Website Privacy

This includes:

  • IP address that you are connecting to this site with (this is shown at the bottom of each page for your benefit)
  • Time of access
  • Details of which version of browser used e.g. “Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2”
  • Which pages your IP address accessed e.g. “GET /index.php/admin HTTP/1.1”
  • Referrer IP (the site that brought you to this one, if available)

This information is collected/held by every website on the world wide web that you connect to; most of it is required for the WWW to operate the way it does.

 

2018-05-25 Update: we used to use Google Fonts. This meant that every time you came to our site, a service provided by Google would make the fonts that this site uses available to your device. We decided that your privacy was unnecessarily being breached by this, so now all fonts are provided directly from this site using a secure connection. The cost of doing this is that the site now takes slightly longer to load. (Most sites still provide Google/Adobe/Apple et al with your IP address using this mechanism.)

2018-06-01 Update: The Referrer IP that is passed to the next site you visit from this one was, we felt, providing too much information to the next site, so we no longer provide it.

You can email us via our website forms or directly.

What we use this information for

This information is used to help us:

  • Determine which pages get the most views
  • Which pages fail to load
  • Determine if an unauthorised access is being attempted
  • Which referrer is referring to us [Twitter, Facebook…]

“We” are unable to identify you personally using just this information.

Where your data is stored

  • Our host (UK Web Solutions) stores this site and its access logs (as described above) in an ISO 27001 accredited data center in the UK and is subject to UK and EU data protection law and other relevant law.

Retention

  • Log files which hold the information described above are held for up to 6 months in the secure data centre, after which we have no access.
  • Our host is required by law to hold logs, which we have no access to, for up to 1 year.
  • IP addresses of those systems that have attempted to gain unauthorised entry to this site are retained for blocking and analysis purposes, and may be passed on to law enforcement as this is a breach of the Computer Misuse Act 1991 in the UK.
  • We don’t retain your name, email address or message on this web site if you use the email form; this is held by our email service provider, please see the email privacy policy.

Keeping your data secure

  • Transmitting information over the internet is inherently not secure.
  • We use https (TLS) to encrypt the data sent between your browser and this web site. This ensures, up to a point, that it can’t be interfered with; this is however not 100% secure.
  • Any data you transmit is at your own risk; it is in the public domain as soon as it leaves your network.
  • Information gained from your use of this website will not be shared with any other organisations by ourselves.

Disclosing your information

  • We will only release the base information that is held as described above if we are legally forced to do so but not otherwise.
  • Our host is required to retain information for longer under the Regulation of Investigatory Powers Act (RIPA) which we have no control or influence over.

Cookie Policy

We do not place cookies on your system.

If you find any being set, please report it to us.

Privacy

Aggress Ltd does not hold any personal information outside of that which it absolutely needs to provide your business with services. We operate B2B and do not work with consumers.

What data we hold

When you email/work with us we will store information about you and your business. These details include – for basic interaction:

  • your name
  • email address(es)
  • telephone number(s)
  • billing/payment information (when you become a client)
  • engagement source (website, email, telephone, referral…)

If you purchase a service from us we will ask you for further information in order to provide that service. Once a contract is in place we may contact you in future about the service you used, or about services directly related. We do not need your consent to do this, but we will respect your right to opt out of further non-essential contact.

What we use this information for

We use this information to provide you with our service offering and thus:

  • allow us to reply to your email
  • inform you of our services within the context of the services used and provided by us

If you do not want to be contacted about our services after your initial enquiry please let us know by call, email, face to face or letter. If you do not want us to contact you or reply to your contact please don’t contact us!

Data retention

Before you become a paying client we will retain your correspondence for a maximum of 1 year. When you become a customer we will hold data that we must retain to meet our statutory responsibilities (such as details of invoices sent to you, VAT related details) up to 6 + 1 years. For the Cyber Essentials Scheme we are required under contract to retain a copy of your report and any log files for a period of 6 years after the date of certification. For other services we will retain details other than those that are statutory requirements for a period of typically 1 year; some may be held longer where we believe it is in ‘our’ legitimate interests or ‘your’ best interests to do so.

Where your data is stored

Email

We currently use Google G Suite for business to handle our email, contacts and calendar, and in some situations for file sharing with clients that also use this service. Please see the following link for Google’s compliance: Google Compliance Statements. We keep a close watch on our compliance requirements and will move or remove your information where a supplier that processes it for us does not meet the compliance requirements of the UK/EU (if you are a UK or EU citizen). Where we use a service based out of the UK/EU we ensure that they are registered with Privacy-Seal and/or that Binding corporate rules or Model contract clauses are in place. When you become a customer your business information is stored in our ‘paid for’ accounts package. This is a UK company and the data is stored on UK servers, in an ISO 27001 accredited data centre; they are compliant with UK Data Protection Law.

Service Related information

Each customer record held by us for Cyber Essentials Basic/Plus that is commercially confidential or sensitive in electronic form is encrypted with AES 256, and the key held in an encrypted password manager. The encrypted files are backed up to multiple separate encrypted storage mediums. Paper copies are held only where necessary in a locked metal filing cabinet, within a code-locked internal room within our alarmed, access-controlled office. Where possible paper copies are scanned and stored as above; the paper copy is then cross-cut shredded using a level 3 device.

Disclosing your information

We only allow access to your data when required by law; we do not and will never sell your details. We do not allow services such as Facebook, Twitter, LinkedIn, Snapchat and other social media platforms access to our contacts database and suggest you do likewise. We may contact you using LinkedIn, Twitter or Facebook (if you are already a member). No personal or commercially damaging information will be passed via these channels by ourselves; if you choose to pass information of those categories we will suggest a different medium.

Our email host (Google) has access to your details in order to provide its email, contacts and calendar service to us. We do not use third party add-ons that may use or have access to your data. As a paying user of Google GSuite, your emails to and from us are not scanned for marketing data. All future add-ons are/will be checked that they comply with UK/EU privacy law. We are evaluating CRM systems that comply with GDPR and the DPA and will add details when we have found a compliant one!

Keeping your data secure

We use TLS connections and 2FA (two factor authentication) to access our email accounts on secured devices. All backups are secured using AES 256, all keys are stored using AES 256. Information we hold is access controlled, backed up, encrypted and stored in the UK.

Transparency

If our systems are ever compromised, we promise to inform our clients immediately where their data may have been compromised, and will self-report to the Information Commissioner’s Office. An incident would include any breach of security leading to the alteration, unauthorised disclosure of, or access to, your identifiable personal or corporate data. We will notify affected users first, and then publish details of the breach on this site.

We do not use third party advertising companies to provide advertisements or allow third party advertisers to track your browsing.

Compliance

Aggress Ltd, as a Cyber Security and data protection consultancy company, takes security seriously. To that end we have been externally audited to Cyber Essentials Plus and IASME Governance Gold standard. We are currently working with ISO 9001:2015 and ISO 27001:2013 systems but have not gained external accreditation.

IASME Governance Gold Standard

The IASME Standard: this information assurance audit is repeated annually, and covers many aspects of ISO 27001.

Cyber Essentials Plus

The same service we offer to our clients was conducted by an external auditor, Terabyte IT; this is repeated annually. We also carry out our own tests frequently.

Data Protection

We have been certified as being GDPR Ready as of November of 2017. David Evans is certified to assess GDPR Readiness in association with IASME. We actively work helping businesses comply with GDPR and the Data Protection Act 2018.

Insurance

The following aspects are insured

  • Public and Products Liability
  • Professional Indemnity
  • Employee Liability

Aggress Ltd will only collect personally identifiable data, such as your name, address, telephone number, or email address, when it is voluntarily submitted to us at this website or as part of providing our services to your business. This information will be collected through an online form or when you contact Aggress Ltd regarding any other matter. Where you have made available a business card we may use the information to contact you and that information may be added to our contacts list.

Change of Privacy Policy

If we are going to use your personally identifiable information in a manner different from that stated at the time of collection through this Web site, we will notify you via email. You will have a choice as to whether or not we use your information in this different manner. In addition, if we make any material changes in our privacy practices that do not affect user information already collected through our site, we will post a prominent notice on our web site notifying users of the change.

Access to Your Information

Right to be Informed

We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data.

Erasure/Right to be forgotten

If you would like us to delete any information we have about you, we shall do so at your request unless it is part of a condition of using one of our services, or we are legally required to retain it. We will ask you to verify your identity before we take any action. In the event you do not want to be contacted by us any more, just let us know by any means (we would appreciate it if you told us why); we will confirm that your request has been received and that will be the final intentional communication from us.

Access, Rectification

You can obtain the types of personal data we hold about you at any time; we will respond to your request to access within 1 Month. At any time you can ask us to make changes to ensure what we hold is accurate (subject to any legal requirements). Before we are able to provide you with any information or correct any inaccuracies, we will ask you to verify your identity.

Restrict Processing

We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data; no non-essential processing is carried out.

Automating Processes or Profiling

We may at times do high-level background checks of potential clients (Profiling). This involves using public domain registries such as, but not limited to, Companies House. This is a manual task, is only done to protect our interests and reputation, and is within our legitimate interests to do so. If you object to this please take your business elsewhere.

Data Portability

We hold only what is needed for the purpose of the service you have chosen, or where you have provided the data. Personal data is limited to what you have provided, which you are welcome to have back.

Right to object

We don’t operate a mail list directly other than for highly technical clients who choose to get very occasional technical updates from us. You can object to being on this list at any time. All other processing of personal data is required to meet the needs of our contractual or legal obligations.

Other Obligations

Sales, Mergers and Acquisitions

In the event of a sale, merger or acquisition all data will be transferred to the new entity; employee information will be passed under TUPE.

Cease trading or Administration

In the event of Aggress Ltd ceasing operations entirely, all personal data will be retained in accordance with the law. Logs and data records will be retained in line with the obligations as a running entity, 6 years for Cyber Essentials Plus. Operational historical records will be retained as per company and taxation law.

Children

We do not intentionally collect information from persons under the age of 16.

Third Party Links and Advertisement

As a convenience to our visitors, this site contains links to past or current clients and sources of information which we believe at the time of linking will be of benefit to our visitors. The privacy policies and procedures described here do not apply to those linked sites. We suggest contacting those sites directly for information on their own data collection and distribution policies.