Data Security Notice
Last updated: May 29, 2026
Security is not a side note for an IT consulting practice; it is the work. Clients trust us with access to the systems that run their businesses, and that trust shapes how we operate. This notice explains, in plain terms, how Karmion Grid protects the information and access we are given.
01 Scope of this notice
This notice covers the information you provide through our website and, more importantly, the data and system access you grant us during a consulting engagement. It complements our Privacy Policy, which deals specifically with personal information, and the confidentiality terms set out in each engagement agreement.
02 Principle of least access
We request only the access genuinely required to perform the agreed work, and only for as long as the work lasts. Where read-only access is sufficient, we ask for read-only access. We prefer scoped, time-limited, and individually attributable credentials over shared or standing ones, and we encourage clients to provision access that can be cleanly revoked.
03 How we handle credentials and access
- Credentials are stored only where necessary, in protected form, and never in plain text in casual locations such as email bodies or chat messages.
- We use multi-factor authentication on accounts that support it.
- Access granted for an engagement is returned or revoked promptly when the engagement ends, and we ask clients to confirm revocation on their side.
- We do not retain client credentials after a project closes.
04 Protecting information at rest and in transit
Information shared with us is transmitted over encrypted channels wherever the platform allows, and stored on protected systems. Working devices are kept up to date, protected by full-disk encryption and screen locks, and secured with current security software. We minimise copies of client data and remove working copies when they are no longer needed.
05 Confidentiality
Everything we learn about your environment during an engagement is treated as confidential. We use it solely to deliver the agreed work, we limit it to the people who need it to do that work, and we do not disclose it to anyone outside your organization except where you direct us to or where the law requires. Confidentiality obligations continue after the engagement ends.
06 Service providers
We rely on a small set of reputable providers for functions such as email, file storage, and website hosting. We choose providers that maintain strong security practices, and we configure the services we use with security in mind. These providers act on our instructions and are not permitted to use client information for their own purposes.
07 Incident response
No set of measures can eliminate risk entirely. If we become aware of a security incident affecting information you have shared with us, we will act quickly to contain it, assess what happened, and notify affected parties as required by law and by the terms of the engagement. We will share what we know, what we are doing about it, and what, if anything, you should do.
08 Your part
Security is shared. You can help keep an engagement safe by granting access through proper channels rather than informal ones, by using individual accounts rather than shared logins, by removing our access promptly when work concludes, and by telling us as early as possible if you suspect a credential has been exposed. We are glad to advise on any of this as part of our work.
09 Changes to this notice
As our tools and practices develop, and as the threat landscape changes, we may update this notice. The date at the top of the page shows the most recent revision.
Contact
To ask about our security practices or to report a concern, reach us using the details below.