Quesmedia Sites
Effective date: 1 May 2018
Quesmedia is a registered trading name of Nick Thornley, number 018179B. All first person pronouns in this document should be taken to mean "Nick Thornley trading as Quesmedia"
Quesmedia Sites (also referred to as the "Service") is the name of a hosted website platform provided by Quesmedia. You may use the Service to create or publish your own sites, products or services ("Site"/"Sites").
Quesmedia takes privacy and security seriously, you can read our own Privacy and Security Policy here.
Please note this Policy does not cover data collected and published by the owners of the site ("Quesmedia Sites Site Owners" or "You"/"Your") including but not limited to content added via the Content Management System, appearing for example as Pages or Blog Posts, and content contained within the site templates or collected by custom site features.
Please refer to the site's own policies for any additional information.
Maximum retention period of the Cookies we set is the user session.
HTTP Cookies ("Cookies") are small pieces of text that a website can store with a visitor's web browser when they view a page, if the browser is set to allow it. The web browser will then send the cookie data back to the website when another page is visited.
By default Quesmedia Sites websites set just two Cookies:
HTTP_IS_RETINA contains a flag (1 or 0) set based on whether the visitor's display has a "retina" high pixel density screen. The Site then uses this information when serving certain image assets so larger more detailed images downloaded if the visitor can make use of them.
PHPSESSID contains a randomly generated value, set on the first page visited in a browsing session. This value is used by the Site to determine when subsequent request are made from the same user. This is essential for the proper handling of form submissions, user specific alerts and to enable the provision of authenticated user sessions.
Sites may use the following third party services that themselves may set Cookies: Google Analytics, Google ReCaptcha and Cloudflare.
Maximum retention period of non aggregated Google Analytics data is 26 months, resetting on activity.
Google Analytics may be used to monitor basic site activity, which helps us and Quesmedia Sites Site Owners understand user behaviour and improve the Sites and Service. For authenticated user sessions only an anonymised per user identifier is used by the Analytics tracking code to aggregate an Account's activity across multiple devices/browsers.
Google Analytics Cookies are set under a Site's domain by the Google Analytics code. You can identify Google Analytics Cookies as their names start with __gtm.
Google ReCAPTCHA may also be used by Sites on forms to protect against spam and can set Cookies.
Here are some useful links:
Some Sites make use of the services offered by Cloudflare to improve performance, reliability and increase security.
Cloudflare Cookies may be set under the Site's domain by Cloudflare. These are essential for Cloudflare's security features. Cloudflare currently uses a cookie named __crduid.
View Cloudflare's privacy policy here.
Maximum retention period is the lifetime of the Site and related backups
Contact Form Submissions are captured and stored by the Site and generate two emails:
The Personally Identifiable Information ("PII") contained within submission is: the provided email address, the IP Address that made the submission, the message content of the submission and any provided contact number information.
Maximum retention period is the lifetime of the Site and related backups
CMS Login attempts are captured and stored by Sites for the purpose of support and system security. The PII that may be stored is: the provided username (only if it exists on the system), a globally (per Site) salted hash of the provided username, the IP Address that made the login attempt and the User-Agent information provided in the HTTP request headers. The system also logs whether the attempt was successful.
Maximum retention period is the lifetime of the Site and related backups
User Account data is stored to provide authentication session functionality. The PII stored is the Account's: designated full name, username, email address, salted (per Site and per Account) and hashed password and the Account's role (e.g. editor or administrator) along with the date and time when the Account was created, the date and time the Account was last active and the location path within the Site where the Account was last active (e.g. /pages/id/123).
Maximum retention period is the lifetime of the Site and related backups
CMS Audit Logs capture information about Accounts activity (creating/editing/deleting content and changing Site settings). These logs help us provide support and identify malicious activity. The PII contained within these logs is the Account's: username and IP Address along with the time and date and a description of the activity.
Example data:
2018-03-16T14:23:22+00:00 INFO (6): pages.id:130 update published => 1, datetime_published => 2018-03-16 14:23:22 [198.51.100.123] 6 [email protected] administrator]
From this we can derive the following information:
Maximum retention period is 12 months plus the lifetime of any related backups
We may log certain Site activity for the purpose of maintaining and improving Sites and Services. For example, we may log unexpected errors, warnings or notices so we can fix problems and be aware of potential issues.
Maximum retention period is 12 months plus the lifetime of any related backups
Server Logs are a valuable tool to help us manage the Service. By visiting a Site a log file entry may be generated that could contain the following PII: the IP Address making the request and the User-Agent and any HTTP Referer information provided in the HTTP Request Headers.
Example data from a web server access log:
198.51.100.123 - - [05/Apr/2018:09:10:16 +0100] "GET /example.txt HTTP/1.1" 200 3386 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
From this we can derive the following information:
Maximum retention period is 12 months
Our data backup policy is simple. We make multiple backups of all our servers and data volumes, these are stored by DigitalOcean, our Cloud Hosting Provider, within their London based data centre. We use these backups, for example, to protect us from data loss in disaster recovery situations and help us minimise downtime during server migrations.
The Virtual Private Servers we use, provided by DigitalOcean, are referred to as "Droplets", and the Data Volumes as "Volumes". We do make use of DigitalOcean's Droplet monitoring software. Please visit https://digitalocean.com to view their policies, look for the sections related to their Droplet and Volume services.
You are responsible for making sure Your Sites comply with all relevant Data Protection and Security and Privacy laws and regulations.
We will act on any legitimate request for a copy of all personal and supplementary data held on our systems in compliance with GDPR. Once the identity of the person making the request has been verified, and if that request is legally valid, we will provide the data in a well structured and accessible format. Note that security sensitive information or information containing other user PII will be redacted.
Note that we will not check for data stored within backups unless there is legitimate need to do so.
A request may be made to us to erase personal data. Once we have been able to verify the identity of the person making the request, and if that request is legally valid, we have procedures and methods in place to erase the information.
While it is impossible to declare any service completely secure, we are committed and passionate about keeping all personal information safe. Quesmedia Sites servers are configured with a bare minimum attack service mentality and measures such as firewalls, intrusion prevention software and monitoring in place to protect against intruders.
All Quesmedia Sites are served over HTTPS using TLS to provide both secure server–server and server–client communication. Where communication is proxied via Cloudflare, strictly enforced TLS is used.
We protect Accounts from brute force attacks with rate limiting and automated Account locking. Passwords are one-way encrypted using bcrypt before being stored and are required to satisfy our password rules to ensure high-entropy.
Cleartext user password information is always sent over secure channels and never stored or logged. We also make sure not to store cleartext username information with login attempts where there may be a chance password data was accidentally entered in the wrong field.
If you have a concern or information regarding the security of our sites and systems, we want to know. Please email [email protected].
If you have sensitive information to share please do not include it with your initial contact, we will work with you to ensure the information is transferred to us in the most appropriate and secure way.
We may modify this Policy from time to time, and will publish the most current version on our site. To help you we include the last updated/effective date at the start of the document.
version 1.0