PocketSurvey Ltd - Our Commitment to Security and Operational Resilience

PocketSurvey Ltd - Information Security Policy

Effective Date: May 9, 2025
Reviewed: Annually (or more frequently if required)

1. Purpose

This policy outlines PocketSurvey Ltd's commitment to protecting its information assets and ensuring the confidentiality, integrity, and availability of all data, systems, and services. It aims to minimise risks from security threats, comply with relevant regulations (e.g., GDPR), and maintain trust with our clients and partners.

2. Scope

This policy applies to all employees, contractors, temporary staff, and any third parties who access PocketSurvey Ltd's information systems or handle company data, regardless of location or device.

3. Key Principles

• Confidentiality: Only authorised individuals shall have access to sensitive information.
• Integrity: Information shall be accurate, complete, and protected from unauthorised modification or destruction.
• Availability: Information and systems shall be accessible to authorised users when needed.

4. Policy Statements

• Data Protection: All personal and sensitive data will be handled in accordance with the UK GDPR and other relevant data protection laws. Data will be collected, processed, and stored securely and only for legitimate business purposes.
• Access Control: Access to company systems, networks, and data will be granted based on the principle of "least privilege" - users will only have access to the information and resources necessary to perform their job functions. All access will be authenticated and regularly reviewed.
• Password Management: All users must use strong, unique passwords for all company systems and accounts. Passwords must meet minimum complexity requirements and be changed regularly. Multi-factor authentication (MFA) will be implemented where possible.
• Device Security: All company-issued devices (laptops, mobile phones, etc.) must be protected with appropriate security measures, including strong passwords/biometrics, encryption, and up-to-date antivirus/anti-malware software. Personal devices used for work (BYOD) must also adhere to company security standards.
• Network and Cloud Security: Our data and operations primarily leverage secure cloud services (such as Google Workspace) which provide their own robust security measures, including data encryption, access controls, and threat detection. All devices accessing these services must maintain up-to-date operating systems and security patches. Secure internet access is paramount, and public Wi-Fi networks should be used with caution, preferably via a Virtual Private Network (VPN) where sensitive data is involved.
• Email and Internet Usage: Users must exercise caution when opening emails, clicking links, or downloading attachments, especially from unknown sources. Phishing attempts and suspicious activities must be reported immediately. Internet usage should be for legitimate business purposes.
• Data Backup and Recovery: Critical business data will be regularly backed up to secure, off-site locations. A disaster recovery plan will be in place and tested periodically to ensure business continuity.
• Incident Response: All security incidents (e.g., data breaches, malware infections, lost devices) must be reported immediately to [Designated Person/Department, e.g., IT Support/Management]. A clear process for responding to, investigating, and resolving security incidents will be followed.
• Employee Training and Awareness: All employees will receive regular security awareness training to educate them on best practices, common threats, and their responsibilities under this policy.
• Third-Party Security: Third-party vendors or service providers who access our systems or handle our data must demonstrate adequate security controls and comply with our security requirements.
• Regulatory Compliance: PocketSurvey Ltd complies with applicable UK and EU data protection and IT security regulations, including UK GDPR. While we strive to meet best practices globally, we do not claim full compliance with all international security regulations.

5. Compliance and Enforcement

All employees are responsible for adhering to this policy. Non-compliance may result in disciplinary action, up to and including termination of employment, and potential legal consequences.

6. Policy Review

This policy will be reviewed at least annually, or more frequently if there are significant changes in technology, threats, or regulations.

Privacy Policy

Our comprehensive Privacy Policy details how PocketSurvey Ltd collects, uses, protects, and manages your personal data. It also outlines your rights regarding your data. For full details, please visit our dedicated policy page:

PocketSurvey.org/privacy-policy.htm

Health and Safety Policy

PocketSurvey Ltd is committed to providing a safe and healthy working environment for all its employees, contractors, and visitors. As a small, remote-first company primarily using home offices, our policy focuses on promoting good ergonomic practices, identifying and mitigating common home office risks, and ensuring awareness of emergency procedures. All staff are encouraged to report any health and safety concerns to the CEO immediately.

Data Protection Policy (GDPR)

PocketSurvey Ltd is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO registration number ZA333198) and process personal data lawfully, fairly, and transparently. Our comprehensive privacy practices are detailed in our Privacy Policy available at pocketsurvey.org/privacy-policy.htm.

As a SaaS provider of property inspection and compliance applications, we process property-related data including addresses, survey data, and photos. We leverage Google Workspace's secure cloud infrastructure with encryption at rest and in transit, role-based access controls, and detailed audit logs. All company devices are encrypted to protect data. We conduct Data Protection Impact Assessments (DPIAs) to identify and minimise risks, and data is retained for the duration of client subscriptions or projects, then securely deleted in line with our data retention policy.

Individuals have the right to access, rectify, erase, restrict processing, and port their personal data. We respond to all data subject requests within one month. James Holroyd (CEO) holds overall accountability for data protection compliance, with specific duties assigned to all staff. Any queries or requests should be directed to the CEO immediately. We review this policy annually and provide all staff with regular data protection and cyber security training. In the event of a data breach, we will notify affected individuals and the ICO within 72 hours where required by law.

Software and Asset Management Policy

PocketSurvey Ltd ensures all software used is legally licensed and kept up-to-date with security patches through automated updates where possible (e.g., for operating systems and Google Workspace applications). Company-issued laptops and mobile devices are inventoried, encrypted, and their security posture is regularly monitored. Disposal of devices follows secure data wiping procedures.

Change Management Policy

PocketSurvey Ltd implements a streamlined change management process for significant alterations to our IT systems and cloud configurations. Changes are planned, reviewed, and approved by the CEO or a designated lead, with communication to affected staff to minimize disruption and ensure security integrity.

Insurance Details

PocketSurvey Ltd holds comprehensive insurance coverage to protect our operations and stakeholders. We maintain £2 million in public liability insurance and £10 million in employer liability insurance.

For transparency, please find links to our insurance documentation below:

• Public Liability Insurance: PocketSurvey.com/files/PL-Certificate.pdf
• Employer Liability Insurance: PocketSurvey.com/files/EL-Certificate.pdf