NATUZERO LIMITED

Data Security Policy


1. Purpose

This policy defines how Natuzero Limited protects and handles customer data in the course of providing IT consulting services. It ensures confidentiality, integrity, and availability of client data, and compliance with applicable regulations.


2. Scope

This policy applies to:

  • All employees, contractors, and third-party service providers of Natuzero Limited

  • All systems, devices, applications, and communication channels used to access or store customer data

  • All customer data handled during pre-sales, project delivery, support, or post-project activities


3. Definitions

  • Customer Data: Any data received from clients, including personal data, credentials, source code, configuration files, documentation, or intellectual property.

  • Sensitive Data: Information classified as confidential or regulated (e.g., personal data under GDPR, PCI data, or healthcare information).

  • Data Owner: The customer who provides the data.

  • Authorized Personnel: Employees or subcontractors with explicitly granted access.


4. Data Access Controls

  • Access to customer data is strictly limited to authorized personnel on a need-to-know basis.

  • Multi-factor authentication (MFA) is required, wherever the system supports it, for all systems used to access customer environments or data.

  • Use of shared or generic accounts is prohibited.

  • Access rights are reviewed quarterly and revoked upon role change or termination.


5. Data Handling Practices

  • Customer data must be stored only on secure, encrypted storage systems (e.g., AES-256 encryption).

  • Data must never be copied, transferred, or stored on personal devices or unauthorized cloud services.

  • When working remotely, access must be through VPN or secure tunneling services.

  • No customer data may be printed or written down unless explicitly authorized.


6. Data Sharing and Transfer

  • Data must be transferred only via secure, encrypted channels (e.g., SFTP, HTTPS, or encrypted email).

  • Sharing customer data with third parties is prohibited unless contractually authorized and covered by a non-disclosure agreement (NDA) and a data processing agreement (DPA).

  • Public cloud file-sharing platforms (e.g., Dropbox, Google Drive) may be used only if contractually approved and secured.


7. Data Retention and Deletion

  • Customer data will be retained only as long as necessary for the agreed service period or legal obligation.

  • Upon project closure or customer request, data must be:

    • Returned securely to the customer

    • Or permanently deleted using secure wipe tools (DoD 5220.22-M or equivalent)

  • Deletion must be documented and verifiable.


8. Incident Reporting

  • Any data breach or security incident involving customer data must be reported to the Security Officer / Managing Director and client within 24 hours of discovery.

  • An internal investigation and a Root Cause Analysis (RCA) report must be completed within 5 business days.


9. Training and Awareness

  • All staff must complete annual security training, including data privacy and secure handling of client data.

  • Regular awareness campaigns will be conducted (e.g., phishing drills, secure coding reminders).


10. Policy Review

  • This policy shall be reviewed at least annually or after any major incident or regulatory change.