Website Privacy
This includes:
- IP address that you are connecting to this site with
- Time of access
- Details of which version of browser used e.g. “Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2”
- Pages your IP address accessed e.g. “GET /index.php/admin HTTP/1.1”
- Referrer IP (the site that brought you to this one, if available)
This information is collected/held by every website on the World Wide Web that you connect to; most of it is required for the WWW to operate the way it does.
2018-05-25 Update: We used to use Google Fonts. This meant that every time you came to our site, a service provided by Google would make the fonts that this site uses available to your device. We decided that your privacy was being unnecessarily breached by this, so now all fonts are provided directly from this site using a secure connection. The cost of doing this is that the site now takes slightly longer to load. (Most sites still provide Google/Adobe/Apple et al. with your IP address using this mechanism.)
2018-06-01 Update: We felt that the Referrer IP that is passed to the next site after you visit from this one was providing too much information to the next site, so we no longer provide this.
You can email us via our website forms or directly.
What we use this information for
This information is used to help us:
- Determine which pages get the most views
- Which pages fail to load
- Determine if unauthorized access is being attempted
- Which referrer is referring to us [Twitter, Facebook…]
Aggress Ltd is unable to identify you personally using just this information.
Where your data is stored
- Our host (UK Web Solutions) stores this site and its access logs (as described above) in an ISO 27001 accredited data centre in the UK and is subject to UK and EU data protection law and other relevant law.
Retention
- Log files which hold the information described above are held for up to 6 months in the secure data centre after which we have no access.
- Our host is required by law to hold logs which we have no access to for up to 1 year.
- IP addresses of those systems that have attempted to gain unauthorized entry to this site are retained for blocking and analysis purposes and may be passed on to law enforcement, as this is a breach of the Computer Misuse Act 1991 in the UK.
- We don’t retain your name, email address or message on this website if you use the email form; this is held by our email service provider. Please see the email privacy policy.
Keeping your data secure
- Transmitting information over the internet is inherently not secure.
- We use HTTPS (TLS) to encrypt the data sent between your browser and this website. This ensures, up to a point, that it can’t be interfered with; it is, however, not 100% secure.
- Any data you transmit is at your own risk; it is in the public domain as soon as it leaves your network.
- Information gained from your use of this website will not be shared with any other organization by us directly.
Disclosing your information
- We will only release the base information that is held as described above if we are legally forced to do so but not otherwise.
- Our host is required to retain information for longer under the Regulation of Investigatory Powers Act (RIPA) which we have no control or influence over.
Cookie Policy
We do not place cookies on your system.
If you find any being set, please report it to us.
Privacy
Aggress Ltd does not hold any personal information outside that which it absolutely needs to provide your business with services. We operate B2B and do not work with consumers.
What data we hold
When you email/work with us we will store information about you and your business. For basic interaction, these details include:
- your name
- email address(es)
- telephone number(s)
- billing/payment information (when you become a client)
- engagement source (website, email, telephone, referral…)
If you purchase a service from us, we will ask you for further information in order to provide that service. Once a contract is in place we may contact you in future about the service you used, or about directly related services. We do not need your consent to do this, but we will respect your right to opt out of further contact.
What we use this information for
We use this information to provide you with our service offering and thus:
- allow us to reply to your email
- inform you of our services within the context of the services used and provided by us
If you do not want to be contacted about our services after your initial enquiry please let us know by call, email, face to face or letter. If you do not want us to contact you or reply to your initial contact, please don’t contact us!
Data retention
- Before you become a contracted client, we will retain your correspondence at our discretion for typically 2 years.
- When you become a customer we will hold data that we must retain to meet our statutory responsibilities (such as details of invoices sent to you, VAT related details) for at least 6 years.
- For the Cyber Essentials Scheme we are required under contract to retain a copy of your report and any log files for a period of 6 years after the date of certification.
- For other services we will retain details other than those that are statutory requirements for a period of typically 1 year, some may be held longer where we believe it is in ‘our’ legitimate interests or ‘your’ best interests to do so.
Where your data is stored
- We currently use Google Workspace Enterprise to handle our email, contacts, and calendar, and in some situations for file sharing with clients that also use this service. For Google’s compliance, please see the Google Compliance Statements.
- We keep a close watch on our compliance requirements and will move or remove your information where a supplier that processes it for us does not meet the compliance requirements of the UK (We do not typically hold data of EU citizens).
- When we use a service based outside the UK, i.e. US/EU, we ensure that they are registered with Privacy-Seal and/or that Binding corporate rules or Model contract clauses are in place.
- When you become a customer, your business information is stored in our ‘paid for’ accounts package. This is a UK company and the information is stored on UK servers, in an ISO 27001 accredited data centre.
Service-Related information
- Each customer record held by us for Cyber Essentials Basic/Plus, or that is commercially confidential or sensitive, in electronic form is encrypted with AES 256, and the long key is held in an encrypted password manager. Encrypted files are backed up to multiple separate encrypted storage mediums. Paper copies are held only where necessary in a locked metal filing cabinet, within a lockable internal room within our alarmed and access-controlled offices. Where possible, paper copies are scanned and stored as above; the paper copy is then cross-cut shredded using a DIN level 3 device.
Disclosing your information
- We only allow access to your data when required by law. We do not and will never sell your details.
- We do not allow services such as Facebook, Twitter, LinkedIn, Snapchat and other social media platforms access to our contacts database and suggest you do likewise. You may contact us using LinkedIn, Twitter or Facebook and we may respond. No personal or commercial information will be passed via social media channels by ourselves; if you choose to pass or request information via one of those channels, we will suggest a different medium.
- Our email host (Google) has access to your contact details in order to provide its email, contacts and calendar services to us. We do not use third party add-ons that may use or have access to your data. As we are a business user of Google Enterprise, your emails to us and those from us are not scanned for marketing data. All future add-ons or changes are/will be checked to ensure that they comply with UK privacy law.
- We have evaluated many CRM systems based in the US, EU and UK that allege compliance with GDPR and the DPA, and concluded that none do it well and also meet our needs. We have therefore commissioned our own on-site CRM system to ensure our and your commercial data is protected.
Keeping your data secure
- We use TLS connections and 2FA (two-factor authentication) to access our online accounts on secured and encrypted devices.
- All backups are secured using AES 256; all keys are stored using AES 256.
- Information we hold is access controlled, backed up, encrypted, and stored in the UK.
Transparency
- If our systems are ever compromised such that your data is damaged or accessed without authorisation, we promise to inform you/our clients immediately, and will self-report to the Information Commissioner’s office as appropriate.
- An incident would include any breach of security leading to the alteration, unauthorised disclosure of, or access to, your identifiable personal or corporate data.
- We will notify affected users first, and then publish details of the breach on this site.
- We do not use third party advertising companies to provide advertisements or allow third party advertisers to track your browsing.
Compliance
As a cybersecurity and data protection consultancy company, Aggress Ltd understands the importance of security, as you would expect. To that end we have been externally audited to Cyber Essentials Plus and IASME Cyber Assurance L2 standard, and carry out frequent vulnerability tests. We are currently working with ISO 9001:2015 and ISO 27001:2013 systems but have not gained external accreditation due to the exorbitant ongoing cost of doing so, as these costs would have to be passed on to our valued clients.
IASME Cyber Assurance L2: The IASME Cyber Assurance Standard covers many aspects of ISO 27001, but is more suited to the smaller business.
Aggress Ltd will only collect personally identifiable data, such as your name, address, telephone number, or email address, when it is voluntarily submitted to us at this website or as part of providing our services to your business. This information may be collected through an online form or when you contact Aggress Ltd regarding any other matter. Where you have made available a business card we may use the information to contact you and that information may be added to our contacts list (but not mailing list).
Change of Privacy Policy
If we are going to use your personally identifiable information in a manner different from that stated at the time of collection through this Website, we will notify you via email. You will have a choice whether we use your information in this different manner. In addition, if we make any material changes in our privacy practices that do not affect user information already collected through our site, we will post a prominent notice on our website notifying users of the change.
Access to Your Information
Right to be Informed
We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data.
Erasure/Right to be forgotten
If you would like us to delete any information we have about you, we shall do so at your request unless it is part of a condition of using one of our services, or we are legally required to retain it. We will ask you to verify your identity before we take any action. In the event you do not want to be contacted by us again, just let us know by any means (we would appreciate it if you told us why). We will confirm that your request has been received and that will be the final intentional communication from us.
Access, Rectification
You can obtain the types of personal data we hold about you at any time; we will respond to your request to access within 1 month. At any time you can ask us to make changes to ensure what we hold is accurate (subject to any legal requirements). Before we are able to provide you with any information or correct any inaccuracies, we may ask you to verify your identity.
Restrict Processing
We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data, no non-essential processing is carried out.
Automating Processes or Profiling
We may at times do high-level background checks of potential business clients (profiling). This involves using public domain registries such as, but not limited to, ‘Companies House’. This is a manual task, and is only done to protect our interests and reputation; it is within our legitimate interests to do so. If you object to this, please take your business elsewhere.
Data Portability
We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data, personal data is limited to what you have provided, which you are welcome to have back.
Right to object
We don’t operate a mail list directly other than for highly technical clients who choose to get very occasional technical updates from us. You can object to being on this list at any time. All other processing of personal data is required to meet the needs of our contractual or legal obligations.
Other Obligations
Sales, Mergers and Acquisitions
In the event of a sale, merger or acquisition, all data will be transferred to the new entity; employee information will be passed under TUPE.
Cease trading or Administration
In the event of Aggress Ltd ceasing operations entirely all personal data will be retained in accordance with the law. Logs and data records will be retained in keeping with the obligations of a running entity, i.e. 6 years for Cyber Essentials Plus.
Operational historical records will be retained as per company and taxation law.
Children
We do not intentionally collect information from persons under the age of 16.
Third Party Links and Advertisement
As a convenience to our visitors, this site contains links to past or current clients and sources of information which we believe at the time of linking will be of benefit to our visitors. The privacy policies and procedures described here do not apply to those linked sites. We suggest contacting those sites directly for information on their own data collection and distribution policies.
Our aim is to deliver good value to our stakeholders and clients, as we really do care.
If you feel you have not got the service to the standard you expected during the delivery of our offerings and you wish to complain, feel free to:
- Raise the issue directly with the agent/assessor.
- Email ‘complaints @ aggress.co.uk’ (remove the spaces)
We will endeavour to resolve any issues which we have control or influence over within no more than 30 days. Where an issue is outside our control, we will do our best to work with you to gain satisfaction.
If you have an issue with a Cyber Essentials assessment result and wish to appeal, you have 30 days to do so from the report being issued. In the first instance please email or call to discuss the issue. Where an error has been made we will seek to rectify it; however, the NCSC/Cyber Partner (IASME) are the final arbiters on such issues.
- At all times we value your constructive feedback; we welcome all suggestions to make our offering and services better.
- We periodically carry out customer satisfaction surveys, which you are under no obligation to complete.
- We send these only to those clients that have engaged with us under contract, and they will relate to the service offering you received. As such they do not require consent; we will of course respect your right to opt out.
- Feel free to let us know if you would not like to take part at any time, or to give us direct feedback.
For other constructive feedback please email ‘feedback @ aggress.co.uk’ (remove the spaces)