Security policy
and data processing lifecycle
Last updated: June 2025
1. Regulatory foundation
We operate under UK GDPR and the Data Protection Act 2018, ensuring all personal data processing is compliant.
2. Data processing lifecycle controls
a. Data collection and receipt
We only collect data necessary for providing services (e.g. emails, project assets, analytics) and inform clients about purposes and lawful bases (e.g. contractual necessity, consent, legitimate interest).
b. Storage and access controls
Personal and business data are held securely using appropriate technical and organisational measures, designed to prevent unauthorised access, alteration, loss, or disclosure.
c. Use and processing
Access to data is restricted to those who need it (e.g. internal team members, trusted third-party service providers under contract). All processing activities are documented and lawful.
d. Transmission and sharing
When sharing data with third-party providers (e.g. IT support, accountants), we use secure channels and ensure they are bound by data protection obligations to preserve confidentiality and integrity.
e. Retention and disposal
Data is retained only as long as needed for its original purpose or legal/regulatory requirements (e.g. accounting). Upon expiry of retention periods, personal data is securely deleted or anonymised.
3. Supporting measures
Technical safeguards such as encryption (whole‑disk, TLS), access logging and routine backups.
Organisational measures, including staff training, internal policies, and regular reviews to ensure continuing effectiveness.
All third-party vendors are evaluated to ensure compliance with our security expectations.
4. Assurance and governance
We review and update our privacy and security policies periodically (last update: June 2025) and communicate any significant changes proactively.
Data subject rights (e.g. access, rectification, erasure) are actively supported, with processes in place for responding to requests promptly.
Contact us
If you have any questions about this Security and data processing policy or how we handle your personal data, please contact us at:
Outthought
Fuel Studios
Pottergate
Norwich. NR2 1DX
