovereignty requirements. Your data never leaves UK borders.

Our commitment to data protection

Buttress QMS is committed to protecting the privacy and security of your personal data. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your rights under UK GDPR

Under data protection law, you have the following rights:

Right to be informed

You have the right to know how your personal data is being collected and used.

Right of access

You can request a copy of all personal data we hold about you.

Right to rectification

You can request that inaccurate personal data be corrected.

Right to erasure

You can request deletion of your personal data in certain circumstances.

Right to restrict processing

You can request that we limit how we use your data.

Right to data portability

You can request your data in a machine-readable format.

Right to object

You can object to processing of your data in certain circumstances.

Automated decision-making

You have rights regarding automated decisions and profiling.

Lawful basis for processing

We process personal data under the following lawful bases:

  • Contractual necessity — processing necessary to fulfil our contract with you.
  • Legitimate interests — processing necessary for our legitimate business interests.
  • Legal obligation — processing necessary to comply with legal requirements.
  • Consent — where you have given clear consent for specific purposes.

Data Processing Agreement (DPA)

We offer a standard Data Processing Agreement for all our customers. The DPA outlines:

  • The nature and purpose of data processing.
  • Types of personal data processed.
  • Our obligations as a data processor.
  • Your rights as a data controller.
  • Sub-processor arrangements.
  • Data breach notification procedures.

To request a copy of our DPA, email [email protected].

Security measures

We implement appropriate technical and organisational measures to protect your data:

  • AES-256 encryption for data at rest and in transit.
  • Mandatory SSL/TLS for all connections.
  • Role-based access controls.
  • Regular security audits and penetration testing.
  • Staff training on data protection.
  • Incident response procedures.

Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Quality management data is retained for the duration of your subscription plus 90 days to allow for data export.

International transfers

As all data is hosted in the UK, we do not routinely transfer personal data outside the UK. Where any transfer is necessary (e.g., for specific third-party integrations you enable), appropriate safeguards are in place.

Sub-processors

We use a limited number of sub-processors to provide our Service. A current list of sub-processors is available upon request.

Data Protection Officer

For any data protection queries or to exercise your rights, contact our Data Protection team at [email protected].

Supervisory authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. ICO website: ico.org.uk.

Stop firefighting supplier quality.

Start your 60-day free trial. No card required. First NCR logged in under an hour.

Start free trial Book a demo