Data Security
Overview of Data Security
The Agency Store provides a range of traditional and AI-powered business information and advisory solutions. We are involved in the generation, storage, processing and distribution of information. Our A.I. tools, where deployed, are specifically developed to enhance insights generation, workflow efficiency, and output accuracy across various client projects. Our workflows and AI solutions adhere strictly to rigorous data security, confidentiality, and compliance standards. Our policies are set out in full below, in the following documents:
Data Security Policy
Data Retention Policy
Client Confidentiality Policy
Artificial Intelligence (A.I.) Usage Policy
Access Control and Permissions Policy
Policy highlights include:
Full compliance with GDPR standards.
Client data is owned entirely by clients; The Agency Store does not retain ownership.
Data processed by AI systems excludes all personally identifiable information and confidential client materials.
OpenAI is used via an organizational account that is explicitly opted out of model training, ensuring data remains secure and confidential.
Proprietary AI tools hosted securely via Microsoft Azure Cloud, adhering to Microsoft’s AI security standards.
Project data securely hosted exclusively on Google Workspace cloud storage.
All AI-generated outputs undergo detailed human review by Agency Store staff, ensuring accuracy, neutrality, completeness, and quality.
Strict access control managed centrally via Google Workspace and Microsoft 365 with enforced multi-factor authentication (MFA).
Key sub-processors utilized are Google Workspace (cloud storage and management), Microsoft Azure (cloud hosting and AI APIs), OpenAI (AI services), and Microsoft 365 (workflow management and administration).
Data Security Policy
Overview:
Agency Store is committed to maintaining the highest standards of data security and integrity to protect client data from unauthorized access, disclosure, alteration, or destruction. We employ robust industry-standard measures and trusted third-party services to ensure data security.
Data Storage and Protection:
Google Workspace:
Data stored securely on Google Workspace, adhering to GDPR compliance standards.
Utilizes encryption at rest and in transit (AES-256 and TLS).
Meets rigorous security standards, including ISO 27001, ISO 27017, ISO 27018 certifications.
Microsoft 365:
Used for workflow management and document creation.
Provides encrypted document storage and sharing capabilities.
Compliant with GDPR, ISO 27001, and SOC Type 1 and 2 standards.
Communication Security:
Google Meet:
Used exclusively for secure video conferencing.
End-to-end encryption for video and audio communications.
Access restricted to authorized personnel only.
Access Control and Permissions:
Access to data is controlled via role-based access control (RBAC).
Multi-factor authentication (MFA) enforced for accessing critical systems.
Regular audits of user permissions and access levels to ensure compliance and security.
Device and Endpoint Security:
Agency Store uses company-issued laptops with encrypted storage.
Endpoint protection software installed and maintained across all devices.
Regular security updates, patches, and vulnerability assessments conducted.
Incident Management:
A structured incident response procedure is in place.
Prompt investigation, notification, and resolution in line with GDPR guidelines and best practices.
Policy Review and Update:
Regular reviews and updates to the Data Security Policy to address evolving risks and technological advancements.
Latest version always available on our website.
For additional details or queries regarding data security, please contact hello@agencyproducts.store.
Last updated: 1st February 2025
Data Retention Policy
Overview:
Agency Store retains client data solely for legitimate business purposes, ensuring necessary historical context and reference for potential follow-up or repeated studies. Our retention practices strictly adhere to GDPR compliance and data minimization principles.
Retention Duration:
Client data is retained for up to a maximum of three (3) years from the project's completion date.
Data retention is based on legitimate business purposes, primarily enabling the replication or referencing of previous studies upon client request.
Personal Information (PI) Handling:
All Personal Information (PI) collected or processed during client engagements is deleted immediately following project completion.
No PI is retained beyond the active phase of any project.
Data Storage:
Retained data is securely stored in the Google Cloud environment.
Agency Store ensures no client data is stored locally on employee devices or external drives.
Data Minimization and Duplication Avoidance:
Data retained post-project completion is minimized by removing unnecessary attachments and clearing temporary working folders.
Efforts are regularly undertaken to avoid duplication and reduce data footprints.
Audit and Compliance Checks:
Regular internal audits and compliance reviews are conducted at the close of each project and during annual business cycles.
These reviews ensure timely deletion of obsolete data, adherence to retention schedules, and ongoing compliance with GDPR guidelines.
Compliance Standards:
GDPR (General Data Protection Regulation) – adherence to principles of lawfulness, fairness, transparency, storage limitation, data minimization, and integrity.
ISO 27001 compliance principles inform our data retention practices, ensuring secure storage and handling.
Policy Review and Update:
Regular reviews and updates to the Data Retention Policy to address evolving risks and technological advancements.
Latest version always available on our website.
For additional details or queries regarding data security, please contact hello@agencyproducts.store.
Last updated: 1st February 2025
Client Confidentiality Policy
Overview: Agency Store places the highest priority on maintaining strict confidentiality and protecting client privacy. All client information and project data are handled with utmost care and in compliance with applicable regulations.
Confidentiality and NDAs:
Agency Store ensures absolute confidentiality of all client data, project information, and related communications.
All client engagements, suppliers, and subcontractors are bound by Non-Disclosure Agreements (NDAs), which are countersigned and securely stored for compliance and auditing purposes.
Internal Data Access Control:
Data access is strictly limited to personnel actively engaged in relevant projects.
Access controls are managed centrally through Google Workspace permissions and Microsoft 365 administration.
Regular audits are conducted to verify proper access permissions and ensure compliance.
Third-Party Data Sharing:
Client data may occasionally be shared with third-party software providers for processing purposes.
Agency Store carefully vets all third-party vendors to ensure they comply with stringent security standards, protocols, and prevailing regulations such as GDPR.
Compliance and Standards:
Agency Store fully complies with the General Data Protection Regulation (GDPR) and associated privacy laws.
We regularly monitor and update our policies and practices to align with the latest regulatory requirements and best practices.
Policy Review:
This Client Confidentiality and Privacy Policy is reviewed regularly and updated as necessary to reflect changes in regulations or our business practices.
The latest version of this policy is available on our website.
Last updated: 1st February 2025
Artificial Intelligence (A.I.) Usage Policy
Overview: The Agency Store leverages artificial intelligence (AI) solutions to enhance client services, enabling efficient and high-quality outputs. This policy outlines our responsible use of AI technologies, highlighting our commitment to data security, ethical practices, and compliance.
AI Tools and Platforms:
The Agency Store utilizes OpenAI solutions accessed via a dedicated organizational account.
We have explicitly opted out of OpenAI's model training, ensuring compliance with the highest data security standards, equivalent to OpenAI's publicly stated policies (OpenAI Data Security).
Additionally, Agency Store employs proprietary AI tools developed internally, hosted securely on Microsoft's Azure Cloud via secure API interfaces, fully compliant with Microsoft's AI security standards.
Data Handling and Confidentiality:
We do not use AI systems to process or analyze data relating to identifiable individuals.
Confidential client information or materials are never shared with AI systems.
Outputs generated by AI tools are stored and managed in strict accordance with our established Data Retention Policy.
Quality Assurance:
AI-generated content undergoes thorough review by The Agency Store’s staff prior to delivery.
Reviews include checks for accuracy, bias, completeness, and adherence to quality standards.
Security and Access Controls:
Access to AI tools and resources is secured via strict password and authentication protocols managed centrally through Google Workspace and Microsoft 365.
Usage logs and permissions are routinely audited to ensure adherence to our strict security practices.
As we are an OpenAI for Business user, all AI interactions are confidential and not shareable externally.
Compliance and Policy Maintenance:
The Agency Store regularly reviews this AI Usage Policy to ensure ongoing alignment with security, ethical standards, and technological advancements.
The most recent version of this policy is always accessible via our website.
Last updated: 1st February 2025
Access Control & Permissions Policy
Overview: Agency Store maintains stringent access control measures to ensure that client and company data remain secure and accessible only to authorized individuals. This policy details how user access and permissions are managed across our digital environments.
User Management:
User accounts and permissions for Google Workspace, Microsoft 365, and associated platforms are centrally managed exclusively by a Company Director.
New users are added, managed, or removed promptly to ensure appropriate access control.
Permissions Assignment:
Access permissions to specific files and folders are project-specific and restricted to assigned project personnel.
Individual passwords govern user-specific access, ensuring personalized security.
Passwords themselves are not project-specific, but permissions at the folder and file level are strictly project-based.
Authentication and Security Measures:
Multi-factor Authentication (MFA) is mandated and enforced across all Google Workspace and Microsoft 365 accounts, applicable to both software and hardware.
MFA provides an additional layer of security beyond basic password controls.
Audit and Review of Permissions:
User permissions are reviewed periodically, as well as specifically during the initiation and conclusion phases of each project.
Reviews are conducted to ensure permissions accurately reflect current project assignments and responsibilities.
Exit and Role Change Procedures:
Upon an employee's departure or role change, immediate steps are taken by the Company Director to revoke or adjust access rights.
Exiting employees’ accounts are fully removed from all drives, platforms, and devices as part of their formal exit procedure.
Policy Maintenance:
The Agency Store regularly reviews and updates this Access Control and Permissions Policy to ensure ongoing effectiveness and compliance with current best practices.
The most recent version of this policy is always available via our website.
Last updated: 1st February 2025