Data Protection Policy

ECS Technology Solutions


1. Purpose

ECS Technology Solutions ("the Company") is committed to safeguarding all personal data it processes while delivering managed IT, cloud, and security services to our customers. This policy establishes the principles, roles, and controls that ensure personal data are collected, stored, transmitted, shared, and disposed of lawfully, fairly, transparently, and securely across all environments we manage—whether on-premises, in Microsoft 365, AWS, Azure, Google Cloud, or other third-party platforms.

2. Scope

This policy applies to:

  • People: All employees, contractors, and third parties who process personal data on behalf of ECS Technology Solutions.
  • Systems: All information systems (servers, endpoints, SaaS, PaaS, IaaS, on-prem, network devices) under the Company's control or management.
  • Data: Any personal data (customer, employee, partner, or end-user) processed by ECS Technology Solutions in the course of providing services.

3. Definitions

Term | Meaning (abridged)
Personal Data | Information that can identify a living individual directly or indirectly.
Processing | Any operation performed on personal data (collection, storage, alteration, transfer, deletion, etc.).
Data Subject | The individual identified or identifiable by personal data.
Controller / Processor | The entity that determines the purposes and means of processing / the entity that processes on another's behalf.
Special Category Data | Sensitive data (e.g., health, biometrics, racial or ethnic origin) requiring extra protection.
Sub-Processor | A third party engaged by the Company to process personal data.

4. Data Protection Principles

ECS Technology Solutions follows these core principles:

  • Lawfulness, Fairness & Transparency: Process only on a valid legal basis and communicate clearly with data subjects.
  • Purpose Limitation: Use personal data only for explicit, legitimate purposes.
  • Accuracy: Keep personal data accurate and up-to-date.
  • Integrity & Confidentiality: Apply appropriate security controls to protect personal data.
  • Accountability: Demonstrate compliance with this policy at all times.

Note: Data minimisation and storage-limitation principles are not adopted due to current technical constraints.

5. Legal Bases for Processing

Every service or project must document its lawful basis for processing (e.g., contract, consent, legal obligation). Records are maintained within the relevant project or service documentation.

6. Roles & Responsibilities

Role | Responsibility
Owner / CEO | Provides overall direction and resources; approves this policy.
Chief Technology Officer (CTO) | Implements technical controls; ensures secure architecture across cloud and on-prem environments.
Information Security Manager | Operates the security operations centre (SOC); manages incident response; enforces vulnerability management.
Service Delivery Managers / System Owners | Ensure processing activities under their remit comply with this policy.
All Staff & Contractors | Complete monthly training; follow this policy; report incidents promptly.

7. Data Classification & Handling

Classification | Examples | Handling Rules
Public | Marketing website content | No restrictions.
Internal | Internal policies, project documentation | Share within the Company via access-controlled systems.
Confidential | Customer names, emails, ticket notes | Encrypt at rest and in transit; restrict on a need-to-know basis; log access.
Highly Confidential | Health data, payment card information, credentials | Strong encryption (AES-256 preferred; if unavailable, the best available algorithm); MFA; store only in approved secrets managers; continuous monitoring; IAM controls mandatory.

8. Data Subject Rights

ECS Technology Solutions recognises and fulfils data subject rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Requests must be submitted by email to support@ecs.rocks; a ticket is generated automatically and tracked to closure within 30 calendar days.

9. Security Measures

  • Encryption: AES-256 is the standard; where unavailable, use the strongest algorithm supported by the platform. Data in transit must use TLS 1.3 or equivalent.
  • Identity & Access Management (IAM): Utilise IAM wherever available. Systems containing Highly Confidential information must be governed by IAM with least-privilege roles and MFA enforced.
  • Secrets Management: AWS Secrets Manager, Azure Key Vault, Keeper, and Hudu are the approved tools. Secrets are never stored in plaintext or embedded in code. Rotation is automated where possible.
  • Vulnerability & Patch Management: Vulnerability scanning runs continuously. Critical patches are deployed immediately once validated; all other patches are applied in the next maintenance window.
  • Endpoint Security: EDR/AV on all managed devices; device encryption; remote wipe capability.
  • Network Security: Segmented networks, firewalls, and intrusion detection/prevention. (VPN solutions are not part of the core security stack.)
  • Logging & Monitoring: Centralised log aggregation (SIEM) with 30-day retention by default; real-time alerts for anomalous activity.
  • Third-Party Risk Management: Due diligence and annual reassessment of sub-processors.
  • Secure Development Lifecycle: Code reviews, dependency scanning, secret-checking, automated tests.
  • Backup & DR: Automated backups, encrypted, off-site replication; documented RTO/RPO.
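Two of the bullets above (Secrets Management: secrets are never embedded in code; Secure Development Lifecycle: secret-checking) describe a control that is simple to state but needs tooling to enforce. The following is an added illustration of such a check, written for this page; it is not part of the policy and not tooling ECS Technology Solutions uses. The rule set, the 4.0 bits-per-character entropy cut-off, and the sample file are assumptions made for the example; the two AWS values in the sample are the example credentials published in AWS's own documentation, not live keys.

```python
"""Illustrative secret-checking gate (added example; assumptions noted inline).

Runs three pattern rules plus a Shannon-entropy rule over each line of a
file and returns findings suitable for failing a CI job.  The rule set,
thresholds and the sample file below are assumptions made for this example,
not ECS Technology Solutions' actual tooling or rule set.
"""
import math
import re
from collections import Counter

# Pattern rules (assumed formats; extend for other providers as needed).
PATTERNS = {
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM header of a private key pasted into a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-looking name assigned a quoted literal of 8+ characters.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Quoted literals long enough to be worth an entropy check.
QUOTED = re.compile(r"['\"]([^'\"]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base64/hex sits well above 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> set:
    """Names of every rule that fires on this line (empty set if none)."""
    hits = {name for name, pat in PATTERNS.items() if pat.search(line)}
    for literal in QUOTED.findall(line):
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            hits.add("high_entropy_string")
            break
    return hits


def scan_text(text: str) -> list:
    """Findings as dicts: 1-based line number, rule name, masked excerpt."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in sorted(scan_line(line)):
            # Never echo the full secret into CI logs; keep a short prefix.
            findings.append({"line": lineno, "rule": rule,
                             "excerpt": line.strip()[:24] + "..."})
    return findings


def ci_gate(text: str) -> int:
    """Exit status for a pre-commit/CI hook: 1 if anything was found."""
    return 1 if scan_text(text) else 0


# Constructed sample file; the AWS values are the documented AWS
# example credentials, not real keys.
SAMPLE = """\
# constructed sample of a config file with embedded credentials
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "correct horse battery staple"
api_token = os.environ["API_TOKEN"]           # fine: read from the environment
secret = get_secret("prod/db/password")       # fine: fetched from a secrets manager
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']}: {f['excerpt']}")
    raise SystemExit(ci_gate(SAMPLE))
```

Run against the sample, the gate flags the access key ID (pattern), the secret access key (both the assignment rule and the entropy rule, since the 40-character value has about 4.7 bits per character), the hard-coded passphrase (assignment rule only; English text stays below the entropy threshold), and the private key header, while the two lines that read the value from the environment or a secrets manager pass. The pattern and entropy rules are deliberately kept separate because each misses what the other catches: a known key format with low entropy, and an unlabelled random token with no recognisable prefix.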

10. Data Retention & Disposal

Personal data stored within Company-controlled systems are retained indefinitely unless deletion is requested by a data subject, required by contract, or mandated by law. When data are deleted, they are securely destroyed (crypto-shred, secure erase) or anonymised. Paper records are cross-cut shredded.

11. Incident Response & Breach Notification

  1. Detect & Contain: SOC analyses alerts, isolates affected systems, revokes credentials.
  2. Assess: Determine scope, data types, and risk.
  3. Notify: Inform affected customers and, where legally required, supervisory authorities "without undue delay." Notifications are coordinated by the Information Security Manager and CTO.
  4. Remediate & Learn: Eradicate root cause, recover services, perform post-incident review.

12. Training & Awareness

  • Monthly security & data-protection training and phishing simulations delivered via KnowBe4.
  • Remedial training assigned for simulation failures.

13. Monitoring & Audit

  • Continuous compliance checks via automated tooling (AWS Config, Intune, CIS benchmarks).
  • Internal audits at least annually; findings reported to the Owner/CEO with remediation plans.

14. Policy Review

The CTO reviews this policy at least annually—or sooner if laws, regulations, or business processes change—and submits revisions to the Owner/CEO for approval.