Is Purple Seven a data processor or a data controller?

For our clients, we act as a data processor meaning that we process your customer  data on your behalf, in accordance with our Standard Terms and Conditions.

For our staff and job applicants, we are a data controller. 

Have you appointed a Data Protection Officer?

Any queries about our data protection policies and processes can be directed to Data Privacy Manager

How do you comply with the requirements of the GDPR principles?

Data security is at the very core of who we are and what we do. Having the largest dataset of consumers and arts & culture behaviour comes with a significant responsibility to ensure that we have world class security in place.

But security isn’t just about ensuring that the data is stored in a secure location. It’s about ensuring that all areas of potential risk are mitigated against to the highest level to ensure that our clients data will always be safe.

We’ve invested heavily in a highly secure infrastructure. We have our own private cloud, use two factor authentication, our staff are well trained, we have robust polices in place, we have a professional firm proactively and constantly monitoring for unusual activity, you are empowered to raise concerns without judgment or recrimination, we stay up-to-date with the latest legislation and threats, and above all we are never complacent.

When our clients send us their data, they can be sure that we will safeguard it just as well as they do – and in the majority of cases we provide a far superior level of security.

Will I be notified in the event of a breach?

If we discover a breach, the data controller concerned will be notified. We have a robust breach management procedure that all our staff are familiar with. 

If you discover a breach involving your usage of our systems, we ask that you contact us at the earliest opportunity so that we can help contain the impact.

email us or call 0203 0211 644 

How do you handle subject access requests?

Purple Seven acts as a data processor on behalf of its clients so we are not able to process SARs on your behalf. If we receive a SAR from one of your customers we will forward the request to you. 

We have available a number of audit reports within Vital Statistics that may assist you in responding to a SAR. 

How do you ensure you meet the privacy by design requirements?

User Systems

Security and privacy has been built into all our systems from the beginning of Purple Seven and have been upgraded over time. 

Client accounts have unlimited users, each with their own login credentials so there is no financial reason for a client to share login details and we strongly discourage this. 

Each client can nominate an Administrator for their account who can manage all user accounts - creating   new ones and deleting old ones as staff change. 

NEW IN 2018 We have introduced user permission profiles so an Administrator can decide if users are able to see and / or download customer data. This adds a further level of checks and balances for your organisation to manage your customer data. 

P7 Infrastructure

The infrastructure on which our client systems are accessed is cloud based. As such, no customer data is ever downloaded or stored onto local computers. 

Access to the infrastructure is only available to trained staff at Purple Seven and, on occasion, sub-contractors working under contract with Purple Seven. All are trained and experienced in their fields or data analysis or software development. 

All 'back end' systems require two factor authentication to be accessed.

Where is my data stored?

Our data infrastructure is provided by Millennia IT

Millennia only uses data centres in the UK so you are assured that your data will not be held globally.  

All data centres are accredited to ISO9001:2008 and ISO27001:2013 and all have redundant 10Gbit/s fibre connections.

Servers are located in the UK: 


DC4 Leicester, Iomart Hosting Ltd, 16 Berkley St, Leicester, LE1 4AT


Iomart Nottingham, 2-6 Fishergate, Nottingham, NG1 1FY

Millennia's server infrastructure benefits from:

Should I have a Data Sharing agreement with you?

No. Purple Seven is a data processor and acts only on your behalf. As such, you require a Processing Agreement and this is encapsulated within our Standard T&C's. This document sets out the purpose for us having the data, what we will do with it, how it is managed while we have it and what happens at the end of the agreement. 

Purple Seven does not share your data unless you instruct us to. If that is the case, for example you share information with Touring Companies or your regional Audience Development Agency, the sharing agreement explaining what you will share, the legal basis and purpose for the share etc, will be between your organisation and the recipient of your data.

We will ask you to complete a Data Sharing Instruction which is a brief form outlining your instruction to us to share your data. This will be kept on file as part of our audit process. 

What is the journey of my data?

We have developed a small software application called the Daily Data Extractor (DDX) that is compatible with most ticketing systems in use in the UK. 

Overnight, every night it transfers customer and ticketing data from your ticketing server  - which might be hosted by your ticketing provider or local) to our secure servers.  

Data is extracted using the automated software from the ticketing database. You are able to restrict access to the database tables that we are allowed to read from. Software extracts data, encrypts and compresses before sending securely over SSL. Data is sent via SSL tunnel to a webservice hosted on our private domain. This is secured by an SSL certificate providing 2048 bit encryption.

On our servers, your organisation has its own database that can only be accessed by trained Purple Seven staff or by nominated members of your team through a front end application (if you have a subscription with us).