GDPR Compliance

EHS Genesis is built with data protection at its core. Here's how we protect your data and support your GDPR obligations.

UK & EU GDPR Compliant

Fully compliant with UK GDPR, the Data Protection Act 2018, and the EU GDPR. All data hosted in the UK and EU — never on US infrastructure.

AES-256 Encryption

Sensitive personal data is protected with AES-256 encryption in our PII Vault. All connections are encrypted in transit via HTTPS/TLS.

You Are the Controller

Your organisation is the data controller for all employee and incident data processed within the platform. We act solely as your data processor.

Rights Requests

Tools to manage data subject rights are built into the platform under Admin > GDPR. We respond to all rights requests within one calendar month.

Controller and Processor Roles

Your Organisation

Data Controller

Your organisation determines the purposes and means of processing employee data, incident data, health data, and all other personal data within the platform. You are the data controller for this data.

EHS Protect Ltd

Data Processor

We process personal data solely on your instructions, as set out in our Terms of Service. We do not use your data for our own purposes or share it with third parties beyond what is necessary to operate the platform.

Data Subject Rights

Under UK GDPR, individuals have the following rights regarding their personal data. To exercise any right, contact privacy@ehsgenesis.com.

Article 15

Right of Access

Request a copy of personal data we hold about you.

Article 16

Right to Rectification

Request correction of inaccurate personal data.

Article 17

Right to Erasure

Request deletion of personal data, subject to legal retention obligations.

Article 18

Right to Restriction

Request that we restrict processing in certain circumstances.

Article 20

Right to Portability

Request your data in a structured, machine-readable format.

Article 21

Right to Object

Object to processing based on legitimate interests.

Article 22

Automated Decision-Making

We do not make automated decisions with legal or significant effects. All AI outputs require human review.

If you are a platform user and wish to exercise rights regarding data processed within the platform, please contact your organisation's administrator in the first instance — they are the data controller for that data.

Data Processing Agreement

Our Terms of Service establish the data processing relationship between EHS Protect Ltd (processor) and your organisation (controller) in accordance with Article 28 of the UK GDPR.

Enterprise customers who require a standalone Data Processing Agreement (DPA) — for example, to satisfy procurement requirements or regulatory obligations — can request one by contacting us. The DPA covers:

  • Subject matter, nature, and purpose of the processing
  • Categories of personal data and data subjects
  • Technical and organisational security measures
  • Sub-processor details and safeguards
  • Data subject rights assistance obligations
  • Breach notification procedures
  • Return and deletion of data on contract end
Request a DPA

Data Hosting and Sovereignty

Your data stays in the UK and EU.

All customer data is hosted exclusively on IONOS infrastructure — a German-owned company (Frankfurt Stock Exchange listed) with data centres in Frankfurt, Germany, and London, United Kingdom. No data is hosted on AWS, Azure, or Google Cloud. Your data is not subject to the US CLOUD Act, FISA Section 702, or Executive Order 12333.

Hosting Provider

IONOS SE — German-owned, Frankfurt Stock Exchange listed

Data Centre Locations

Frankfurt, Germany & London, United Kingdom

Applicable Law

EU GDPR and German BDSG — no US cloud jurisdiction