Privacy, security, availability and GDPR

Your information is kept confidential

  • Access control. Turbine enforces access control so that only authorised users within your company can see employee data (e.g. team leaders can only see their team’s information). Similarly, we restrict access within Turbine to a limited number of authorised personnel.
  • Data protection. We are subject to the UK’s Data Protection Act and GDPR. Our registration number is Z3184053. We take our responsibilities very seriously, for example with staff security training. For more information see our privacy policy.
  • Data sovereignty. Our servers are hosted by DigitalOcean in the Netherlands. We also use Amazon S3 for file storage and they are participants in the EU Safe Harbour programme.

Your information is secure

  • Encryption. We use SSL to encrypt ALL communications between your browser and our servers, the same technology that banks use to protect your credit card data.
  • Safe payments. We use Stripe to process credit card payments and GoCardless to process direct debits. We don’t store any credit card information on our system at all.
  • Physical protection. Our application is hosted in a state-of-the-art data centre with:
    • Internal and external HD CCTV cameras
    • Access control with biometric authentication
    • Intruder and door tampering alarms
    • 24/7 on-site staffing.

Turbine will be there when you need it

  • Redundancy. Our application is hosted in data centres with multiple, redundant data connections, carrier-grade routers, 24/7 network operations centres, duplicate power supplies, UPSs and generators.
  • Backup. We back up the application, website and data regularly throughout the day.
  • Monitoring. We have multiple, overlapping monitoring services for the application, including:
    • Website-level monitoring. If the site is unavailable for more than five minutes, senior Turbine staff get emails and text messages.
    • Application-level monitoring. We monitor the application performance and availability at a low level. Our system sends alerts if there are problems but it also allows us to track trends over time and take preventative action.


  • We have reviewed our platform and tool suppliers for GDPR compliance. Details as follows:
    • SendGrid (for application emails)
    • Stripe (for client payments)
    • DigitalOcean (for application hosting)
    • HubSpot (for marketing, website hosting and customer support)
    • AWS (for storing uploaded files)
    • GoCardless (for UK direct debit customers)
  • We may keep closed or expired accounts for up to five years in case a client wants to reactivate them, for example to retrieve information. We can permanently delete client accounts on request.
  • Turbine retains details of individual employees even after they have left their employer. There is a legitimate interest in doing so, for record-keeping and so on. However, there is an option to permanently delete them if required.