Data Security

1. Introduction

GreenTree Advisory Ltd is committed to protecting and securing your personal data. This Data Security Policy explains how we safeguard your information when you use our website or engage with our expert network consulting services.

We implement comprehensive security measures that comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller for the purposes of data protection law.

2. Data We Collect and Secure

We implement security measures to protect the following types of personal data:

Personal Information

• Name and job title
• Email address and contact details
• Company name and business information
• Industry sector and consultation requirements
• Communication preferences and consultation history

Technical Information

• IP address and browser information
• Device and operating system data
• Website interaction and usage analytics
• Encrypted cookie data and session information

3. Security Infrastructure

We maintain enterprise-grade security infrastructure to protect your data:

Technical Safeguards

• Encryption: All data transmission uses TLS 1.3 encryption and data at rest is encrypted using AES-256
• Secure Hosting: Data is stored on ISO 27001 certified servers located within the UK and EU
• Access Controls: Multi-factor authentication and role-based access control for all personnel
• Network Security: Firewalls, intrusion detection systems, and regular vulnerability assessments
• Data Backup: Encrypted, geographically distributed backups with regular restore testing

Organizational Safeguards

• Staff Training: Regular data protection and security awareness training for all team members
• Confidentiality Agreements: All personnel and contractors bound by strict confidentiality obligations
• Incident Response: 24/7 security monitoring with established breach response procedures
• Regular Audits: Annual security assessments by independent third-party specialists

4. Data Retention and Disposal

We implement secure data retention policies to minimize risk:

• Active Clients: Data retained for the duration of engagement plus 7 years for legal compliance
• Consultation Enquiries: Contact information retained for 2 years unless consent is withdrawn
• Website Analytics: Anonymized data retained for up to 26 months for service improvement
• Marketing Contacts: Retained until consent is withdrawn or 3 years of inactivity

When data is no longer required, it is securely deleted using industry-standard data destruction methods, including cryptographic erasure and physical destruction of storage media where applicable.

5. Third-Party Security

We carefully select and monitor all third-party service providers who may process your data:

• Due Diligence: All providers undergo rigorous security assessments before engagement
• Contractual Obligations: Data processing agreements with strict security and confidentiality requirements
• Limited Access: Third parties only receive the minimum data necessary for their specific function
• Regular Reviews: Ongoing monitoring and annual security reviews of all service providers

Current trusted third-party categories include website hosting (AWS/Azure), email services (encrypted), and analytics (privacy-compliant).

6. Incident Management

In the unlikely event of a security incident, we have established procedures to protect your interests:

• Immediate Response: 24/7 monitoring systems detect and respond to potential security threats
• Investigation: Expert incident response team investigates and contains any potential breaches
• Notification: Affected individuals notified within 72 hours if there is a risk to their rights
• Regulatory Reporting: Mandatory breach reporting to the ICO within 72 hours where required
• Remediation: Immediate steps taken to prevent future incidents and strengthen security measures

7. Your Security Rights

You have several rights regarding the security of your personal data:

• Access: Request details about how your data is being secured
• Portability: Request secure transfer of your data to another service provider
• Correction: Update or correct any inaccurate information we hold
• Deletion: Request secure deletion of your personal data (subject to legal obligations)
• Restriction: Limit how we process your data in certain circumstances
• Objection: Object to processing based on legitimate interests

To exercise any of these rights or report security concerns, contact our Data Protection Officer using the details below.

8. Website Security

Our website implements multiple layers of security to protect your browsing experience:

• HTTPS: All pages served over encrypted HTTPS connections
• Security Headers: Comprehensive security headers to prevent common web attacks
• Regular Updates: Website software and security patches updated regularly
• Secure Forms: All consultation forms use encrypted transmission and validation
• Cookie Security: Secure, SameSite cookies with appropriate expiration policies

9. Continuous Improvement

We continuously enhance our data security measures:

• Regular Reviews: Monthly security assessment and policy updates
• Technology Updates: Investment in latest security technologies and practices
• Industry Standards: Adherence to evolving data protection and security standards
• Expert Consultation: Regular consultation with cybersecurity specialists
• Feedback Integration: Client and user feedback incorporated into security improvements

10. Contact Our Data Protection Officer

If you have questions about our data security measures, wish to report a security concern, or need to exercise your data protection rights, please contact us:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection matters.

ICO Contact Details:
Website: ico.org.uk
Phone: 0303 123 1113