
Information Security Policy
1. Purpose

This policy defines ScaleOps Search Ltd’s approach to safeguarding information assets, ensuring confidentiality, integrity, and availability while complying with the UK GDPR and the Data Protection Act 2018.
2. Scope

Applies to the owner, any employees, contractors, systems, cloud services, and any third parties processing data on behalf of ScaleOps.
3. Roles & Responsibilities

The Owner is accountable for implementing security controls, GDPR compliance, risk management, and incident response. Contractors must adhere to this policy. The policy is reflected in our contracts with clients, candidates and contractors.
4. GDPR Compliance & Consent

Candidate CVs or personal details are never sent to clients without the candidate’s explicit written permission. Consent is to be documented and stored securely. Candidates are informed of how their data will be used, and their rights under GDPR.
5. Data Storage & Handling

No candidate or client data is stored on laptops or local devices. All data is stored securely in approved cloud platforms (e.g., M365 or ATS) with MFA enabled. Data is only stored when absolutely necessary and for the minimum time required.
6. Access Control

Access is restricted to the Owner only. MFA and strong passwords are enforced on all systems. Permissions are reviewed quarterly.
7. Encryption

All data at rest in cloud storage is encrypted. Data in transit uses TLS. Sensitive files are never sent unencrypted; if password-protected files are used, passwords are shared via a separate channel.
8. Email & Phishing Protection

Verify any requests for payment or bank detail changes via a known channel. Secure portals or encrypted email are always used for sensitive attachments.
9. Data Retention & Deletion

Candidate data is retained only as long as necessary for recruitment purposes (typically 12–24 months, unless consent persists). Secure deletion is applied when data is no longer needed.
10. Backups & Business Continuity

Cloud services with versioning and automated backups are used. Restore tests are conducted semi-annually.
11. Supplier & Third-Party Management

Due diligence is performed on all suppliers handling data. Data Processing Agreements (DPAs) are in place where required.
12. Incident Response

Any suspected breach is reported immediately to the Owner. Incidents are logged, contained, assessed, and reported to the ICO and affected parties within statutory timelines if required.
13. Monitoring & Review

Audit logs are enabled on cloud services. Monthly reviews are conducted to check for suspicious activity. The policy is reviewed annually or after significant changes.
14. Training & Awareness

The Owner stays up to date with GDPR and security policies and keeps records of necessary changes and any training that needs to be undertaken.
15. Governance

Non-compliance may result in disciplinary or contractual action. Related documents include the Data Protection Policy, Records Retention Schedule, and Incident Response Plan.
Signed:
Amie Capron, Managing Director, ScaleOps Search Ltd
Date: 18th July 2025

Version: 1.0 | Effective from: 18th July 2025 | Approved by: Owner / Managing Director (Amie Capron)