Schedules of Processing 

Penetration Testing Processing

Details of Processing Penetration Customer Journey

Subject matter of the Processing

Support the customer journey whilst they undergo penetration testing.

Duration of the Processing

For the duration of the contract

Nature of the Processing

Collection, Recording and Storage

Purpose of the Processing

To provide the services under the contract

Categories of Personal Data (including special categories of data, where applicable)

Name, work email address, work phone number and business address

Categories of data subjects

Customers and clients (including their staff)

Information security standards

In accordance with ISO 27001:2022, Cyber Essentials and Cyber Essentials Plus security controls

Authorised Sub-processors

Table 1 – Axiom GRC Group sub-processors

| Sub-processor name | Sub-processor location | Processing Activity |
| --- | --- | --- |
| Worknest IT | UK – Cheshire | Office 365 |

Table 2 – Pentest People other sub-processors (as applicable)

| Sub-processor name | Sub-processor location | Processing Activity |
| --- | --- | --- |
| Monday.com | Frankfurt, Germany | Manage customer email communication, project management for penetration testing and customer details to perform penetration testing |
| Pipedrive | Frankfurt, Germany/Dublin, Ireland and London, UK | Obtain customer contact information to liaise with customers regarding their penetration testing. |
| Invoice Tracker | UK – Unit H, Gateway 1000, Whittle Way, Stevenage, SG1 2FP | Use the scheduling calendar to book in customer tests. |
| Defense.com | UK – Unit H, Gateway 1000, Whittle Way, Stevenage, SG1 2FP | Gather testing information/customer credentials and perform the penetration testing. |

Cyber Essentials & Cyber Essentials Plus Processing

Processing purpose  

To assess the customers against the Cyber Essentials requirements and audit them to help them gain Cyber Essentials Plus 

Processing duration  

Duration of the contract  

Categories of personal data  

Name, work email address, phone number. IP addresses are used in Cyber Essentials Plus audits 

Categories of data subjects  

Customers and customers' employees

Information security standards 

In accordance with ISO 27001:2022, Cyber Essentials and Cyber Essentials Plus security controls

Authorised Sub-processors 

Table 1 – Axiom GRC Group sub-processors 

| Sub-processor name | Sub-processor location | Processing Activity |
| --- | --- | --- |
| Worknest IT | UK – Cheshire | Office 365 |

Table 2 – Worknest Cyber other sub-processors (as applicable) 

| Name | Address | Country | Processing carried out |
| --- | --- | --- | --- |
| IASME | IASME Consortium Ltd, Wyche Innovation Centre, Upper Colwall, Malvern, WR13 6P | UK data stored in UK | Cyber Essentials assessment and Cyber Essentials Plus audit report portal |
| Monday.com | 1 Rathbone Square London, W1T 1FB, UK | US based on EU servers | Project management |
| Qualys | 100 Brook Drive, Green Park, Reading, Berkshire, England, RG2 6UJ | US data stored in UK | Vulnerability scanning |

Pen Testing of CHECK Applications Schedule of Processing 

Description

Details

Subject matter of the processing 

Pen testing of CHECK applications 

Duration of the processing 

Duration of the statement of work, then stored in logs for 6 months thereafter

Report held for 6 years 

Nature and purposes of the processing 

In order to pen test a customer’s environment, the processing could entail, but is not limited to, collection, recording, storage, disclosure by transmission, consultation and adaptation

Type of Personal Data 

Email address, first name, last name. This list is not exhaustive, as further personal data may be accessed dependent on the pen test requested by the customer

Categories of Data Subject 

Customer employees and customers' customers

Retention period(s) for Personal Data during the contract term and process for destruction of data at end of retention period/s 

Duration of the statement of work  

Logs are held for 6 months thereafter 

The report, containing minimal personal data, is held in a secure portal for up to 6 years

Plan for return and destruction of the data once the processing is complete (unless legal requirement to preserve that type of data). 

Once the statement of work is completed and the report written, the logs are uploaded to secure file storage and are deleted after 6 months.

Within the secure portal, the report and any associated data are deleted.

The customer can export the report and associated data, and a customer may request that this data be deleted at any point.

Sub-Processors 

Cyndicate Labs 

661 High St, Kingswinford DY6 8AL