Procurement & Compliance
Supplier Information
Infrastructure, data residency, security, and UK GDPR documentation for evaluating teams
| Business Details | |
|---|---|
| Trading name | Archives Hosting UK |
| Contact | Matthew Bruton, Archivist & Technical Consultant |
| Email | info@archiveshosting.co.uk |
| Website | archiveshosting.co.uk |
| Specialisation | Managed hosting for open-source archival and library software — AtoM, ArchivesSpace, eScriptorium, Archivematica, IIIF |
| Clients served | Religious archives, county record offices, university special collections, diocesan archives, charities |
Infrastructure & Data Residency
Server location
Production servers are located in Linode/Akamai data centres within the European Economic Area. UK institutions whose data residency requirements demand UK-soil storage can be accommodated — please discuss at enquiry stage.
Infrastructure
All managed hosting instances run on dedicated or isolated virtual machines. Shared tenancy (where one client's data is on the same machine as another's) is not used for archival catalogue data. Each client's database, file storage, and application configuration are isolated at the OS level.
Backups
Daily automated database backups with at least 30-day retention. Weekly full-instance snapshots. Backups are stored in a separate geographic location from the production server. Restoration is tested on request.
Uptime
We target 99.5% monthly uptime for hosted catalogue instances. Planned maintenance windows are communicated in advance by email.
Security Practices
| Control | Status | Detail |
|---|---|---|
| TLS encryption in transit (HTTPS) | Standard | All hosted instances |
| Encryption at rest | Standard | All storage volumes encrypted |
| SSH key-only access | Standard | Password login disabled on all servers |
| Firewall (UFW/iptables) | Standard | Minimal open ports (80, 443, client-specific) |
| Intrusion detection / fail2ban | Standard | Automated blocking of brute-force and probe attempts |
| OS security patching | Standard | Applied within 7 days of release for critical CVEs |
| Application updates | Standard | AtoM, ArchivesSpace, eScriptorium kept on current stable releases |
| Penetration testing | Planned | Annual third-party pentest (2026/27) |
| Cyber Essentials certification | Planned | Certification in progress |
| G-Cloud listing | Planned | Application in progress |
Access controls, incident response procedures, and supplier security questionnaire responses are available on request for tendering purposes.
UK GDPR & Data Protection
Archives Hosting UK acts as a data processor in respect of any personal data held in hosted catalogue systems. The institution (archive, diocese, university, or council) remains the data controller and is responsible for determining the purposes and lawful basis for processing.
A Data Processing Agreement (DPA) compliant with Article 28 of UK GDPR is available and is signed with all clients before a hosted service goes live. The DPA template below may be used as the basis for that agreement, or institutions may substitute their own standard supplier DPA.
Data Processing Agreement — Template
This template reflects the standard terms offered by Archives Hosting UK. It is provided for transparency and to assist procurement teams in assessing compliance before a formal engagement begins. The signed agreement will be countersigned by Matthew Bruton on behalf of Archives Hosting UK.
Parties
Data Controller: [Institution name and registered address]
Data Processor: Archives Hosting UK, operated by Matthew Bruton (info@archiveshosting.co.uk)
Subject Matter and Duration
The Processor provides managed hosting for open-source archival software (AtoM, ArchivesSpace, eScriptorium, or other agreed platforms) on behalf of the Controller. This DPA remains in effect for the duration of the hosting agreement and for the period required by law thereafter.
Nature and Purpose of Processing
Storing, making available, and backing up archival catalogue data entered by or on behalf of the Controller, including any personal data contained in archival descriptions, authority records, accession records, or digitised documents.
Types of Personal Data
Names of persons referenced in archival records; dates of birth or death where held; names and contact details of archival researchers (where the Controller uses the hosted system's researcher registration module); photographs or digitised documents containing personal data. Sensitive categories of data (health, ethnicity, religion) may be present in historical records.
Processor Obligations
| Obligation | How Met |
|---|---|
| Process only on documented instructions | Processor will not access, export, or process the Controller's data except as required to provide and maintain the hosted service, or as instructed in writing by the Controller |
| Ensure confidentiality | Staff and contractors with access to hosted systems are bound by confidentiality obligations |
| Implement appropriate technical and organisational measures | Encryption in transit and at rest, SSH key access, firewall, automated intrusion detection, patching — as described in the Security Practices section above |
| Assist with subject access requests | Processor will provide reasonable assistance in locating and extracting data required to respond to data subject rights requests |
| Breach notification | The Processor will notify the Controller without undue delay (and within 72 hours where possible) of any personal data breach affecting the hosted system |
| Sub-processors | Infrastructure is hosted on Linode/Akamai (EEA data centres). No other sub-processors have access to Controller data. The Controller will be notified of any change to sub-processors at least 30 days in advance |
| International transfers | Data is stored and processed within the EEA. No transfers to third countries are made without the Controller's prior written consent |
| Audit and accountability | The Processor will provide reasonable assistance to the Controller in meeting its accountability obligations and will make available information necessary to demonstrate compliance with this Agreement |
| Deletion or return on termination | On termination of the hosting agreement, the Processor will provide a full data export in an agreed open format (SQL dump, CSV, EAD XML, or equivalent) and will then delete all copies of the Controller's data within 30 days unless longer retention is required by law |
Signatures
For the Controller: _________________________ Date: _________
For the Processor (Archives Hosting UK): Matthew Bruton Date: _________
Certifications & Frameworks
We are a small specialist supplier. The table below gives an honest picture of where we currently stand against common UK public sector procurement requirements.
| Requirement | Status |
|---|---|
| UK GDPR Article 28 DPA | Available now |
| Cyber Essentials | In progress — certification expected 2026 |
| Cyber Essentials Plus | Planned — following CE certification |
| ISO 27001 | Not held — available from sub-processor (Linode/Akamai) |
| G-Cloud (Crown Commercial Service) | Application in progress |
| Public Contracts Regulations 2015 / PCR2006 compliance | As a supplier below the PCR threshold, standard procurement rules apply. We can participate in direct award or mini-competition processes below OJEU/FTS thresholds |
For institutions that require Cyber Essentials or G-Cloud listing before engagement is possible, we are happy to discuss timeline and to be included on a shortlist for when certification is complete. Contact us at info@archiveshosting.co.uk.
Business Continuity
We recognise that, for a small supplier, business continuity is a legitimate procurement concern. The following measures are in place:
- Data portability is guaranteed. All hosted systems use open formats and open-source software. At any point — including on contract termination — clients can receive a full export of their data in standard formats (SQL, EAD XML, CSV, METS/PREMIS, ALTO XML). You are never locked into our hosting.
- Self-hosting is always an option. Because the underlying software (AtoM, ArchivesSpace, eScriptorium) is open-source, any institution can take their data export and stand it up on their own infrastructure or with another provider. We can provide migration assistance for this if required.
- 30-day termination notice period with full data export included as standard in all agreements.
- Documented infrastructure. Full server configuration documentation is maintained so that a handover to another provider or in-house team is possible with reasonable notice.
Request Documents or Ask a Question
If you need a completed supplier questionnaire, a signed DPA, specific security documentation, or have a procurement question not answered here, please contact us directly.