Data Protection Policy
This document sets out how SecureITSimply collects, processes, stores, and protects personal data in the course of delivering its cybersecurity and IT services. It applies to all staff, contractors, clients, and data subjects who interact with our services or systems.
1. Purpose and Scope
This Data Processing Policy (“Policy”) establishes the principles, responsibilities, and procedures that govern how SecureITSimply (“the Company”, “we”, “us”, “our”) processes personal data. It supports our compliance with applicable data protection laws, including:
- The Digital Personal Data Protection Act, 2023 (DPDP Act) — India
- The General Data Protection Regulation (EU) 2016/679 (GDPR) — European Union & UK
- The Information Technology Act, 2000 and IT (Amendment) Act, 2008 — India
- Other applicable national and international data protection frameworks
This Policy applies to all personal data processed by SecureITSimply, whether held in electronic or physical format, across all business functions including sales, service delivery, HR, and marketing.
2. Key Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (‘Data Subject’), including name, contact details, location, IP address, or any identifier. |
| Processing | Any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction. |
| Data Controller | The entity that determines the purposes and means of processing personal data. SecureITSimply acts as a Controller for client and employee data. |
| Data Processor | An entity that processes personal data on behalf of a Controller. SecureITSimply may act as a Processor when delivering managed security services. |
| Data Subject | The individual to whom personal data relates — clients, website visitors, employees, prospective customers. |
| Consent | Freely given, specific, informed, and unambiguous indication of a Data Subject’s agreement to processing of their personal data. |
| Data Breach | A security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. |
| Sub-processor | A third party engaged by SecureITSimply to process data on behalf of a client Controller. |
3. Data Protection Principles
SecureITSimply adheres to the following core principles when processing personal data:
| Principle | Our Commitment |
|---|---|
| Lawfulness, Fairness & Transparency | We process data only on a valid legal basis and always inform data subjects how their data is used. |
| Purpose Limitation | Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. |
| Data Minimisation | We collect only the data that is adequate, relevant, and limited to what is necessary for the stated purpose. |
| Accuracy | We take reasonable steps to ensure data is accurate and kept up to date, rectifying inaccuracies without delay. |
| Storage Limitation | Data is retained only for as long as necessary to fulfil the purpose for which it was collected or as required by law. |
| Integrity & Confidentiality | Data is processed in a manner that ensures appropriate security, including protection against unauthorised access, loss, or destruction. |
| Accountability | We take responsibility for complying with these principles and maintain evidence of our compliance activities. |
4. Legal Bases for Processing
We process personal data only when we have a valid legal basis to do so. The bases we rely on include:
4.1 Contract Performance
Processing is necessary to enter into or perform a contract with the data subject — for example, delivering managed security services to clients or processing payroll for employees.
4.2 Legal Obligation
Processing is required to comply with a legal obligation, such as tax reporting, regulatory filings, or responding to lawful requests from authorities.
4.3 Legitimate Interests
We process data where it is in our legitimate interests to do so and those interests are not overridden by the rights and freedoms of the data subject. Examples include fraud prevention, network security monitoring, and marketing to existing clients.
4.4 Consent
Where required by law (e.g., marketing communications to prospects, cookies), we obtain explicit, freely given, and revocable consent from the data subject prior to processing.
4.5 Vital Interests
In exceptional circumstances, we may process data to protect the vital interests of individuals, for example in a health and safety emergency.
5. Categories of Personal Data Processed
| Category | Examples | Primary Purpose |
|---|---|---|
| Identity Data | Full name, job title, company name | Service delivery, account management |
| Contact Data | Email address, phone number, postal address | Communication, support, billing |
| Financial Data | Invoice details, bank account references, GST/PAN numbers | Billing, statutory compliance |
| Technical Data | IP addresses, log data, device identifiers, system credentials (hashed) | Security monitoring, incident response |
| Usage Data | Website analytics, portal activity, service usage patterns | Service improvement, support |
| Employee Data | HR records, performance data, compensation, background checks | Employment contract fulfilment, legal compliance |
| Special Category Data | Health information (if relevant to employment), only where legally required | Occupational health, statutory obligations |
| Client End-User Data | Data processed within client environments as part of managed security services | Contractual service delivery on behalf of clients |
Special category data (sensitive personal data) is processed only where strictly necessary, with explicit consent or another valid legal basis, and with enhanced safeguards applied.
6. How We Collect Personal Data
SecureITSimply collects personal data through the following means:
6.1 Direct Collection
- Website enquiry forms, contact and demo request submissions
- Email correspondence and telephone calls
- Client onboarding forms and service agreements
- Employee recruitment applications and HR processes
- Event registrations and webinar sign-ups
6.2 Automated Collection
- Website cookies and tracking technologies (see our Cookie Policy)
- Security monitoring tools and SIEM systems during service delivery
- System and application log files
6.3 Third-Party Sources
- Publicly available sources such as LinkedIn, company websites, and industry databases
- Referrals from existing clients or partners
- Background check providers (for employees and contractors)
7. Purposes of Processing
We process personal data for the following primary purposes:
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Responding to enquiries and providing quotations | Legitimate interests / Contract | 3 years from last contact |
| Delivering contracted cybersecurity & IT services | Contract performance | Duration of contract + 7 years |
| Invoicing, billing, and financial record-keeping | Legal obligation | 7 years (statutory) |
| Security incident detection and response | Contract / Legitimate interests | 1 year from incident closure |
| Employee onboarding and HR administration | Contract / Legal obligation | Duration of employment + 6 years |
| Marketing communications (existing clients) | Legitimate interests | Until opt-out or 3 years inactivity |
| Marketing communications (prospects) | Consent | Until consent withdrawn |
| Compliance, audit, and regulatory reporting | Legal obligation | As required by applicable law |
| Website analytics and performance optimisation | Consent (cookies) / Legitimate interests | As per Cookie Policy |
8. Data Sharing and International Transfers
8.1 Authorised Recipients
We may share personal data with the following categories of recipients:
- Sub-processors and service providers who support our IT infrastructure (e.g., cloud hosting, email, CRM, ticketing systems)
- Professional advisors including legal counsel, accountants, and auditors
- Regulatory bodies and law enforcement agencies where required by law
- Clients — to the extent necessary to report on security incidents involving their data
8.2 Sub-processor Requirements
We enter into Data Processing Agreements (DPAs) with all sub-processors before allowing them to process personal data on our behalf. These agreements require sub-processors to:
- Process data only on our documented instructions
- Implement appropriate technical and organisational security measures
- Notify us promptly of any data breaches
- Delete or return data at the end of the engagement
8.3 International Data Transfers
Where personal data is transferred outside India or the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the relevant regulatory authority
- Adequacy decisions recognising the destination country’s data protection standards
- Binding Corporate Rules or other approved transfer mechanisms
We maintain a register of all international data transfers and the safeguards applied.
9. Data Subject Rights
SecureITSimply respects the rights of individuals with respect to their personal data. Subject to applicable law and certain exemptions, data subjects have the following rights:
| Right | Description | Response Timeframe |
|---|---|---|
| Right of Access | Request a copy of personal data we hold about you (Subject Access Request) | 30 days |
| Right to Rectification | Request correction of inaccurate or incomplete personal data | 30 days |
| Right to Erasure | Request deletion of personal data where no longer necessary or where consent is withdrawn | 30 days |
| Right to Restriction | Request that we limit processing of your personal data in certain circumstances | 30 days |
| Right to Data Portability | Receive your personal data in a structured, machine-readable format (where applicable) | 30 days |
| Right to Object | Object to processing based on legitimate interests or for direct marketing | Immediate (for marketing) |
| Right to Withdraw Consent | Withdraw consent at any time where processing is consent-based; withdrawal does not affect prior lawful processing | Immediate effect |
| Right not to be Profiled | Not to be subject to solely automated decision-making that produces legal or significant effects | 30 days |
To exercise any of these rights, data subjects should submit a written request to: privacy@secureitsimply.com. We will verify the identity of the requester before processing any request and may request additional information where necessary.
10. Technical and Organisational Security Measures
As a cybersecurity company, data security is central to our operations. We implement the following measures to protect personal data:
10.1 Technical Controls
- End-to-end encryption for data in transit (TLS 1.2 minimum) and data at rest (AES-256)
- Multi-factor authentication (MFA) enforced across all internal systems
- Role-based access control (RBAC) limiting data access to authorised personnel only
- Continuous security monitoring via SIEM and intrusion detection systems
- Regular vulnerability assessments and penetration testing
- Automated patch management and endpoint protection on all company devices
10.2 Organisational Controls
- All staff complete mandatory data protection and information security training annually
- Confidentiality and data protection clauses included in all employment and contractor agreements
- Documented data handling procedures and access request workflows
- Supplier and sub-processor due diligence conducted before engagement
- Physical security controls for any on-premises infrastructure
10.3 Privacy by Design
SecureITSimply embeds privacy by design and by default into all new systems, services, and processes. Data Protection Impact Assessments (DPIAs) are conducted for any high-risk processing activity before commencement.
11. Data Breach Detection and Response
11.1 Detection and Reporting
All staff are required to report suspected or confirmed data breaches immediately to the Data Protection Officer (DPO) via the internal incident reporting channel. A breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
11.2 Assessment and Notification
Upon becoming aware of a breach, the DPO will assess the risk to data subjects within 24 hours. Notification obligations are as follows:
- Regulatory authority (e.g., CERT-In, Data Protection Board of India, or ICO for UK/EU data): within 72 hours of becoming aware, where the breach is likely to result in risk to individuals
- Affected data subjects: without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Affected clients (where we are acting as Processor): promptly, as specified in the applicable DPA
11.3 Documentation
All data breaches, regardless of whether notification is required, must be documented in our Breach Register. Records include: nature of the breach, data categories and volume affected, likely consequences, and remedial actions taken.
12. Data Retention and Secure Deletion
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law or contract. Retention periods are specified in our Data Retention Schedule, which is reviewed annually.
12.1 End-of-Retention Actions
Upon expiry of the retention period, personal data is:
- Securely deleted from electronic systems using NIST-compliant data sanitisation methods
- Physically destroyed where held in paper or physical format (cross-cut shredding or certified destruction)
- Anonymised, where anonymised data serves a legitimate ongoing purpose
12.2 Client Data
Where SecureITSimply processes client data as a Processor, data is returned to the client or securely deleted within 30 days of contract termination, unless retention is required by law. Confirmation of deletion is provided in writing.
13. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Management / Directors | Overall accountability for data protection compliance; approving this Policy and associated resources. |
| Data Protection Officer (DPO) | Day-to-day oversight of data protection compliance; handling data subject requests; managing breach response; liaising with regulators; maintaining the data register. |
| IT & Security Team | Implementing and maintaining technical security controls; conducting DPIAs; managing sub-processor security reviews. |
| All Staff | Complying with this Policy and related procedures; completing mandatory training; reporting suspected breaches or compliance concerns promptly. |
| HR Department | Ensuring employee data is processed in accordance with this Policy; managing data subject access requests from employees. |
| Sales & Marketing | Ensuring marketing activities comply with consent requirements; maintaining accurate CRM records and opt-out preferences. |
14. Our Role as a Data Processor
When SecureITSimply delivers managed security services, we frequently process personal data on behalf of our clients, who act as Data Controllers. In this capacity, we:
- Process data strictly in accordance with documented client instructions as set out in the applicable Data Processing Agreement (DPA)
- Refrain from processing client data for any purpose other than as instructed or required by law
- Ensure all personnel with access to client data are subject to confidentiality obligations
- Assist clients in meeting their obligations to respond to data subject requests
- Provide clients with all necessary information to demonstrate compliance and support audits
- Seek prior written approval from clients before engaging any new sub-processor
A standard DPA is available for clients upon request and is included as an addendum to all managed services contracts.
15. Cloud and Third-Party Service Usage
SecureITSimply uses the following categories of third-party services that may process personal data:
| Category | Purpose | Safeguard |
|---|---|---|
| Cloud Infrastructure (e.g., AWS, Azure) | Hosting, storage, compute | DPA in place; data residency controls applied |
| CRM / Email Marketing | Client relationship management, communications | DPA in place; consent-based processing only |
| IT Service Desk / Ticketing | Support and incident management | DPA in place; access restricted to authorised staff |
| HR & Payroll Software | Employee data management | DPA in place; India-compliant provider |
| Video Conferencing | Client and internal meetings | DPA in place; no recording without consent |
| Background Check Providers | Employment screening | Explicit consent obtained from individuals |
A complete and up-to-date sub-processor register is maintained by the DPO and is available to clients upon request.
16. Policy Review and Updates
This Policy is reviewed at least annually by the Data Protection Officer and updated as necessary to reflect:
- Changes in applicable data protection legislation or regulatory guidance
- New processing activities or significant changes to existing activities
- Lessons learned from data breaches, audits, or data subject complaints
- Changes to the Company’s business operations or technology landscape
Material changes to this Policy will be communicated to all staff and relevant stakeholders. The current version is published on our intranet and, where appropriate, on our website.
17. Compliance and Enforcement
Compliance with this Policy is mandatory for all SecureITSimply personnel. Failure to comply may result in disciplinary action, up to and including termination of employment or contract, and may also give rise to legal liability.
Any concerns about data protection practices, including potential breaches of this Policy, should be raised with the DPO at the earliest opportunity. Whistleblowing protections apply to good-faith reports.
18. Contact and Data Protection Officer
For any questions, requests, or concerns regarding this Policy or the processing of personal data, please contact:
Data Protection Officer
SecureITSimply
General Enquiries: contact@secureitsimply.com
Website: www.secureitsimply.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India (for Indian residents) or your local supervisory authority (for EU/UK residents).