Data Security Policy
Introduction
This Data Security Policy sets out the principles and commitments that underpin our approach to managing information securely across all areas of our business. It reflects our organisation’s dedication to protecting data assets—whether physical or digital—from unauthorised access, loss, disclosure, alteration, or destruction.
The purpose of this policy is to:
- Establish a clear and consistent framework for securing data, in line with our business objectives and risks.
- Define responsibilities for employees, contractors, and third parties in safeguarding sensitive information.
- Demonstrate our commitment to compliance with relevant data protection laws and industry regulations.
- Promote a security-first culture that prioritises awareness, accountability, and continuous improvement in data protection practices.
This policy applies to all forms of data, regardless of format or location, and is designed to protect the confidentiality, integrity, and availability (CIA) of information assets.
It is aligned with leading security frameworks, including applicable legal requirements such as the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Security is a shared responsibility. Everyone within the organisation has a role to play in maintaining a secure environment, and this policy serves as the foundation for the rules, procedures, and behaviours expected of all individuals handling organisational data.
Scope
This policy applies to all individuals, systems, and processes that interact with or manage data on behalf of the organisation. It is mandatory for:
- All employees (permanent, temporary, and contract staff),
- Contractors, consultants, and interns,
- Third-party service providers and business partners with access to organisational data,
- Any other individuals or entities acting on behalf of the organisation.
This policy governs the handling, processing, transmission, storage, and disposal of data across all physical and digital environments within the organisation, including but not limited to:
- On-site corporate offices,
- Remote working environments,
- Mobile devices and endpoints,
- Cloud-based platforms and services,
- Third-party managed systems and infrastructure.
It applies to all categories of data created, received, stored, or transmitted in the course of business operations, including:
- Public Data: Information that is authorised for public release and poses no risk if disclosed.
- Internal Data: Operational data not intended for public dissemination but not classified as sensitive.
- Confidential Data: Proprietary or sensitive business data whose unauthorised disclosure could harm the organisation or individuals.
- Personally Identifiable Information (PII): Any data that can be used to identify an individual, either alone or in combination with other data.
This policy is global in scope and must be adhered to in all jurisdictions where the organisation operates, taking into account local data protection laws and regulatory requirements.
Data Classification
Effective data security begins with accurate data classification. All information assets must be categorised based on their sensitivity, value, and legal or regulatory obligations. This classification determines the level of protection and handling procedures required.
Classification Levels
The organisation recognises the following data classification levels:
- Public
Information intended for public dissemination. Disclosure poses no risk to the organisation.
Examples: marketing brochures, published reports, job advertisements.
- Internal
Non-sensitive information restricted to internal use. Unauthorised disclosure may cause limited inconvenience or reputational harm.
Examples: internal emails, meeting notes, standard operating procedures.
- Confidential
Sensitive business information requiring protection from unauthorised access. Disclosure could result in financial loss, reputational damage, or breach of contractual obligations.
Examples: client contracts, financial records, proprietary strategies.
- Personally Identifiable Information (PII)
Any data that can directly or indirectly identify an individual. This includes sensitive personal information that must be protected in accordance with applicable privacy laws.
Examples: names, addresses, National Insurance numbers, health records.
Responsibilities
- All employees and third parties must understand the classification system and apply it appropriately to the data they handle.
- Data owners are responsible for assigning the correct classification level to data under their control.
- Information Security and Compliance teams are responsible for providing guidance, training, and oversight.
Handling Requirements
Each classification level requires distinct handling controls, which may include:
| Classification | Access Control | Storage Requirements | Transmission | Disposal |
|---|---|---|---|---|
| Public | Open access | No restrictions | Unrestricted | Standard deletion |
| Internal | Limited access | Company-controlled systems | Secure email or file transfer | Approved deletion procedures |
| Confidential | Role-based access | Encrypted storage | Encrypted transmission | Secure wiping/shredding |
| PII | Strict access controls | Encrypted & access-logged | Encrypted with compliance safeguards | Certified data destruction |
Access Control
Access controls are fundamental to safeguarding the confidentiality, integrity, and availability of our information assets. This section outlines the policies and procedures for managing access to organisational systems and data, ensuring that only authorised individuals have appropriate levels of access based on their roles and responsibilities.
Access Control
The Access Control measures include:
- Defined Roles and Responsibilities: Access rights are clearly delineated by job function, so that individuals have access only to the information necessary for their duties.
- Principle of Least Privilege: Access rights are granted to the minimum extent necessary, reducing the risk of unauthorised access or data breaches.
- Regular Review of Access Rights: Access permissions are reviewed periodically, and in particular when an employee’s role changes or upon termination of employment.
User Authentication and Authorisation
To verify user identities and control access:
- Secure Authentication Methods: We utilise strong authentication mechanisms, including complex passwords and, where appropriate, biometric verification.
- Multi-Factor Authentication (MFA): We implement MFA for accessing sensitive systems and data, adding an extra layer of security through authenticator apps and SMS verification.
- Session Management: We ensure devices enforce automatic session timeouts, screen locks, and re-authentication after periods of inactivity.
User Access Management
Procedures are in place to manage user access effectively:
- User Registration and De-registration: Formal processes for granting and revoking access rights, ensuring timely updates to access permissions.
- Access Approval: Access requests are subject to approval by designated senior management, based on the user’s role and necessity.
- Monitoring and Logging: All access to systems and data is logged and monitored to detect and respond to unauthorised access attempts.
Physical and Environmental Security
Physical access to facilities and systems is controlled to prevent unauthorised access:
- Access Controls: Secure areas are protected by access control mechanisms, including controlled key management and access to the security system.
- Visitor Management: Visitors are required to be escorted in restricted areas.
- Equipment Security: Measures are in place to protect equipment from environmental threats and unauthorised access.
Third-Party Access
Access by third parties is managed carefully:
- Contractual Agreements: Third parties with access to organisational data must sign agreements outlining their security responsibilities.
- Access Restrictions: Third-party access is limited to the minimum necessary and is monitored for compliance.
- Periodic Reviews: Access rights of third parties are reviewed regularly to ensure continued necessity and compliance.
Data Storage & Transmission
All organisational data is stored and managed using secure, cloud-based infrastructure provided by reputable third-party service providers. This model ensures that data benefits from enterprise-grade security, continuous availability, and compliance with internationally recognised standards.
Secure Cloud-Based Data Storage
All files and data, regardless of classification, are hosted on approved cloud platforms (e.g. Google Cloud) that adhere to strict data security and privacy standards.
Key storage practices include:
- Encryption at Rest: All data is encrypted using industry-standard encryption algorithms (e.g. AES-256) as per the cloud provider’s security protocols.
- Provider Compliance: Cloud services used must hold certifications such as ISO/IEC 27001, SOC 2, and comply with UK GDPR, the UK Data Protection Act 2018, and other applicable regulations.
- Geographical Controls: Data residency and localisation requirements are enforced by selecting appropriate data centre regions.
- Redundancy and Availability: Cloud platforms provide automated redundancy, failover mechanisms, and high availability to ensure data resilience.
The organisation retains responsibility for defining access rights and configuring security controls within the cloud environment.
Access Control within Cloud Platforms
- Centralised Access Management: User access to cloud-hosted data is controlled via a centralised identity and access management (IAM) platform, integrated with single sign-on (SSO) and multi-factor authentication (MFA).
- Role-Based Access: Access to data is granted based on clearly defined user roles and the principle of least privilege.
- Audit and Monitoring: All access and administrative actions within cloud systems are logged and regularly reviewed to detect anomalies or unauthorised activity.
- Third-Party Access: External collaborators may only access designated areas of the cloud environment with explicit approval, time-bound access, and under monitored conditions.
Secure Data Transmission
- Encryption in Transit: All data transmitted between users and the cloud environment is encrypted using secure protocols such as TLS 1.2 or higher, ensuring confidentiality during transfer.
- Secure File Sharing: Approved tools and platforms are used for sharing data externally, with link expiry, password protection, and access logging enabled where appropriate.
- Mobile and Remote Access: Access to cloud services from mobile devices or remote locations is protected through secure channels.
Data Lifecycle and Retention
- Storage Boundaries: Users must not download or store sensitive data outside the approved cloud systems unless explicitly authorised.
- Retention Policies: Data is retained in accordance with organisational policy and legal obligations. Archival and deletion are automated where possible.
- Secure Disposal: Data that reaches the end of its lifecycle is securely deleted using the cloud provider’s certified deletion processes.
Password Policies
Passwords remain a foundational element of digital identity and access security. In conjunction with multi-factor authentication (MFA), strong password practices are enforced to prevent unauthorised access to cloud-based systems and sensitive organisational data.
These policies apply to all users accessing company systems, services, or data, whether on-site or remotely.
Password Strength Requirements
All passwords used to access organisational systems must meet the following minimum requirements:
- Minimum Length: At least 12 characters.
- Complexity: Must contain a mix of:
- Upper and lower-case letters,
- Numbers,
- Special characters (e.g., !, @, £, %).
- Avoid Common Passwords: Passwords must not contain dictionary words, sequential patterns (e.g., 123456), or easily guessable personal information (e.g., name, birthdate).
- Unique per Account: Users must not reuse passwords across different systems or services.
Password Storage and Management
- Encrypted Storage: Passwords must never be stored in plain text. They must be hashed using secure cryptographic algorithms (e.g., bcrypt or SHA-256 with salt).
- Password Managers: Employees are encouraged to use approved password management tools to securely store and generate strong passwords.
- No Credential Sharing: Password sharing between users is strictly prohibited.
Password Rotation and Expiry
- Rotation Period: Passwords must be changed every 180 days, or sooner if there is any indication of compromise.
- Forced Reset: Passwords must be reset immediately if suspected to be exposed, weak, or compromised.
- Change on First Use: System-generated or temporary passwords must be changed upon first login.
Failed Login Handling and Lockout
- Login Attempt Limits: User accounts are locked after five consecutive failed login attempts.
- Lockout Duration: Accounts remain locked for a defined cooldown period (e.g., 15 minutes) or until reactivated by authorised IT personnel.
- Reset Process: Users must follow the secure password reset process, which includes identity verification.
Administrative and Privileged Accounts
- Stronger Requirements: Passwords for administrative or privileged accounts must exceed baseline requirements (e.g., 16+ characters, passphrases preferred).
- PAM Enforcement: Use of Privileged Access Management (PAM) solutions is required to secure and monitor these credentials.
- Dedicated Accounts: Administrators must use separate accounts for privileged tasks versus routine access.
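The following is an added example, not part of the policy document: a checker for the Password Strength Requirements stated above (12 characters minimum, the four character classes, no dictionary words, sequential patterns or personal information, 16 characters for privileged accounts) together with a tracker for the five-attempt, 15-minute lockout rule. The COMMON_WORDS list, the function names and the sample inputs are constructed for illustration.

```python
# Added example: enforces the policy's password requirements and failed-login lockout.
# COMMON_WORDS is a constructed stand-in for a real dictionary / breached-password list.

MIN_LENGTH = 12             # baseline requirement for all accounts
PRIVILEGED_MIN_LENGTH = 16  # administrative / privileged accounts
MAX_FAILED_ATTEMPTS = 5     # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60   # cooldown period before automatic reactivation

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "company"}


def _has_sequential_run(password, run=4):
    """True if any `run` adjacent characters step by +1, -1 or 0 (e.g. 1234, dcba, aaaa)."""
    lower = password.lower()
    for i in range(len(lower) - run + 1):
        window = lower[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(password, personal_info=(), privileged=False):
    """Return a list of policy violations; an empty list means the password is compliant."""
    problems = []
    min_len = PRIVILEGED_MIN_LENGTH if privileged else MIN_LENGTH
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Anything that is neither alphanumeric nor whitespace counts as a special character (!, @, £, %).
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special character")
    lower = password.lower()
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a dictionary/common word")
    if _has_sequential_run(password):
        problems.append("contains a sequential or repeated pattern")
    # Personal details (name, birth year, ...) are supplied by the caller; very short items are ignored.
    if any(len(item) >= 3 and item.lower() in lower for item in personal_info):
        problems.append("contains personal information")
    return problems


class LockoutTracker:
    """Locks an account after MAX_FAILED_ATTEMPTS consecutive failures for LOCKOUT_SECONDS."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time (seconds) at which the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now):
        """Record a failed login at time `now` (seconds); return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return True
        self._failures[user] = count
        return False

    def record_success(self, user):
        """A successful login (only attempted while not locked) clears the failure counter."""
        self._failures.pop(user, None)

    def unlock(self, user):
        """Manual reactivation by authorised IT personnel, as the policy allows."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    print(check_password("password1234", personal_info=("Alice",)))
    tracker = LockoutTracker()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print("locked:", tracker.record_failure("alice", now=1_700_000_000 + attempt))
```

Callers should check `is_locked` before attempting authentication, and only call `record_success` after a successful, unlocked login.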
User Education and Awareness
- Regular training is provided on:
- Identifying and avoiding phishing attempts,
- Best practices for creating secure passwords,
- Use of password managers and MFA.
Security Training & Awareness
Ensuring that all employees, contractors, and relevant third parties are well-informed about security risks and best practices is essential for maintaining a strong defence against data breaches and cyber threats. This section outlines the organisation’s commitment to continuous security education and awareness.
Employee Training Programs
- Mandatory Induction Training:
All new starters must complete a comprehensive security training module during onboarding, covering topics such as:
- Data classification and handling,
- Password and access control policies,
- Phishing awareness and social engineering risks,
- Cloud security responsibilities.
- Role-Based Training:
Tailored security training is provided based on job functions, with more advanced or specialised training for roles involving system administration, data handling, and third-party management.
- Ongoing Education:
Regular refresher courses are mandated for all personnel at least annually, ensuring knowledge remains current and aligned with emerging threats and regulatory updates.
Periodic Awareness Campaigns
- Regular Campaigns:
Quarterly campaigns are run to reinforce key security messages, such as:
- Recognising phishing and scam emails,
- Reporting suspicious activity,
- Protecting sensitive data in cloud environments,
- Secure use of mobile and remote working tools.
- Engaging Materials:
Diverse formats (videos, quizzes, newsletters, posters, and interactive workshops) are used to maintain engagement and cater to different learning styles.
- Simulated Exercises:
Simulated phishing campaigns and social engineering tests are conducted to measure awareness and response effectiveness, followed by targeted coaching for individuals or teams as needed.
Third-Party Awareness
- Security Briefings:
Contractors and third-party vendors must receive relevant security training aligned with their access and responsibilities.
- Access Conditions:
Completion of security training may be a prerequisite for access to sensitive systems or data.
Reporting and Feedback
- Open Reporting Culture:
Prompt reporting of security incidents, near misses, and suspicious activities is encouraged, without fear of reprisal.
- Feedback Loops:
Channels are provided for employees to ask questions or give feedback on security policies and training effectiveness, facilitating continuous improvement.
Incident Response
Effective incident response is crucial to minimise the impact of security breaches, protect organisational assets, and ensure swift recovery. This section defines the procedures and responsibilities for identifying, reporting, managing, and resolving security incidents.
Incident Reporting Procedures
- Immediate Reporting:
All employees, contractors, and third parties must report any suspected or confirmed security incidents without delay through designated channels.
- Reporting Channels:
- Report to: Shane Appleyard
- Hotline or direct phone line for urgent incidents: 07429650456
- Email to the dedicated security team address: help@foxaai.co.uk
- Incident Description:
Reports should include:
- Nature of the incident,
- Time and date of detection,
- Systems and data potentially affected,
- Actions taken so far.
- Confidentiality:
All reports are treated confidentially to encourage openness and avoid delay.
Incident Classification and Prioritisation
- Severity Levels:
Incidents are categorised based on impact and urgency (e.g., Low, Medium, High, Critical).
- Criteria Considered:
- Data sensitivity involved,
- Number of users/systems affected,
- Potential for data loss, leakage, or corruption,
- Regulatory and legal implications.
- Triage Process:
The incident response team conducts initial triage to prioritise resource allocation.
Escalation Protocols
- Defined Escalation Paths:
Incidents are escalated according to severity and impact:
- Low severity: Handled by IT support or system owners,
- Medium severity: Escalated to security team for investigation,
- High/Critical severity: Immediate escalation to senior management, legal, and compliance teams.
- External Reporting:
When required by law or contractual obligations, incidents must be reported to:
- Affected customers or partners,
- Law enforcement, as appropriate.
Incident Response Team Responsibilities
- Detection and Analysis:
Identify the root cause and scope of the incident using logs, monitoring tools, and forensic techniques.
- Containment and Mitigation:
Implement measures to contain the incident and prevent further damage (e.g., isolating affected systems, revoking access).
- Eradication and Recovery:
Remove threats, restore affected systems to normal operation, and verify integrity.
- Post-Incident Review:
Conduct a thorough review to document lessons learned and update controls to prevent recurrence.
Communication and Coordination
- Internal Communication:
Provide timely updates to stakeholders, ensuring clear and accurate information flow during incidents.
- External Communication:
Manage communications with customers, partners, media, and regulators to maintain transparency and trust.
Documentation and Reporting
- All incidents and actions taken must be documented comprehensively in an incident log.
- Incident reports should include timelines, decisions, outcomes, and recommendations for improvements.
Security Audits & Assessments
Regular security audits and vulnerability assessments are critical to verifying the effectiveness of our security controls, identifying weaknesses, and ensuring ongoing compliance with internal policies and external regulations.
Audits of Security Controls
- Scheduled Audits:
Comprehensive audits of security controls, policies, and procedures shall be conducted at least annually by qualified internal auditors or independent third parties.
- Scope of Audits:
Audits cover all relevant domains, including:
- Cloud infrastructure and configurations,
- Access control mechanisms,
- Data encryption and key management,
- Incident response effectiveness,
- Compliance with regulatory requirements (e.g., GDPR).
- Reporting and Remediation:
Findings shall be documented and communicated to senior management with clear remediation plans, deadlines, and responsibilities.
Vulnerability Assessments
- Regular Scanning:
Automated vulnerability scans of network, cloud environments, applications, and endpoints must be conducted at least quarterly.
- Penetration Testing:
Annual penetration testing by accredited third-party specialists shall be performed to simulate real-world attacks and uncover hidden vulnerabilities.
- Risk-Based Prioritisation:
Identified vulnerabilities are prioritised for remediation based on severity, exploitability, and potential business impact.
- Remediation and Verification:
Corrective actions must be implemented promptly, with follow-up scans or tests to verify effectiveness.
Compliance Audits
- Regulatory Compliance:
Conduct periodic compliance audits to confirm adherence to applicable legal and regulatory obligations such as GDPR.
- Policy Compliance:
Verify that organisational policies and employee practices conform to stated security policies.
Data Backups
Reliable data backup procedures are essential to ensure data integrity, availability, and resilience against data loss from cyberattacks, system failures, or accidental deletion. Our approach leverages the robust backup and version control capabilities inherent in the third-party cloud service providers we use to store and manage organisational data.
Backup and Version Control by Service Providers
- Inherent Backup Solutions:
Backups and data redundancy are provided as integral features by our trusted third-party cloud providers. These providers ensure continuous data protection through automated backups, snapshots, and versioning of files and databases.
- Version Control:
Cloud services maintain version histories of files and data objects, enabling recovery of previous versions and protection against accidental changes or ransomware attacks.
Disaster Recovery Integration
- Aligned with Provider Capabilities:
Our disaster recovery plans incorporate the inherent backup and versioning features of our cloud providers, enabling rapid data restoration and business continuity.
- Testing and Validation:
Periodic testing of data restoration from provider backups and versions is conducted to validate recovery processes.
Physical Security
While our data primarily resides in secure cloud environments, robust physical security controls remain essential to protect any on-premises infrastructure, hardware, and facilities that support our operations.
Physical Access Control
- Restricted Access Areas:
Access to areas with office computers is strictly limited to authorised personnel only.
- Visitor Management:
All visitors must be accompanied by authorised staff and are subject to the organisation’s security standards.
- Surveillance:
Continuous CCTV monitoring and recording of sensitive areas to deter and detect unauthorised access.
Protection of Hardware
- Secure Installation:
Critical hardware, such as office computers, is housed in locked, environmentally controlled rooms.
- Environmental Controls:
Temperature, humidity, and smoke detection sensors are in place to protect hardware from damage.
- Equipment Disposal:
Secure procedures for the disposal or repurposing of hardware ensure data is irretrievably destroyed.
Privacy Policies
Protecting personal data is a cornerstone of our commitment to privacy and compliance with applicable laws and regulations. While this Data Security Policy outlines overarching principles, a dedicated and detailed Privacy Policy is maintained and available for reference at: /policies/privacy-policy.
Commitment to Privacy
- We prioritise the lawful, fair, and transparent processing of personal data in accordance with global privacy regulations such as the UK GDPR.
- Personal data is collected and used strictly for legitimate business purposes, minimising data collection to only what is necessary.
Handling and Protection of Personal Data
- Personally Identifiable Information (PII) is classified and handled with the highest confidentiality and security standards.
- Data subject rights—including access, correction, and deletion—are respected and facilitated as described in the dedicated Privacy Policy.
- Data processing agreements are established with third parties processing personal data on our behalf to ensure consistent protection.
Compliance and Accountability
- Regular reviews ensure ongoing compliance with evolving privacy laws and regulations.
- Privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) are conducted for new projects or data processing activities involving personal data.
Training and Awareness
- Employees receive targeted training on data privacy principles and their role in safeguarding personal data.
Compliance
Maintaining compliance with all applicable laws, regulations, and industry standards is critical to our organisation’s integrity and trustworthiness. This section outlines our commitment and procedures to ensure ongoing compliance with data security requirements.
Declaration of Commitment
- Our organisation is fully committed to adhering to all relevant data protection laws, regulations, and industry best practices, including but not limited to:
- UK GDPR and related data protection legislation,
- The Data Protection Act 2018,
- The Network and Information Systems Regulations (NIS),
- Relevant sector-specific regulations.
Regulatory Monitoring and Updates
- We maintain an active monitoring process to stay informed of changes in legal and regulatory requirements that affect data security and privacy.
- Policies, procedures, and controls are reviewed and updated promptly to reflect any changes in legislation or industry standards.
Internal Compliance Audits
- Regular internal audits are conducted to assess adherence to data security policies and regulatory requirements.
- Non-compliance issues identified during audits are addressed through corrective action plans.
Training and Awareness
- Employees and contractors receive ongoing training to understand their compliance obligations and how to fulfil them effectively.
- Compliance awareness campaigns reinforce the importance of data security and regulatory adherence.
Documentation and Reporting
- Comprehensive documentation of compliance efforts, audit findings, and corrective actions is maintained for accountability and transparency.
- Regulatory reporting obligations are fulfilled accurately and within required timeframes.
Enforcement
Ensuring adherence to our Data Security Policy is vital for maintaining a secure and compliant environment. This section outlines the enforcement mechanisms, consequences for non-compliance, and disciplinary actions.
Consequences for Violations
- Any violation of this policy, whether intentional or accidental, may result in disciplinary action, up to and including termination of employment or contract.
- Violations that compromise data security or lead to breaches may also result in legal action, including criminal prosecution where applicable.
Disciplinary Actions
- Disciplinary measures will be applied fairly and consistently in accordance with organisational HR policies and relevant employment laws.
- Actions may include:
- Formal warnings,
- Suspension of access rights,
- Mandatory retraining on data security,
- Termination of employment or contractual agreements.
Reporting and Investigation
- All suspected violations must be reported promptly through designated channels.
- Reported incidents will be thoroughly investigated by the appropriate internal teams to establish facts and determine the appropriate response.
Enforcement Oversight
- A designated team or officer will oversee enforcement of the policy, ensuring that compliance is monitored and violations are addressed promptly.
- Enforcement activities will be documented to provide accountability and support continuous improvement.
Policy Review & Revision
To ensure continued relevance, effectiveness, and legal compliance, this Data Security Policy undergoes regular review and revision. It is essential that the policy reflects evolving security threats, business practices, technologies, and regulatory requirements.
Policy Effectiveness Review
- Scheduled Reviews:
The policy will be formally reviewed at least once per year by the designated security and compliance teams.
- Trigger-Based Reviews:
Interim reviews will occur in response to:
- Significant changes in laws or regulations,
- Major organisational changes (e.g., new systems, service providers),
- Security incidents or audit findings that indicate gaps in the policy,
- Technological advancements impacting current practices.
- Effectiveness Assessment:
Policy reviews will evaluate the effectiveness of existing controls, identify weaknesses, and recommend updates to improve coverage and clarity.
Communication of Revisions
- Internal Communication:
Any revisions to the policy will be clearly communicated to all employees, contractors, and relevant third parties. This may include:
- Email notifications,
- Policy briefings or workshops,
- Updated documentation in shared platforms or intranet systems.
- Acknowledgement of Changes:
All employees must acknowledge significant policy revisions to confirm they have read and understood the updated requirements.
Contacts
For all matters relating to data security—including reporting incidents, seeking guidance, or raising concerns—employees, contractors, and authorised third parties should use the following designated contacts and reporting channels.
Designated Security Contacts
- Data Protection Officer (DPO):
Name: Billie-Jo Spridgeon
Email: billiejo.spridgeon@prosureproperty.co.uk
Phone: 07342043618
Responsible for overseeing data protection strategy, privacy compliance, and responding to data subject requests.
- Information Security Manager:
Name: Shane Appleyard
Email: help@foxaai.co.uk
Phone: 07429650456
Responsible for handling technical security incidents and managing access control, audits, and encryption compliance.
- IT Support Desk:
Email: help@foxaai.co.uk
Phone: 07429650456
First point of contact for general IT and access-related security queries or issues.