ZYC-INFO-001 Information Security & Data Protection Policy


Purpose

To safeguard Zeyro’s information assets and ensure compliance with the UK data-protection regime (UK GDPR and Data Protection Act 2018) and the UK MiFID framework where relevant to client data and records. This policy defines how we protect, manage, and respond to risks involving information and personal data across our business operations.


Scope

Applies to all Zeyro staff, directors, contractors, and any third party with access to Zeyro’s systems — including Microsoft 365, the Atlassian Suite (Jira, Jira Service Management, Confluence), Rippling, and GitBook.


Policy Statement

Zeyro’s approach to information security is based on three principles:

  • Confidentiality – information is only accessible to authorised people.

  • Integrity – information is accurate and protected from unauthorised modification.

  • Availability – information and systems are accessible to authorised users when needed.

All personal data must be processed lawfully, fairly, and transparently, collected only for specific business purposes, minimised to necessity, kept accurate, and securely deleted when no longer needed.


Information Security Framework

1. System Security

  • All core data is stored in Microsoft 365 (SharePoint, OneDrive, Teams, Outlook) and the Atlassian Suite, protected with encryption in transit and at rest.

  • Multi-Factor Authentication (MFA) is required for all user accounts.

  • Access is role-based, reviewed quarterly, and revoked immediately upon termination.

  • All systems employ automated backups and cloud redundancy.

  • Devices must use password protection, automatic locking, and up-to-date antivirus software.

2. Data Handling

  • Access personal data only when required for legitimate business purposes.

  • Do not store company or client data locally unless the local copy is temporary and encrypted.

  • Classify information as Public, Internal, or Confidential, and handle accordingly.

  • External sharing of personal data requires authorisation and a valid lawful basis under the UK data-protection regime.

3. Data Breach Response

  • A data breach includes any loss, unauthorised access, or alteration of personal data.

  • All suspected breaches must be reported immediately to the MLRO via [email protected].

  • The MLRO investigates and determines whether the incident must be reported to the ICO (within 72 hours of Zeyro becoming aware of it) and, if required, to affected individuals.

  • A Breach Register is maintained in Confluence.

4. Data Subject Rights

  • Individuals have rights to access, correct, delete, restrict, or transfer their personal data.

  • Any request must be forwarded immediately to the MLRO.

  • Responses are coordinated within one month, in line with the UK data-protection regime.

5. Cloud & Third-Party Oversight

  • Only approved platforms — Microsoft 365, Atlassian Suite, Rippling, and GitBook — may store or process company data.

  • Vendors handling personal data must meet equivalent security and privacy standards, with contractual data-protection and audit clauses in place.

6. Staff Training

  • All staff complete onboarding and annual refresher training on information security and data protection.

  • Training records are maintained in Rippling and the Training Register.

7. Incident Management

  • Security or data incidents (e.g., phishing, lost devices, or unauthorised access) must be reported immediately to the MLRO.

  • The MLRO and operational lead will assess and document the incident.

  • Notification to regulators or clients will occur only when legally required.

8. Record Keeping and Retention

  • All records are retained and deleted according to ZYC-REC-001 Record Keeping & Data Retention Policy.

  • Evidence of training, access reviews, and incidents is retained for at least five years.


Roles and Responsibilities

  • All staff – safeguard information and report incidents or requests promptly.

  • Operational staff – implement access and security controls.

  • MLRO (SMF 16/17) – oversees compliance, breach management, and ICO engagement.

  • Board – approves this policy and reviews control effectiveness annually.


Review

This policy is reviewed annually or after any major system change, incident, or regulatory update.


Document Control

  • Policy Code – ZYC-INFO-001

  • Policy Title – Information Security & Data Protection Policy

  • Document Owner – Gareth Malna, MLRO (SMF 16 & 17)

  • Responsible Reviewer(s) – Zeyro Board

  • Version – v 1.0

  • Date Approved – October 2025

  • Next Scheduled Review – October 2026

  • Change History – v 1.0 (Oct 2025): Consolidated security and data-protection framework.

  • Classification – Internal policy; distributed to all staff and available to regulators on request.

  • Last updated