Contents
1. Introduction
2. Our promise to you
3. Data protection
4. Cyber Essentials
5. Protecting your information
6. Secure infrastructure
7. Employee training and awareness
8. Incident response preparedness
9. Compliance and standards
10. Declaration
Introduction
At That Little Agency (TLA), we take the security and confidentiality of our clients’ information very seriously. As a small business, we understand that trust is essential, and we are fully committed to safeguarding your data through strong, responsible security practices.
Information is a key asset for TLA and our clients, and protecting this asset is vital for our organisation. Information is precious to any business, and we understand that you rely on us to ensure that the information we handle remains safe and secure.
We trust each of our employees to look after the best interests of the business, our employees and clients at all times, and to respect our requirement for information security and confidentiality. Good security is a commercial necessity.
Our promise to you
At TLA, protecting your information is not just a policy – it’s part of who we are. We continuously review and strengthen our security practices to ensure your data remains safe and private.
If you have any questions about how we protect your information, don’t hesitate to contact us at data@www.thatlittleagency.co.uk.
Data protection
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those with a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We’ll notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Cyber Essentials
We’re working towards Cyber Essentials accreditation and will have this by the end of June 2025. In the meantime, we’ve undergone an audit against the key areas and can confirm that we:
- Have a firewall in place to secure our Internet connection;
- Choose the most secure settings for our devices and software;
- Control who has access to our data and services;
- Protect ourselves from viruses and other malware;
- Keep our devices and software up to date.
We’re happy to undergo further information security audits. We understand that Cyber Essentials is rapidly growing into an industry standard. Once we have the Cyber Essentials certificate, we’ll be happy to share this with you.
For more information on Cyber Essentials, visit www.cyberessentials.ncsc.gov.uk
Protecting your information
We implement stringent measures to ensure that all client data is handled securely:
Encryption
All sensitive information is encrypted both in transit (using SSL/TLS protocols) and at rest.
Data access
Access to client data is strictly limited to authorised personnel based on role necessity.
Data retention
We retain client data only for as long as necessary to fulfil our business obligations or comply with legal requirements.
Access control and authentication
We employ strict controls to prevent unauthorised access:
- All employee accounts are protected by strong passwords and Multi-Factor Authentication (MFA) wherever possible.
- Our systems are designed to follow the principle of Least Privilege, ensuring that only essential personnel have access to sensitive information.
Secure infrastructure
Regular backups
Client data is backed up daily and securely stored.
System monitoring
Our systems are regularly monitored and updated to protect against evolving threats.
Secure remote access
Any remote access to our systems is conducted via secure VPNs and encrypted channels.
Employee training and awareness
Every team member undergoes regular cybersecurity training to stay informed on best practices, including:
- Identifying phishing attempts and social engineering tactics.
- Safe handling of client data.
- Immediate reporting and response to any potential security incidents.
Incident response preparedness
While we work diligently to prevent incidents, we are prepared to act swiftly and transparently in the unlikely event of a data breach:
- We have clear procedures in place to contain and investigate incidents.
- We are committed to promptly notifying affected clients if their information is ever compromised.
Compliance and standards
We strive to align our policies and practices with recognised standards and regulations such as:
- General Data Protection Regulation (GDPR)
- Other relevant privacy laws based on client location or industry.
Declaration
This statement was last reviewed, updated and approved on 31st January 2025.