The Chain Limited - Data Processing Notice

Introduction

This notice sets out how The Chain Limited ("TCL") process data on individuals, clients and service providers that TCL interacts with.

About us

TCL is a provider of information security services, incorporated and based in Guernsey, company no. 52604.

Data we hold

We process data in order to provide information security assurance and advisory services. The types of data we collect and process includes:

Contact details (names, addresses, phone numbers, email address)
Information provided in the course of provision of information security services (for example: technical details of IT systems, relationships with service providers, risks and controls, vulnerabilities, details of security incidents, user credentials and access codes)
Information provided in the course of digital forensics investigations (for example: details of alleged incidents, forensic images of hard drives and other digital media, credentials and access codes)
Information that we gather from public and open-sources including name, employer, date of birth, special interests, and contact details
Meetings attended and calls made
CCTV footage of our premises
Any other information you provide to us

Purposes of processing

Purpose	Lawful basis
To enter into client relationships and provide information security services	The legitimate interest of The Chain Limited as a provider of information security services to process personal data for the purpose of providing those services In order to support legal proceedings To fulfil a contract we have entered into to provide information security services
To ensure the security of TCL premises, systems and staff	The legitimate interests of TCL in preventing and detecting unauthorised access to its premises, systems and data
To provide evidence in support of audits and other reviews	The legitimate interests of TCL in providing information security assurance and advisory services, to ensure it meets legal, regulatory and ethical obligations

Sources and recipients of data

Sources include clients, service providers, or open-source material. Potential recipients include:

providers of legal services, courts, tribunals where disclosure is necessary to fulfil the purposes set out above
law enforcement agencies where disclosure is necessary to meet legal obligations

All data is held within the EU, UK or Channel Islands.

Rights of data subjects

Data subjects for whom TCL holds data may have rights in respect of their personal data. To exercise those rights, including withdrawal of consent, right of access, or to update, correct or erase data, data subjects should send requests to tcldataprotection@chainci.com.

Retention and destruction of data

TCL only retains data for as long as necessary to fulfil the purpose for which it was collected. Primary retention controls include:

redaction of unnecessary sensitive data from larger data sets at the point of capture
archival of completed engagements
secure destruction all data relating to a client engagement seven years from the completion of the engagement

Destruction is subject to the exception where data cannot be removed for legal, regulatory or technical reasons.

Changes to this privacy notice

This notice will be updated from time to time and published on our website at https://chainci.com/privacy. This notice was last reviewed on 15th January 2024.