Company: Design Direct Web Solutions Ltd
Registered: United Kingdom
Established: 2012
Version: 1.0
Effective Date: 23 September 2025
1) Introduction & Scope
Design Direct Web Solutions ("Design Direct", "we", "us") delivers web, data, AI/ML, and digital platforms for clients in the UK and globally. Trust, privacy, and information security are foundational to our services. This whitepaper sets out our approach to safeguarding personal data, securing applications and infrastructure, and aligning with applicable laws and standards, including (as applicable to the engagement):
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- EU General Data Protection Regulation (EU GDPR) where we act as processor for EU subjects
- Privacy and Electronic Communications Regulations (PECR) (cookies/marketing)
- Applicable client contractual and sector requirements
Scope: This document covers Design Direct's core operations, engineering and delivery processes, data handling, and controls across people, process, and technology. Client-specific addenda (e.g., sector rules, data residency, bespoke SLAs) are appended to Statements of Work (SoW) or Data Processing Agreements (DPA) as needed.
2) Our Privacy Commitment
We treat privacy as a fundamental right and follow these principles:
- Lawfulness, fairness, transparency: Clear purposes, lawful bases, and accessible notices.
- Purpose limitation: Process data only for specified, explicit purposes agreed with clients.
- Data minimisation: Collect and process the minimum required to deliver the service.
- Accuracy: Keep data accurate and up to date where feasible.
- Storage limitation: Retain data only as long as necessary for the stated purpose.
- Integrity & confidentiality: Protect data with appropriate security (technical & organisational measures).
- Accountability: Evidence our compliance through policies, training, and audit trails.
- Respect for data subject rights: Provide mechanisms to exercise access, rectification, deletion, restriction, portability, and objection rights.
3) Roles, Responsibilities & Governance
- Data Controller / Processor: We generally act as a processor for client data. For Design Direct's own marketing/HR data we are the controller.
- Executive Ownership: CEO & Board provide oversight for privacy and security risk.
- Data Protection Lead (DPL): Responsible for privacy governance, DPIAs, incident coordination, and regulatory liaison. (Contact: info@designdirect.co.uk)
- Security Lead (CISO‑function): Owns security policy, threat management, and assurance.
- Engineering Managers: Ensure secure SDLC, code quality, and environment controls.
- All Staff & Contractors: Mandatory privacy/security training and acceptable‑use adherence.
Governance cadences: quarterly risk review, monthly vulnerability posture review, change advisory board (CAB) for high‑risk changes, and annual policy review.
4) Lawful Bases & Processing Activities
We rely on lawful bases appropriate to each activity:
- Contract performance: To build, host, support, and maintain client solutions.
- Legitimate interests: Service improvement, fraud prevention, and security monitoring (assessed via Legitimate Interest Assessments as needed).
- Consent: Email marketing and optional cookies; parental consent where required for minors.
- Legal obligation: Record‑keeping, tax, and incident reporting where applicable.
Typical processing (as a processor for clients): customer accounts, authentication, transaction records, support communications, analytics (as configured), and integrations with third‑party providers chosen by the client.
5) Data Categories & Sensitivity
- Common personal data: names, contact details, IDs, usage logs.
- Special category data: Only processed if contractually required and with appropriate safeguards (e.g., encryption, access controls, DPIA, SCC/IDTA where transferred internationally). We advise avoiding special category data unless necessary.
- Children's data: Handled only under explicit client instruction with enhanced safeguards and verifiable consent mechanisms.
6) Data Flow & Residency
- Residency options: UK/EU hosting available upon request. By default we provision UK/EU regions for UK/EU clients unless otherwise agreed.
- Data transfer mechanisms: For international transfers (e.g., UK↔EU↔India, or sub‑processors outside the UK/EU), we implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), plus Transfer Risk Assessments where required.
- India delivery centre: Our Kerala engineering centre operates under processor obligations, least‑privilege access, VPN, device management, logging, and contractual data protection terms.
7) Security Framework & Standards Alignment
We align our controls with recognised frameworks and best practices:
- ISO/IEC 27001/27002: Policy, risk management, asset controls, supplier security, business continuity (alignment, not a certification claim).
- NCSC & Cyber Essentials Plus controls: Baseline hardening, patching, malware protection, MFA, and secure configuration (alignment).
- OWASP ASVS & OWASP Top 10: Secure application design, coding, and testing.
8) Organisational Security
- Policies: Information Security Policy, Acceptable Use, Access Control, Secure Development, Incident Response, Backup & Recovery, Vendor Management, Mobile/Remote Work.
- Training & Awareness: Mandatory induction and annual refreshers; role‑based training for engineers (secure coding, secrets handling) and operations (phishing drills).
- Screening & Contracts: Background checks as permitted by law; NDAs and confidentiality clauses for all staff/contractors.
- Asset Management: Hardware and software inventories; device encryption; MDM for corporate endpoints; removal of access on leavers within 24 hours.
9) Technical Security Controls
- Identity & Access Management: SSO/MFA, role‑based access (RBAC), just‑in‑time elevated access for admin tasks, periodic entitlement reviews.
- Network Security: Segmented VPCs/VNETs, private subnets, security groups/NSGs, WAF/CDN for public apps, VPN/Zero‑Trust access for admin.
- Endpoint Security: Full‑disk encryption, EDR/anti‑malware, automatic patching, device posture checks.
- Encryption: TLS 1.2+ in transit; AES‑256 at rest (platform‑native KMS/HSM); key rotation and separation of duties for key management.
- Secrets Management: No secrets in code; use of secret managers and environment variables; short‑lived credentials for CI/CD.
- Logging & Monitoring: Centralised logs, immutable storage, time‑sync, alerting for auth anomalies, privilege changes, data‑exfil indicators.
- Backups & Recovery: Daily snapshots for critical systems, geographically redundant storage, periodic restore tests; documented RPO/RTO targets agreed per client.
- DDoS & Abuse Protection: Provider‑level DDoS protections, rate limiting, captcha/abuse controls where applicable.
10) Secure Development Lifecycle (SSDLC)
- Design: Threat modelling for new features and high‑risk changes; privacy‑by‑design checklists.
- Build: Coding standards referencing OWASP; dependency scanning (SCA); secrets scanning in repos.
- Test: Static (SAST) and dynamic (DAST) analysis; unit/integration tests; security test cases; test data is synthetic or anonymised.
- Review: Mandatory peer reviews; security sign‑off for high‑risk changes via CAB.
- Release: CI/CD with artifact signing; environment segregation (dev/test/stage/prod); infrastructure‑as‑code reviews.
- Operate: Continuous monitoring; monthly patch windows; regular vulnerability scans and tracked remediation SLAs.
- Assure: Annual third‑party penetration testing on in‑scope systems or per client request.
11) AI/ML & Data Ethics
- Data handling: Training data is contract‑bounded; we avoid ingesting client personal data into shared model corpora unless explicitly contracted with safeguards.
- Model risk: Bias and fairness assessments where models influence individual outcomes; explainability documentation for decision‑affecting systems.
- Retention: Reproducible pipelines; ability to retrain without retaining personal data permanently unless required.
12) Vendor & Sub‑processor Management
- Selection & Due Diligence: Security/privacy questionnaire, technical evaluation, data residency and transfer safeguards.
- Contracts: DPAs with standard clauses; security obligations and breach notification terms.
- Monitoring: Annual reassessment or event‑driven reviews; right to audit where appropriate.
A current sub‑processor list can be provided under NDA and includes hosting, email delivery, observability, and support tooling providers as relevant to each engagement.
13) Data Subject Rights (DSRs)
We assist controllers (our clients) in fulfilling DSRs:
- Access/Portability: Export in common formats where technically feasible.
- Rectification/Erasure: Update or delete personal data on verified, lawful request.
- Restriction/Objection: Implement flags or suppression lists as instructed.
- Verification: Reasonable identity verification prior to fulfilment; logging of requests and responses.
Contact: info@designdirect.co.uk (for requests relating to Design Direct as controller) or route via the relevant client (controller) for project data.
14) Incident Response & Breach Notification
- Detection: 24×7 alerting on critical systems; triage runbooks; severity matrix.
- Containment & Eradication: Access revocation, isolation, forensic capture of volatile data, patching.
- Communication: Notify affected clients without undue delay where an incident affects their data; support client regulatory notifications.
- Post‑Incident: Root‑cause analysis (RCA), corrective actions, lessons learned, and policy/process updates.
15) Business Continuity & Disaster Recovery (BC/DR)
- BCP: Documented continuity plans for people, facilities, suppliers, and technology.
- DR: Priority restoration order for critical services; failover runbooks; periodic exercises.
- RTO/RPO: Defined per client system based on impact and contractual SLAs.
16) Retention & Deletion
- Default: Keep personal data only for the duration necessary to provide services and meet legal/contractual needs.
- Project Close: Upon termination/expiry, return or delete client data within agreed timeframes; secure wipe of storage and backups as feasible.
- Schedules: Retention schedules for logs, backups, and project artefacts are documented and can be customised per engagement.
17) Cookies & Tracking (for Websites/Apps We Operate)
- Consent: Obtain and record user consent for non‑essential cookies in relevant jurisdictions.
- Controls: Granular cookie preferences; honour Global Privacy Control (where supported).
- Disclosures: Maintain up‑to‑date cookie notices listing providers, purposes, and lifetimes.
18) Physical & Environmental Security
- Offices: Controlled access, CCTV where applicable, clean‑desk, locked storage for media.
- Data Centres/Cloud: We leverage leading cloud providers with certified facilities (e.g., ISO 27001, SOC 2 maintained by the provider). Data centre certifications are inherited from the provider at the infrastructure layer; our responsibilities cover secure configuration and application security.
19) Customer Responsibilities (Shared Responsibility Model)
Security and compliance are shared responsibilities:
- Client (Controller): Define lawful purposes; provide notices; choose configurations; review access lists; approve data sharing.
- Design Direct (Processor): Implement agreed controls, process data per instructions, assist with DSRs and DPIAs, report incidents.
- Cloud/Third Parties: Provide resilient, compliant infrastructure and services.
20) Audits, Assurance & Reporting
- Evidence on request: Policy excerpts, training summaries, vulnerability management reports, pen‑test executive summaries (under NDA).
- Client audits: Supported by prior arrangement and within reasonable scope.
- Metrics: Patch SLAs, vulnerability age, MFA coverage, phishing simulation results, and incident MTTR tracked internally.
21) Contact & Escalation
- General & Privacy: info@designdirect.co.uk
- Security Reporting (vuln/abuse): info@designdirect.co.uk
- Postal: Design Direct Web Solutions Ltd, London, United Kingdom
22) Change Log
- v1.0 (23‑Sep‑2025): Initial consolidated privacy & security whitepaper.
Appendix A: Example Retention Schedule (Baseline)
| Data Type | Typical Retention | Notes |
| --- | --- | --- |
| Application logs | 90 days (active), 12 months (archive) | Pseudonymise/anonymise where possible |
| Backups | 30–90 days | Encrypted; periodic restore tests |
| User accounts | Life of contract + 90 days | Or as instructed by controller |
| Support tickets | 24 months | May contain personal data; redact where feasible |
| CI/CD artifacts | 12 months | Signed where applicable |
Appendix B: Incident Severity Matrix (Excerpt)
| Severity | Example | Initial Response Target |
| --- | --- | --- |
| Sev‑1 (Critical) | Confirmed breach of personal data at scale; production outage > 1h for critical systems | 15 minutes |
| Sev‑2 (High) | Elevated suspicious activity; limited data exposure; partial outage | 1 hour |
| Sev‑3 (Moderate) | Contained vulnerability; no evidence of data loss | 4 hours |
| Sev‑4 (Low) | Minor policy deviation; informational alerts | Next business day |
Appendix C: Glossary
- Controller/Processor: Roles defined under GDPR/UK GDPR.
- DPIA: Data Protection Impact Assessment.
- DSR: Data Subject Right.
- IDTA/SCC: UK International Data Transfer Agreement / EU Standard Contractual Clauses.
- RPO/RTO: Recovery Point Objective / Recovery Time Objective.
- SAST/DAST/SCA: Static Application Security Testing / Dynamic Application Security Testing / Software Composition Analysis (dependency scanning).
- OWASP ASVS: Application Security Verification Standard.