GDPR Statement - Expresso

Expresso and the General Data Protection Regulation

Expresso is a division of Pulse Business Software Limited

How the GDPR affects your Expresso Installation

June 2019

Version: 2.2

Author: Riaan van Rooyen


The General Data Protection Regulation (GDPR) was passed into law by the European Union Parliament in April 2016, with enforcement date beginning May 25, 2018.

This document tells you how your company’s use of Expresso is affected by the General Data Protection Regulation.

Where your Expresso is Hosted

Your Expresso installation is hosted on Microsoft’s Azure platform in UK South (London).


Data in Your Expresso Installation about your employees, customers and suppliers

The personal information stored in your Expresso Installation is under your control (In GDPR terms, you are the controller and processor), and can include:

  • Names, surnames, physical addresses, e-mail addresses, telephone numbers of your employees, customers and suppliers.
  • User names and passwords (encrypted).
  • Any information you or your employees record in its data fields
  • Attachments (files) uploaded by you or your employees

You should have your own GDPR policies and procedures in place relating to your storage and processing of customer and supplier data, because your business may have multiple data repositories and processes besides your Expresso installation.

If you use your Expresso installation to e-mail or send text messages to customers, you should ascertain that they have consented to the communication.


Data in Pulse Business Software’s support portal about you and your employees

In order to support you and your team, Pulse Business Software holds information about you and your employees (but not your customers or suppliers). The information we hold is:

  • Names, Surnames, E-mail Addresses, Telephone Numbers
  • User names and passwords (encrypted).

We do not share this information with any other companies or individuals.

Personal data will be destroyed on request, but we will be unable to support an Expresso user whose personal data is not on record.

This data is stored in secure data centres in the UK and South Africa. The specific data centre addresses are available on request. Please e-mail

By continuing to use Expresso, you consent to this information being kept by Pulse Business Software. If you would like us to provide you with the specific information held relating to your company, please e-mail, and it will be provided to you in Microsoft Excel or CSV format.

Shared Data Security Responsibilities

As a Hosted service provider (cloud provider), we take responsibility for the following:

  • Physical Security
  • Host infrastructure
  • Network controls
  • Application level Controls

Your responsibilities are:

  • Identity & access management
  • Data classification & accountability

What this means is that your business takes responsibility for granting, revoking and changing access rights to log in to your installation of Expresso, as well as remaining accountable for personal data that you store and process in your Expresso installation.

Notification, Records Maintenance, Reporting

Notification of personal data breach to a competent supervisory authority

Should a data breach occur, in which personal information is compromised, Expresso will report such breach to you and the relevant authority within 72 hours.

Maintain Record of Processing Activities

Where personal data is processed by Expresso Business Software, an audit trail is recorded.

Data Protection Impact Assessments

The data stored and processed by Expresso is not likely to result in a risk to the rights and freedoms of individuals. However, as new processes are developed, the impact of these processes will be assessed to establish their effect on individuals. If relevant, an Impact Assessment statement will be included in the release notes of newer versions of the software.