Data Management and Security Policy

Purpose: The purpose of this policy is to outline the principles and guidelines that ensure the safe and compliant collection, storage, transfer, and disposal of customer data during the implementation process.

Scope:
This policy applies to all employees, contractors, and third parties who interact with or have access to customer data, processes, and digital assets stored in company-provided tools for the execution of a customer engagement.

  1. Data Collection: We will collect the data required for the Salesforce implementation process. All data collection activities will be transparent and logged against the provided customer repository (Notion & Google Drive), and we'll obtain consent from our customers before gathering any information. All requests and replies will be logged in our customer relationship management platform (Salesforce Sales Cloud).
  2. Data Storage:
    • Salesforce Sales Cloud: Customer data stored here is encrypted at rest and in transit. We will utilise Salesforce's built-in security measures, such as Shield encryption and auditing capabilities.
    • Basecamp: Sensitive data in Basecamp will be stored in private projects with access limited to essential personnel. We will adhere to Notion's best practices for security and privacy.
    • Google Drive: All files will be stored in designated folders with strict access controls. Sharing will be limited, and any shared file or folder will be encrypted.
  3. Access Controls:
    • Only authorised personnel with a legitimate business need can access customer data.
    • Role-based access controls will be implemented across Salesforce, Notion, and Google Drive.
    • Multi-factor authentication will be mandatory for all systems.
  4. Data Transfer:
    • Data transfers within and outside the organisation will occur over encrypted channels or provided file repositories.
    • Any third-party integrations or APIs used during implementation will adhere to secure and compliant data transfer protocols.
  5. Data Retention and Disposal:
    • Customer data will be retained only for the period required for implementation and any subsequent support or as mandated by regulatory requirements.
    • Secure disposal measures, including digital shredding and deletion protocols, will be in place for data that no longer serves a business purpose.
  6. Training: Employees will receive regular training on this data management/security policy, ensuring they know their responsibilities and the best practices to follow.
  7. Audits and Assessments: We will undertake periodic internal audits and third-party assessments to ensure adherence to this policy and identify improvement areas. Any anomalies or breaches identified during these audits will result in immediate corrective action.
  8. Incident Response: An incident response team will be designated to manage and respond to any data breaches or unauthorised access incidents. All incidents will be thoroughly investigated, and affected customers will be notified per relevant regulations.
  9. Vendor Management: Vendors, including Salesforce, Miro, Notion, and Google, will be evaluated based on security practices. Any additional third-party vendors involved in the implementation process will be subject to the same scrutiny and expected to adhere to our data management and security standards.
  10. Compliance: This policy aligns with major data protection regulations, including GDPR and CCPA. Continuous updates will be made to ensure adherence to evolving regulatory requirements.

    Review & Update: This policy will be reviewed annually and updated as needed to address changes in our operations or the regulatory landscape.