This document is reviewed annually each October or sooner if legislation or our operations change. The latest version will always be available at www.cavfo.com.
This policy sets out how Cavendish Family Office (London) Limited (“Cavendish”) protects the confidentiality, integrity, and availability of information entrusted to us. It implements the requirements of the UK GDPR, the Data Protection Act 2018, and recognised good practice.
This policy applies to all directors, employees, consultants, and third-party providers who access Cavendish systems or data in any form (cloud, on-premise, paper, mobile devices), including AI and recording tools approved for business use.
• The CEO acts as the Information Security Lead and Data Protection Officer.
• Managers ensure team compliance.
• All users must follow this policy, complete training, and report incidents immediately.
• Third parties must meet equivalent standards under written contract (including confidentiality, security controls, breach notification, and audit rights).
• Information is classified as Public, Internal, Confidential, or Special Category.
• Confidential and Special Category data must be encrypted at rest and in transit, shared only on a need-to-know basis, and never moved to personal devices or unauthorised apps.
• Paper containing Confidential or Special Category data is stored in locked storage and cross-shredded on disposal.
• Unique user IDs for every user; shared accounts are prohibited.
• Strong passwords are required, with multi-factor authentication on all external access and privileged roles.
• Role-based access with least-privilege and periodic access reviews.
• Immediate removal or suspension of access upon role change or exit.
• Company devices must use full-disk encryption, up-to-date operating systems, and centrally managed anti-malware.
• Screen lock within 5 minutes; automatic patching enabled.
• Use of personal devices requires prior approval, mobile device management, and compliance with this policy.
• External media (USB, portable drives) are restricted and must be encrypted.
• Secure configuration, protected networks, and segmented access for sensitive services.
• Encrypted transport (TLS) for all remote connections and cloud services.
• Firewalls and intrusion detection/prevention in place; changes follow documented change control.
• Only approved cloud services may be used; data location and subcontractors must be disclosed in contracts.
• Data in transit protected by TLS or equivalent.
• Data at rest encrypted using industry-standard algorithms.
• Encryption keys are stored and rotated securely with access limited to authorised administrators.
• Configuration and code changes are peer-reviewed, tested, approved, and logged.
• Dependencies are kept current; known vulnerabilities are remediated according to risk.
• Secrets (API keys, tokens) are stored in secure vaults, not in code or documents.
• Security-relevant events (access, admin actions, authentication failures, data exports) are logged, time-synchronised, protected from tampering, and retained per the retention policy.
• Alerts are reviewed and investigated; material incidents are escalated without delay.
• High-risk vulnerabilities are remediated promptly; critical patches are expedited.
• Regular vulnerability scans; penetration testing on a risk-based schedule.
• Third-party advisories are monitored and actioned.
• Due diligence before onboarding any supplier or AI tool that processes personal or confidential data (security, data location, sub-processors, certifications, breach terms).
• Data-processing agreements in place where required.
• AI/recording tools (for example, Otter.ai) must be approved, configured for privacy, and disclosed to clients as per our privacy and client-engagement notices.
• Encrypt sensitive attachments or use approved secure portals.
• Verify recipients before sending; do not auto-forward client data to personal accounts.
• Cross-border transfers require a lawful transfer mechanism (for example, UK IDTA or EU SCCs as applicable).
• Offices use controlled entry and secure storage for records and devices.
• Visitors are escorted and recorded.
• Paper archives are minimised and stored in locked cabinets.
• Critical data is backed up regularly, encrypted, and tested for restoration.
• Continuity plans define recovery objectives for key services and data.
• Suspected or actual incidents (loss, unauthorised access, malware, mis-send) must be reported immediately to the CEO/DPO at mark@cavfo.com.
• Incidents are triaged, contained, investigated, and recorded. Where legally required, affected parties and regulators (for example, the ICO) will be notified in line with statutory timelines.
• Mandatory induction and annual refresher training on security, phishing, privacy, and safe tool use.
• Targeted training for high-risk roles and system administrators.
• Retain only what is necessary and for as long as needed (see Data Retention Policy).
• Secure destruction: cross-shredding for paper; certified wiping or physical destruction for media.
• Breaches of this policy may lead to disciplinary action, contract termination, and legal reporting where required.
• This policy is reviewed at least annually or following material change in risk, law, or operations, and approved by senior management.
For security queries or to report a vulnerability: mark@cavfo.com. For general information security enquiries: info@cavfo.com.