Company: Design Direct Web Solutions Ltd
Registered: United Kingdom
Established: 2012
Version: 1.0
Effective Date: 23 September 2025
Introduction & Scope
Design Direct Web Solutions (“Design Direct”, “we”, “us”) delivers web, data, AI/ML, and digital platforms for clients in the UK and globally. Trust, privacy, and information security are foundational to our services. This whitepaper sets out our approach to safeguarding personal data, securing applications and infrastructure, and aligning with applicable laws and standards, including (as applicable to the engagement):
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- EU General Data Protection Regulation (EU GDPR) where we act as processor for EU subjects
- Privacy and Electronic Communications Regulations (PECR) (cookies/marketing)
- Applicable client contractual and sector requirements
Scope: This document covers Design Direct’s core operations, engineering and delivery processes, data handling, and controls across people, process, and technology. Client-specific addenda (e.g., sector rules, data residency, bespoke SLAs) are appended to Statements of Work (SoW) or Data Processing Agreements (DPA) as needed.
Our Privacy Commitment
We treat privacy as a fundamental right and follow these principles:
- Lawfulness, fairness, transparency: clear purposes, lawful bases, and accessible notices
- Purpose limitation: process data only for specified, explicit purposes agreed with clients
- Data minimisation: collect and process the minimum required to deliver the service
- Accuracy: keep data accurate and up to date where feasible
- Storage limitation: retain data only as long as necessary for the stated purpose
- Integrity and confidentiality: protect data with appropriate security (technical and organisational measures)
- Accountability: evidence our compliance through policies, training, and audit trails
- Respect for data subject rights: provide mechanisms to exercise access, rectification, deletion, restriction, portability, and objection rights
Roles & Governance
- Data controller / processor: we generally act as a processor for client data. For Design Direct’s own marketing and HR data we are the controller.
- Executive ownership: CEO and Board provide oversight for privacy and security risk.
- Data Protection Lead (DPL): responsible for privacy governance, DPIAs, incident coordination, and regulatory liaison (contact: info@designdirect.io).
- Security Lead (CISO function): owns security policy, threat management, and assurance.
- Engineering managers: ensure secure SDLC, code quality, and environment controls.
- All staff and contractors: mandatory privacy and security training and acceptable-use adherence.
Governance cadences include quarterly risk review, monthly vulnerability posture review, change advisory board (CAB) for high‑risk changes, and annual policy review.
Lawful Bases & Processing Activities
We rely on lawful bases appropriate to each activity:
- Contract performance: to build, host, support, and maintain client solutions
- Legitimate interests: service improvement, fraud prevention, and security monitoring (assessed via Legitimate Interest Assessments as needed)
- Consent: email marketing and optional cookies; parental consent where required for minors
- Legal obligation: record‑keeping, tax, and incident reporting where applicable
Typical processing (as a processor for clients) includes customer accounts, authentication, transaction records, support communications, analytics (as configured), and integrations with third‑party providers chosen by the client.
Data Categories & Sensitivity
- Common personal data: names, contact details, IDs, usage logs
- Special category data: only processed if contractually required and with appropriate safeguards (e.g., encryption, access controls, DPIA, SCC/IDTA where transferred internationally). We advise avoiding special category data unless necessary.
- Children’s data: handled only under explicit client instruction with enhanced safeguards and verifiable consent mechanisms.
Data Flow & Residency
- Residency options: UK/EU hosting available upon request. By default we provision UK/EU regions for UK/EU clients unless otherwise agreed.
- Data transfer mechanisms: for international transfers (e.g., UK–EU–India or sub‑processors outside the UK/EU), we implement appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), plus Transfer Risk Assessments where required.
- India delivery centre: our Kerala engineering centre operates under processor obligations, least‑privilege access, VPN, device management, logging, and contractual data protection terms.
Security Framework & Standards Alignment
We align our controls with recognised frameworks and best practices:
- ISO/IEC 27001/27002: policy, risk management, asset controls, supplier security, business continuity (alignment, not a certification claim)
- NCSC and Cyber Essentials Plus controls: baseline hardening, patching, malware protection, MFA, and secure configuration (alignment)
- OWASP ASVS and OWASP Top 10: secure application design, coding, and testing
Organisational Security
- Policies: Information Security Policy, Acceptable Use, Access Control, Secure Development, Incident Response, Backup and Recovery, Vendor Management, Mobile/Remote Work
- Training and awareness: mandatory induction and annual refreshers; role‑based training for engineers (secure coding, secrets handling) and operations (phishing drills)
- Screening and contracts: background checks as permitted by law; NDAs and confidentiality clauses for all staff and contractors
- Asset management: hardware and software inventories; device encryption; MDM for corporate endpoints; removal of access on leavers within 24 hours
Technical Security Controls
- Identity and access management: SSO/MFA, role‑based access (RBAC), just‑in‑time elevated access for admin tasks, periodic entitlement reviews
- Network security: segmented VPCs/VNETs, private subnets, security groups/NSGs, WAF/CDN for public apps, VPN/Zero‑Trust access for admin
- Endpoint security: full‑disk encryption, EDR/anti‑malware, automatic patching, device posture checks
- Encryption: TLS 1.2+ in transit; AES‑256 at rest (platform‑native KMS/HSM); key rotation and separation of duties for key management
- Secrets management: no secrets in code or committed config; secrets are held in a secret manager and injected into the runtime environment at deploy time; short‑lived credentials for CI/CD
- Logging and monitoring: centralised logs, immutable storage, time‑sync, alerting for auth anomalies, privilege changes, data‑exfil indicators
- Backups and recovery: daily snapshots for critical systems, geographically redundant storage, periodic restore tests; documented RPO/RTO targets agreed per client
- DDoS and abuse protection: provider‑level DDoS protections, rate limiting, captcha/abuse controls where applicable
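The logging and monitoring bullet above names alerting on auth anomalies and privilege changes without showing what such a rule looks like. The following is an added illustration, not Design Direct's tooling: it runs two detections over a constructed JSON‑lines audit log (the field names, the 5‑failures‑in‑10‑minutes threshold and the `change_ref` convention are all assumptions). The first rule flags a successful login that follows a burst of failures for the same account; the second flags an admin role grant that is self‑issued or carries no change reference.

```python
"""Added example: auth-anomaly and privilege-change detection over
constructed JSON-lines audit events. Not Design Direct's tooling; the
field names, thresholds and change-reference convention are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning: 5 failed logins within 10 minutes, then a success
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs). alice: brute force then success,
# then grants herself admin with no change reference. bob: one typo, then
# success. carol: admin granted by an automation account against a CAB ticket.
SAMPLE_LOG = """\
{"ts":"2025-09-23T09:00:01Z","event":"login","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2025-09-23T09:00:05Z","event":"login","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2025-09-23T09:00:09Z","event":"login","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2025-09-23T09:00:14Z","event":"login","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2025-09-23T09:00:20Z","event":"login","user":"alice","src":"203.0.113.7","result":"fail"}
{"ts":"2025-09-23T09:00:31Z","event":"login","user":"alice","src":"203.0.113.7","result":"success"}
{"ts":"2025-09-23T09:02:00Z","event":"login","user":"bob","src":"198.51.100.4","result":"fail"}
{"ts":"2025-09-23T09:02:30Z","event":"login","user":"bob","src":"198.51.100.4","result":"success"}
{"ts":"2025-09-23T09:05:00Z","event":"role_change","actor":"alice","target":"alice","role":"admin","change_ref":null}
{"ts":"2025-09-23T10:00:00Z","event":"role_change","actor":"ops-bot","target":"carol","role":"admin","change_ref":"CAB-1042"}
"""


def parse_events(text):
    """Parse JSON lines, convert the timestamp, and sort by time so the
    sliding window below sees events in order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events):
    """Return a list of alert dicts for the two rules."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps in window
    for ev in events:
        if ev["event"] == "login":
            q = recent_failures[ev["user"]]
            while q and ev["ts"] - q[0] > WINDOW:   # expire old failures
                q.popleft()
            if ev["result"] == "fail":
                q.append(ev["ts"])
            elif ev["result"] == "success":
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append({
                        "rule": "brute_force_then_success",
                        "user": ev["user"], "src": ev["src"],
                        "failures": len(q), "ts": ev["ts"].isoformat(),
                    })
                q.clear()   # a successful login resets the counter
        elif ev["event"] == "role_change" and ev.get("role") == "admin":
            reasons = []
            if ev["actor"] == ev["target"]:
                reasons.append("self_granted_admin")
            if not ev.get("change_ref"):
                reasons.append("no_change_reference")
            if reasons:
                alerts.append({
                    "rule": "privilege_change",
                    "actor": ev["actor"], "target": ev["target"],
                    "reasons": reasons, "ts": ev["ts"].isoformat(),
                })
    return alerts


def run_sample():
    """Run both rules over the constructed log; returns two alerts."""
    return detect_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The window is per account rather than per source address, so a slow spray from many addresses against one account is still caught; the reverse case (one address against many accounts) would need a second deque keyed on `src`.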
Secure Development Lifecycle
- Design: threat modelling for new features and high‑risk changes; privacy‑by‑design checklists
- Build: coding standards referencing OWASP; dependency scanning (SCA); secrets scanning in repos
- Test: static (SAST) and dynamic (DAST) analysis; unit and integration tests; security test cases; test data is synthetic or anonymised
- Review: mandatory peer reviews; security sign‑off for high‑risk changes via CAB
- Release: CI/CD with artifact signing; environment segregation (dev/test/stage/prod); infrastructure‑as‑code reviews
- Operate: continuous monitoring; monthly patch windows; regular vulnerability scans and tracked remediation SLAs
- Assure: annual third‑party penetration testing on in‑scope systems or per client request
AI/ML & Data Ethics
- Data handling: training data is contract‑bounded; we avoid ingesting client personal data into shared model corpora unless explicitly contracted with safeguards
- Model risk: bias and fairness assessments where models influence individual outcomes; explainability documentation for decision‑affecting systems
- Retention: reproducible pipelines; ability to retrain without retaining personal data permanently unless required
Vendor & Sub‑processor Management
- Selection and due diligence: security and privacy questionnaire, technical evaluation, data residency and transfer safeguards
- Contracts: DPAs with standard clauses; security obligations and breach notification terms
- Monitoring: annual reassessment or event‑driven reviews; right to audit where appropriate
A current sub‑processor list can be provided under NDA and includes hosting, email delivery, observability, and support tooling providers as relevant to each engagement.
Data Subject Rights
We assist controllers (our clients) in fulfilling DSRs:
- Access and portability: export in common formats where technically feasible
- Rectification and erasure: update or delete personal data on verified, lawful request
- Restriction and objection: implement flags or suppression lists as instructed
- Verification: reasonable identity verification prior to fulfilment; logging of requests and responses
Contact: info@designdirect.io (for requests relating to Design Direct as controller) or route via the relevant client (controller) for project data.
Incident Response & Breach Notification
- Detection: 24×7 alerting on critical systems; triage runbooks; severity matrix
- Containment and eradication: access revocation, isolation, forensic capture of volatile data, patching
- Communication: notify affected clients without undue delay where an incident affects their data; support client regulatory notifications
- Post‑incident: root‑cause analysis (RCA), corrective actions, lessons learned, and policy or process updates
Business Continuity & Disaster Recovery (BC/DR)
- BCP: documented continuity plans for people, facilities, suppliers, and technology
- DR: priority restoration order for critical services; failover runbooks; periodic exercises
- RTO/RPO: defined per client system based on impact and contractual SLAs
Retention & Deletion
- Default: keep personal data only for the duration necessary to provide services and meet legal or contractual needs
- Project close: upon termination or expiry, return or delete client data within agreed timeframes; secure wipe of storage and backups as feasible
- Schedules: retention schedules for logs, backups, and project artefacts are documented and can be customised per engagement
Cookies & Tracking (for websites/apps we operate)
- Consent: obtain and record user consent for non‑essential cookies in relevant jurisdictions
- Controls: granular cookie preferences; honour Global Privacy Control (where supported)
- Disclosures: maintain up‑to‑date cookie notices listing providers, purposes, and lifetimes
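The consent and Global Privacy Control bullets above describe a policy rather than a mechanism. As an added example, not Design Direct's code, the function below shows one server‑side way to apply that policy when deciding which cookies a response may set: non‑essential categories are opt‑in only, consent recorded against an older notice version is not reused, and a `Sec-GPC: 1` request header (the signal defined by the Global Privacy Control specification) overrides any stored marketing consent. The cookie name `dd_consent`, its `v2|analytics:1|marketing:0` value format, the category names and the "GPC wins for marketing" rule are assumptions.

```python
"""Added example (not Design Direct's code): gate non-essential cookies on
recorded consent and on the Global Privacy Control request header."""

CONSENT_COOKIE = "dd_consent"                # assumed cookie name
CONSENT_VERSION = 2                          # assumed; bump when the notice changes
ESSENTIAL = "essential"
NON_ESSENTIAL = ("analytics", "marketing")   # assumed category names


def _normalise(headers):
    """HTTP header names are case-insensitive; compare in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def parse_cookie_header(cookie_header):
    """Minimal Cookie header split: name=value pairs separated by ';'."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def parse_consent(cookie_header):
    """Return {category: bool} from the assumed 'v<version>|cat:flag|...'
    format, or None if the cookie is absent, malformed, or was recorded
    against an older notice version (so it cannot be reused)."""
    raw = parse_cookie_header(cookie_header).get(CONSENT_COOKIE)
    if not raw:
        return None
    fields = raw.split("|")
    if fields[0] != f"v{CONSENT_VERSION}":
        return None
    consent = {}
    for field in fields[1:]:
        if ":" not in field:
            return None
        category, flag = field.split(":", 1)
        consent[category] = flag == "1"
    return consent


def gpc_signalled(headers):
    """GPC is carried as 'Sec-GPC: 1'; any other value is not a signal."""
    return _normalise(headers).get("sec-gpc", "").strip() == "1"


def allowed_categories(headers):
    """Decide which cookie categories this response may set."""
    allowed = {ESSENTIAL}
    consent = parse_consent(_normalise(headers).get("cookie"))
    if consent is None:
        return allowed                        # no valid consent: essential only
    for category in NON_ESSENTIAL:
        if consent.get(category) is True:     # opt-in only; missing means no
            allowed.add(category)
    if gpc_signalled(headers):
        # Assumed policy: GPC is an objection to tracking for advertising, so
        # it overrides a stored marketing consent; analytics still follows
        # the explicit choice the user recorded.
        allowed.discard("marketing")
    return allowed


def set_cookie_header(name, value, category, allowed):
    """Return a Set-Cookie line for a server-set cookie, or None when its
    category is not permitted on this response."""
    if category not in allowed:
        return None
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed request headers, not captured traffic
    request = {"Cookie": "dd_consent=v2|analytics:1|marketing:1", "Sec-GPC": "1"}
    allowed = allowed_categories(request)
    print(sorted(allowed))                                        # ['analytics', 'essential']
    print(set_cookie_header("_ads", "abc", "marketing", allowed))  # None
```

The same decision has to be mirrored in the page itself (scripts for a category are only loaded when that category is allowed), otherwise a third‑party tag can set cookies the server would have refused.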
Physical & Environmental Security
- Offices: controlled access, CCTV where applicable, clean‑desk, locked storage for media
- Data centres/cloud: we leverage leading cloud providers with certified facilities (e.g., ISO 27001, SOC 2 maintained by the provider). Provider data centre certifications are inherited at the infrastructure layer only; our responsibilities cover secure configuration and application security.
Customer Responsibilities (Shared Responsibility Model)
Security and compliance are shared:
- Client (controller): define lawful purposes; provide notices; choose configurations; review access lists; approve data sharing
- Design Direct (processor): implement agreed controls, process data per instructions, assist with DSRs and DPIAs, report incidents
- Cloud and third parties: provide resilient, compliant infrastructure and services
Audits, Assurance & Reporting
- Evidence on request: policy excerpts, training summaries, vulnerability management reports, pen‑test executive summaries (under NDA)
- Client audits: supported by prior arrangement and within reasonable scope
- Metrics: patch SLAs, vulnerability age, MFA coverage, phishing simulation results, and incident MTTR tracked internally
Contact & Escalation
- General and privacy: info@designdirect.io
- Security reporting (vulnerability or abuse): info@designdirect.io
- Postal: Design Direct Web Solutions Ltd, London, United Kingdom
Change Log
- v1.0 (23‑Sep‑2025): initial consolidated privacy and security whitepaper
Appendix A: Example Retention Schedule (Baseline)
| Data / Asset Type | Active Retention | Archive Retention | Notes |
|---|---|---|---|
| Application logs | 90 days | 12 months | Pseudonymise or anonymise where possible |
| Backups | 30–90 days | — | Encrypted; periodic restore tests |
| User accounts | Life of contract | +90 days | Or as instructed by the data controller |
| Support tickets | 24 months | — | May contain personal data; redact where feasible |
| CI/CD artefacts | 12 months | — | Signed where applicable |
Appendix B: Incident Severity Matrix (Excerpt)
| Severity | Label | Description | Initial Response Target |
|---|---|---|---|
| Sev-1 | Critical | Confirmed breach of personal data at scale; production outage > 1 hour | 15 minutes |
| Sev-2 | High | Elevated suspicious activity; limited data exposure; partial outage | 1 hour |
| Sev-3 | Moderate | Contained vulnerability; no evidence of data loss | 4 hours |
| Sev-4 | Low | Minor policy deviation; informational alerts | Next business day |
Appendix C: Glossary
- Controller/processor: roles defined under GDPR/UK GDPR
- DPIA: Data Protection Impact Assessment
- DSR: Data Subject Request (a request to exercise a data subject right)
- IDTA/SCC: UK International Data Transfer Agreement / EU Standard Contractual Clauses
- RPO/RTO: Recovery Point Objective / Recovery Time Objective
- SAST/DAST/SCA: Static Application Security Testing / Dynamic Application Security Testing / Software Composition Analysis (dependency scanning)
- OWASP ASVS: Application Security Verification Standard