Red Flag Alert Technology Group Data Security Notice

Security Notice

This Security Notice is incorporated into and made a part of Red Flag Alert’s Information Security Management System and, as such, any Agreements that RFA may have with its Vendors and Clients. RFA maintains a comprehensive documented security program that is based on industry standard security frameworks including ISO 27001 and ISO 27018 (the “ISMS”). Pursuant to the Security Program, RFA implements and maintains administrative, physical, and technical security measures to protect its Data and internal systems and processes and Support Services and the security and confidentiality of Customer Content (including any Customer Personal Data that may be contained therein) (each as defined in the Agreement) under RFA’s control that is processed by RFA in its provisioning of its Services (the “ISMS”). RFA’s compliance with this Notice shall be deemed to satisfy any more general measures included within any Agreement, including the Specific Terms. In accordance with its Security Program, RFA will, when any Customer Content is under its control: (i) comply with the Security Measures identified below with respect to such Customer Content, and (ii) where relevant, keep documentation of such Security Measures. RFA regularly tests and evaluates its Security Program and may review and update this Security Notice at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.

  1. Deployment Model

    1. Shared Responsibility. RFA operates in a shared responsibility model, where both RFA and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.

    2. Architecture. RFA is a hybrid platform-as-a-service offering. The components responsible for managing and controlling the Platform Services are referred to as the ‘RFA Control Plane’ and are hosted within an RFA Cloud Service Provider account. The compute resources that perform data processing operations are referred to as the “Data Plane”. For certain Cloud Service Providers, the Data Plane may either be deployed in the Customer’s Cloud Service Provider account (known as the ‘Customer Data Plane’) or, for RFA Serverless Compute, in an RFA-controlled Cloud Service Provider account (known as the ‘RFA Data Plane’). Data Plane shall refer to both Customer Data Plane and RFA Data Plane unless otherwise specified.

    3. Compute Resources. Compute resources are created and coordinated by the RFA Control Plane and deployed into the Data Plane. Compute resources are launched as new virtual machines that leverage the latest base image and RFA source code and do not have data from previous machines. When compute resources terminate, the data on their local hard drives is overwritten by RFA or by the Cloud Service Provider.

    4. Data Storage of Customer Content.

      1. Customer Data and Customer Results.
        1. Customer Control. Most Customer Data is stored within the Customer’s own Cloud Service Provider account at rest or within other Systems under Customer’s control.  Customer may choose where this Customer Data resides (other than the DBFS root, which is deployed into a storage bucket within the applicable Cloud Service Provider in the region in which the Data Plane is deployed).
        2. RFA Control.  Small amounts of Customer Data may be stored within the RFA Control Plane, including Customer Results and metadata about Customer Data (e.g., contained within the metastore). RFA offers Customers options regarding the storage of certain Customer Content within the Platform Services (e.g., the location of Customer Results created by the use of interactive notebooks).
      2. Customer Instructional Input. Customer Instructional Input is stored at rest within the RFA Control Plane.
  1. RFA’s Audits & Certifications. RFA uses independent third-party auditors to assess the RFA Security Program at least annually, as described in the following audits, regulatory standards, and certifications:
    1. ISO 27001
    2. ISO 27018
    3. ISO 9001
    4. Cyber Essentials +
  2. Administrative Controls
    1. Governance. RFA’s Chief Compliance Officer, in conjunction with the Chief Technical Officer, leads RFA’s Information Security Program and develops, reviews, and approves (together with other stakeholders, such as Legal, Human Resources and Finance as well as IT) RFA’s Security Policies (as defined below).
    2. Change Management. RFA maintains a documented change management policy, reviewed annually, which includes but is not limited to, evaluating changes of or relating to systems authentication.
    3. ISMS; Policies and Procedures. RFA has implemented a formal Information Security Management System (“ISMS”) in order to protect the confidentiality, integrity, authenticity, and availability of RFA’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations. The RFA Security Program implemented under the ISMS includes a comprehensive set of privacy and security policies and procedures developed and maintained by the security, legal, privacy, and information security teams (“Security Policies”). The Security Policies are aligned with information security standards (such as ISO 27001 and Cyber Essentials +) and cover topics including but not limited to: security controls when accessing RFA Services and Systems; confidentiality of Customer Content; acceptable use of company technology, systems and data; processes for reporting security incidents; and privacy and security best practices. The Security Policies are reviewed and updated annually.
    4. Employee Training. Employees receive comprehensive training on the Security Policies upon recruitment and refresher trainings are given annually. Employees are required to certify and agree to the Security Policies and Employees who violate the Security Policies are subject to disciplinary action, including warnings, suspension and up to (and including) termination.
    5. Employees Screening and Evaluation. All Employees undergo background checks prior to onboarding (as permitted by local law), which may include, but are not limited to, criminal record checks, employment history verification, education verification, and global sanctions and enforcement checks. Employees are required to sign confidentiality agreements.
    6. Monitoring & Logging. RFA employs monitoring and logging technology to help detect and prevent unauthorised access attempts to its network and equipment.
    7. Access Review. Active users with access to the Systems and Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the Employees offboarding process, all accesses are revoked and data assets are securely wiped.
    8. Third Party Risk Management. RFA assesses the security compliance of applicable third parties, including vendors and sub-processors, in order to measure and manage risk. This includes, but is not limited to, conducting a security risk assessment and due diligence prior to engagement and reviewing external audit reports from critical vendors at least annually. In addition, applicable vendors and sub-processors are required to sign a data processing agreement that includes compliance with applicable data protection laws, as well as confidentiality requirements.
  3. Physical and Environmental Controls
    1. RFA Offices. RFA has implemented administrative, physical, and technical safeguards for its office. These include, but are not limited to, the below:
      1. Visitors are required to sign in, acknowledge and accept an NDA, and be escorted by RFA Employees while on premises
      2. RFA Employees use allocated and recorded key fobs to access the offices
      3. Key fobs and security passwords are not shared or loaned to others without authorisation
      4. Equipment and other RFA-issued assets are inventoried and tracked
      5. Office Wi-Fi networks are protected with encryption, wireless rogue detection, and Network Access Control

5 Systems & Network Security
5.1 Platform Controls.

5.1.1 Isolation. RFA leverages multiple layers of network security controls, including network-level isolation, for separation between the RFA Control Plane and Customer Data Plane, and between Workspaces within the RFA Data Plane.
5.1.2 Firewalls & Security Groups. Firewalls are implemented as network access control lists or security groups within the Cloud Service Provider's account. RFA also configures local firewalls or security groups within the Customer Data Plane.

5.2 Hardening. 

5.2.1 RFA employs industry standards to harden images and operating systems under its control that are deployed within the Platform Services, including deploying baseline images with hardened security configuration such as disabled remote root login and isolation of user code, and regularly updating and refreshing images.

5.2.2 For Systems under RFA control supporting the production data processing environment, RFA tracks security configurations against industry standard baselines such as CIS and STIG.


5.3 Encryption.

5.3.1 Encryption of data-in-transit. Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the RFA Control Plane and (2) the RFA Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customers may optionally encrypt communications between clusters within the Data Plane.

5.3.1 Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.


5.3.2 Customer Options; Responsibilities. Customers may choose to leverage additional encryption options for data in transit within the Customer Data Plane or RFA Data Plane as described in the Documentation. Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate.


5.4 Monitoring & Logging
5.4.1 Intrusion Detection Systems. RFA leverages security capabilities provided natively by Cloud Service Providers for security detection.
5.4.2 Generation. RFA generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.
5.4.3 Integrity.  RFA stores audit logs in a manner designed to protect the audit logs from tampering.
5.4.4 Retention. RFA stores audit logs for at least one year.


5.5 Penetration Testing. RFA conducts third-party penetration tests at least annually, employs in-house offensive security Employees, and also maintains a public bug bounty program.


5.6 Vulnerability Management & Remediation. RFA regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Data Plane and RFA Control Plane. RFA will use commercially reasonable efforts to address critical vulnerabilities within 14 days, high severity within 30 days, and medium severity within 60 days measured from, with respect to publicly declared third party vulnerabilities, the date of availability of a compatible, vendor-supplied patch, or for internal vulnerabilities, from the date such vulnerability is confirmed.


5.7 Patching.

5.7.1 Control Plane. RFA deploys new code to the RFA Control Plane on an ongoing basis.

5.8 Corporate Controls.
5.8.1 Access Controls Authentication. RFA Employees are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication. Privileges are consistent with least privilege principles. Security Policies prohibit Employees from sharing or reusing credentials, passwords, IDs, or other authentication information. Role-Based Access Controls (RBACs). Only authorised roles are allowed to access systems processing customer and personal data. RFA enforces RBACs (based on security groups and access control lists) and restricts access to Customer Content based on the principle of 'least privilege' and segregation of responsibilities and duties.


5.9 Pseudonymization. Information stored in activity logs and databases is protected where appropriate using a unique randomized user identifier to mitigate risk of re-identification of data subjects.

5.10 Workstation Controls: RFA enforces certain security controls on its workstations used by Employees, including:

    1. Full-disk encryption
    2. Anti-malware software
    3. Automatic screen lock after 15 minutes of inactivity
    4. Secure VPN

6 Incident Detection & Response
6.1 Detection & Investigation. RFA’s dedicated Detection engineering team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimise the effects of unplanned security events.

6.2 Security Incidents; Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data under RFA control. A “Security Incident” is any actual or attempted breach of security that does not rise to the level of a Security Breach. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. RFA maintains a record of known Security Incidents and Security Breaches that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed Security Incidents are investigated by security, operations, or support Employees; and appropriate resolution steps are identified and documented. For any confirmed Security Incidents, RFA will take appropriate, reasonable steps to minimise product and Customer damage or unauthorised disclosure. All incidents are logged in an incident tracking system that is subject to auditing on an annual basis.

6.3 Communications & Cooperation. In accordance with applicable data protection laws, RFA will notify Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.

7 Backups, Business Continuity, and Disaster Recovery

7.1 Business Continuity and Disaster Recovery. RFA Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed, and drills are conducted annually.

7.2 Data Resiliency. RFA performs backups for the RFA Control Plane (including any Customer Instructional Input stored therein), generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure.

7.3 No Data Restoration. Due to the hybrid nature of the RFA Platform, RFA does not provide backup for Customer Content, and RFA is unable to restore an individual Customer’s Instructional Input upon request. To assist Customers in backing up Customer Instructional Input, RFA provides certain features within the Platform Services.

7.4 Customer Managed Backups. Customers retain ownership of their Customer Content and must manage their own backups, including, to the extent applicable, enabling backup within the Systems in which the Customer Data is stored.


8 Data Deletion.
8.1 On termination. Termination of any existing contracts and agreements with RFA requires full deletion of all data provided by RFA to its clients.


9 Secure Software Development Lifecycle (“SDLC”)
9.1 Security Design Review. Feature designs are assessed by security Employees for their security impact to the RFA Platform, for example, additions or modifications to access controls, data flows, and logging.
9.2 Security Training. Architects are required to take Secure SDLC training.
9.3 Change Control. RFA’s controls are designed to securely manage assets, configurations, and changes throughout the SDLC.
9.4 Code Scanning. Static and dynamic code scans are regularly run and reviewed.
9.5 Penetration Testing. As part of the Security Design Review process, certain features are identified and subjected to penetration testing prior to release.
9.6 Code Approval. Functional owners are required to approve code in their area of responsibility prior to the code being merged for production.
9.7 Multi-Factor Authentication. Accessing the RFA code repository requires Multi-Factor Authentication.
9.8 Code Deployment. Production code is deployed via automated continuous integration / continuous deployment pipeline processes.  The release management teams are separated from the engineering teams that build the product.
9.9 Production Separation. RFA separates production Platform Services Systems from testing and development Platform Services Systems.

10 Certificates

ISO and all other certificates are provided upon request and as part of any auditing process.


Last Modified August 2022

| What we use your personal data for | Our legitimate reasons |
| --- | --- |
| To provide contractual services to our clients | For the performance of our contract with our clients or to take steps at their / your request before entering into a contract |
| Preventing and detecting fraud against you / our clients or us | For our legitimate interests or those of a third party, i.e. to minimise fraud that could be damaging for you / our clients and/or us |
| Conducting identity checks to verify the identity of our clients; any other screening necessary; other processing necessary to comply with professional, legal and regulatory or other obligations that apply to our business, e.g. under health and safety regulations or rules issued by our professional regulator or the government | To comply with our legal and regulatory obligations, e.g. our anti-money laundering obligations |
| Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies | To comply with our legal and regulatory obligations |
| Ensuring business policies are adhered to, e.g. policies covering information security | For our legitimate interests or those of a third party, i.e. to make sure we are following our own internal procedures to enable us to deliver the best service to you / our clients |
| Ensuring the confidentiality of commercially sensitive information | For our legitimate interests or those of a third party, i.e. to protect our intellectual property and other commercially valuable information; to comply with our legal and regulatory obligations |
| Updating and enhancing our client records | For the performance of our contract with you / our clients or to take steps at your request before entering into a contract; to comply with our legal and regulatory obligations |
| Marketing our services to: existing and former clients; third parties who have previously expressed an interest in our services; third parties with whom we have had no previous dealings | For our legitimate interests or those of a third party, i.e. to promote our business to existing and former clients |
| External audits and quality checks | For our legitimate interests or those of a third party, i.e. to maintain our accreditations which demonstrate our service is of the best possible quality and standard; to comply with our legal and regulatory obligations |

(a) Data must be processed lawfully, fairly and in a transparent manner in relation to individuals. Red Flag Alert Technology Group has a legitimate interest in processing personal data on decision-makers and budget holders in medium-to-large businesses in the United Kingdom. The information is acquired from publicly available sources as well as direct contact with the companies in question. As a result, where personal data is processed in situations where data subjects should reasonably expect future processing, the data subject's interests and fundamental rights do not trump the data controller's interest.

(b) Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data is collected solely for the purpose of compiling a database of business contacts to be used by Red Flag Alert Technology Group and its Clients and Approved Third Parties for business-to-business marketing.

(c) Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The data collected is limited to names of senior managers and directors, their job titles, company addresses, company landline telephone numbers and corporate email addresses.

(d) Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Red Flag Alert checks all information to ensure that it is kept accurate and up-to-date. 

(e) Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
When someone leaves a position, their name and contact information are removed from the database. The data may, however, be utilised for suppression reasons, i.e. to prevent it from being added to the database again.

(f) Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data is only used by Red Flag Alert to offer legitimate business services that are relevant to the professional role of the data subject. Red Flag Alert operates a rigorous data security environment as part of its Data Governance Framework.

(g) Individuals have the right to see, correct, restrict access to or remove their personal information.
For subject access requests, use the contact details shown above. All requests for data to be removed or amended will be dealt with promptly.

(h) Complaints. Individuals have a right to complain to the Information Commissioner if they believe that there is a problem with the way their data is being used.

Follow this link to contact the ICO

This Website


We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where you have given your explicit consent to receive marketing communications from us.

1. Privacy Protection

We understand the importance of safeguarding personal information collected from our customers, future customers, and website users. In compliance with GDPR, we will only use the information we acquire about you lawfully. This website can be accessed and browsed without revealing any personal information.

2. Data Collection

We collect information about you so that we can send you information about our products and services. All information is collected and used purely for the purpose of providing you with a service, and it is handled and stored in line with GDPR rules.

If you register on our site, if you contact us with comments or particular requests, or if you send a business card or other data to any of our staff, we collect personally identifiable information about you. The elements of your data that we collect may include:

  • forename and surname
  • title
  • company name
  • company address, phone and/or fax number
  • corporate email address
  • other information specific to the nature of our interaction

We also collect anonymous information which is not unique to you such as:

  • IP address
  • Browser Type
  • Access times
  • Referring URL

3. User Access and Control of Your data

Using the contact information provided above, you may request a copy of the personal information we have about you, as well as the ability to correct it if necessary. If you wish to withdraw your consent to our use of your data at any time, please contact The Data Protection Officer at the address listed above.

4. Data Use

We use your data to provide you with information about our products and services that we believe may be of interest to you.

5. Cookies

Cookies are used to make it easier for you to navigate our website. Cookies are small pieces of data that a website saves on your computer's hard drive, in order for it to know who you are. Cookies are used by the majority of websites. Cookies cannot be used to identify you on their own. Cookies are also used to track how visitors interact with our website. The data is used to create reports and to help us improve the site. The cookies collect anonymous information about site visitors, such as the number of visitors, where they came from, and which pages they visited. By continuing to use our website, you consent to our placing these sorts of cookies on your computer. You may prevent us from storing a cookie on your computer by setting your browser so that it will not accept cookies.

6. Data Disclosure

As detailed in the table below, we may be required to disclose your personal data with our third-party service providers. Your personal information may also be shared with third parties to whom we sell, transfer, or merge parts of our business or assets. Alternatively, we could try to buy or merge with other companies. If our company changes hands, the new owners may continue to use your personal information in the same manner as described in this privacy policy. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. Third-Party Links

Links to third-party websites, plug-ins, and programmes may be found on this website. Third parties may collect or share data about you if you click on those links or enable those connections. These third-party websites are not under our control, and their privacy policies are not our responsibility. We advise you to read the privacy policies of every website you visit after leaving ours.

8. The Data We Collect About You

Personal data, often known as personal information, refers to any information about a person that can be used to identify that person. It excludes data from which the identity has been deleted (anonymous data). Different types of personal data about you may be collected, used, stored, and transferred by us, which we have categorised together as follows:

  • 8.1 Identity Data includes first name, last name, username or similar identifier, your business email address and IP address where appropriate and your company name and number.
  • 8.2 Contact Data includes billing address, delivery address, email address, telephone numbers and fax numbers.
  • 8.3 Crime / Offence Data includes information about criminal convictions and offences, for example, fraud or offences committed by a director or officer of a company, or directors’ disqualification information. This is information which is publicly available from official sources such as Companies House, the Insolvency Service and court records.
  • 8.4 Financial Data includes bank account and payment card details.
  • 8.5 Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
  • 8.6 Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • 8.7 Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
  • 8.8 Usage Data includes information about how you use our website and services.
  • 8.9 Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

9. Data from a Third Party. 

It is your responsibility to ensure that: (i) you have an appropriate legal basis to share such personal data with us; and (ii) the third-party data subject reads and understands this Privacy Policy when you provide us with a third party's personal data (for example, any personal data relating to your employees, officers, and/or agents). We shall not be held liable to any third parties if you do not follow this rule.

Aggregated Data, such as statistical or demographic data, may be collected, used, and shared for any reason. Aggregated Data may be derived from your personal data, but it is not deemed personal data in the eyes of the law because it does not expose your identity directly or indirectly. We may, for example, aggregate your Usage Data to determine the percentage of people that utilise a certain website feature. However, if we combine or connect Aggregated Data with your personal data in such a way that the combined data can be used to identify you directly or indirectly, we recognise the combined data as personal data and handle it in line with this privacy policy. 

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

10. Security

We continue to place a high priority on the security of your data. We've put in place technological and security policies, guidelines, and methods to secure the personal data under our control, whether online or offline, against unauthorised access, improper use, alteration, unlawful or unintentional deletion, and loss. All our "personal user data" is restricted in our offices when we're not online. Only Red Flag Alert workers have access to this information. However, keep in mind that no data transmission via the internet can be guaranteed to be completely safe. While we make every effort to protect your data, we cannot guarantee or promise the security of any information you submit to us or that we store.

11. Data Retention

How long will you use my personal data for?

We will only keep your personal data for as long as it is necessary to fulfil the reasons for which it was acquired, including to comply with any legal, accounting, or reporting obligations. We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements when determining the appropriate retention period for personal data. 

By law, for tax purposes, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers.

If you fill out a form on our website requesting information or provide details of your business email address, we will typically preserve your Identity, Contact, Marketing, and Communications Data for twelve months after your request, unless you express a desire to hear from us after that time-period has expired or where you have engaged RFA in providing a service to you as a client.

Unless you opt out of receiving marketing from us (in which case we will keep a record of your opt-out request on our suppression list), we will generally keep your Marketing and Communications Data for up to twelve months after your service contract finishes or expires.

12. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

12.1 You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

You will not be charged a price to view your personal information (or to exercise any of the other rights).

If your request is manifestly baseless, recurrent, or exorbitant, we may charge a fair fee. In certain cases, we may also refuse to comply with your request.

12.2 What we may need from you

We may need to ask you for further information to verify your identity and validate your right to access your personal data (or to exercise any of your other rights). This is a security step to ensure that personal information is not shared with anybody who does not have permission to receive it. We may also call you to obtain further information about your request in order to expedite our answer.

12.3 Time limit to respond

Within one month, we aim to respond to all legitimate requests. If your request is extremely difficult or you have made a number of requests, it may take us longer than a month to respond. We will alert you and keep you updated in this case.

12.4 Request that we correct the personal information we have on you. This allows you to change any missing or erroneous information we have about you, although we may need to verify the veracity of the new information you submit.

12.5 Request that your personal data be erased. This allows you to request that we erase or remove your personal data if there is no compelling reason for us to keep it. You also have the right to request that we delete or remove your personal data if you have successfully exercised your right to object to processing (see below), if we have unlawfully processed your data, or if we are forced to erase your personal data by local legislation. Please keep in mind that we may not always be able to comply with your request for erasure due to specific legal reasons that will be communicated to you at the time of your request, if relevant.

12.6 Object to the processing of your personal data if we are relying on a legitimate interest (or those of a third party) and there is something about your circumstances that makes you want to object to processing on this ground because you believe it violates your basic rights and freedoms. You also have the right to object if your personal data is being processed for direct marketing purposes. We may be able to show that we have compelling legal grounds to handle your information that outweigh your rights and freedoms in some situations.

12.7 Request that your personal data be restricted from being processed. This allows you to request that we halt the processing of your personal data in the following circumstances: (a) if you want us to verify the data's accuracy; (b) if our use of the data is unlawful but you do not want us to erase it; (c) if you need us to keep the data even if we no longer require it because you need it to establish, exercise, or defend legal claims; or (d) if you have objected to our use of your data but we need to.

12.8 Request that your personal data be transferred to you or a third party. We shall give your personal data in a structured, frequently used, machine-readable format to you or a third party you specify. This privilege only applies to automated information that you gave us permission to use or if we utilised the information to fulfil a contract with you.

Where we rely on consent to process your personal data, you can withdraw your consent at any time. However, the lawfulness of any processing carried out before you withdraw your consent will not be affected. We may not be able to offer you some products or services if you withdraw your consent. If this is the case, we will notify you when you withdraw your consent.

13. International Transfers

Except as stated in this policy, we do not transfer your personal data outside the European Economic Area (EEA). Where we transfer personal data outside the EEA we will ensure appropriate safeguards are in place to protect that data. Please ask if you require details of specific safeguards.

14. Third Parties With Whom We May Share Your Data:

We may share your data with third parties who provide services on our behalf.

All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others.

Where your data is shared with third parties, we will seek to share the minimum amount necessary.


Authenteq Tarbena GmbH
AWS (Amazon Web Services)
Blue Tahiti Software Ltd
Companies House
Connell Data Ltd
Dun & Bradstreet Ltd
GB Group Ltd (GBG)
Google Ireland Ltd
Information Network Services Ltd
Microsoft Ireland Operations Ltd
Microsoft Azure Microsoft Ireland Operations Ltd
Microsoft Ltd
Santander Charges
The Compliance Engineers
Tech City Labs Ltd
Tora Digital
Trust Payments Ltd
Xero (UK) Ltd
Zen Internet Ltd
Registry Trust
AHR Consultants

15. Privacy Support

If you have any questions or comments about privacy, please contact us at the above address.



Last Modified August 2022