Data Security Policy

Last Revised 14th April 2026

This Data Security Policy outlines how Mohr & Coleman (“Mohr & Coleman”, “we”, “us”, “our”), a trading name of Ricochet Group Ltd, approaches the protection of data, systems, and information in the course of providing Services. This policy applies to all employees, contractors, and third parties engaged by Mohr & Coleman, and supports our obligations under applicable data protection legislation, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Purpose & Scope

1.1 The purpose of this policy is to ensure that data is handled securely, responsibly, and in accordance with legal and contractual obligations.

1.2 This policy applies to: personal data; client data; internal business data; and systems, infrastructure, and development environments used in connection with our Services.

1.3 The policy covers data in all forms, including digital, physical, and verbal information.

2. Security Principles

Mohr & Coleman adopts the following core principles in relation to data security:

2.1 Confidentiality. Access to data is restricted to authorised individuals on a need-to-know basis.

2.2 Integrity. Data is maintained accurately and protected from unauthorised modification.

2.3 Availability. Systems and data are maintained to ensure availability as required for business operations, subject to the limitations of Third-Party Services.

2.4 Accountability. All individuals with access to data are responsible for maintaining its security.

3. Access Control

3.1 Access to systems and data is controlled through user authentication and role-based permissions.

3.2 Access is granted only to individuals who require it for the performance of their role.

3.3 Administrative and privileged access is limited and monitored.

3.4 Access rights are reviewed periodically and revoked promptly when no longer required.

3.5 The use of shared accounts is avoided wherever possible. Where unavoidable, access is controlled and logged.

4. Authentication & Credentials

4.1 Strong passwords are required for all systems and services.

4.2 Multi-factor authentication (MFA) is used where available and appropriate.

4.3 Credentials must not be shared or reused across critical systems.

4.4 Password managers and secure credential storage solutions are used to manage access securely.

5. Systems & Infrastructure Security

5.1 Systems are maintained with appropriate security updates and patches.

5.2 Firewalls, access controls, and security configurations are implemented to protect infrastructure.

5.3 Development, staging, and production environments are separated where appropriate.

5.4 Access to production environments is restricted and controlled.

5.5 Third-Party Services used for hosting, infrastructure, or development are selected with consideration for security, reliability, and compliance.

6. Data Handling & Storage

6.1 Data is stored only where necessary for the provision of Services.

6.2 Personal data is processed in accordance with applicable data protection laws and contractual obligations.

6.3 Data is stored using reputable systems and platforms with appropriate security controls.

6.4 Data is not retained longer than necessary for its intended purpose.

6.5 Where appropriate, data is encrypted in transit and at rest.

7. Development Practices

7.1 Secure development practices are followed throughout the software development lifecycle.

7.2 Code is managed using version control systems with controlled access.

7.3 Testing is carried out prior to deployment, including validation of functionality and security considerations where appropriate.

7.4 Dependencies, libraries, and integrations are selected and maintained with consideration for security risks.

8. Third-Party Services

8.1 Mohr & Coleman relies on Third-Party Services for aspects of hosting, infrastructure, tooling, and delivery.

8.2 While we take reasonable care in selecting such providers, we do not control their systems and cannot guarantee their performance or security.

8.3 Clients are responsible for: entering into agreements with Third-Party Service providers where required, maintaining accounts and credentials, and ensuring compliance with third-party terms.

9. Data Transfers

9.1 Data may be transferred to and processed by Third-Party Services, including services located outside the United Kingdom.

9.2 Where personal data is transferred internationally, appropriate safeguards are used where required by law.

10. Incident Management

10.1 A security incident includes any actual or suspected: unauthorised access to data, data loss or breach, and compromise of systems or credentials.

10.2 All security incidents must be reported internally as soon as identified.

10.3 Mohr & Coleman will investigate incidents promptly and take appropriate steps to mitigate impact.

10.4 Where required by law or contract, affected Clients will be notified without undue delay.

11. Backup & Recovery

11.1 Backup processes are implemented where appropriate, depending on the systems and services in use.

11.2 Backup responsibility may sit with: Mohr & Coleman; the Client; or a Third-Party Service provider, depending on the agreed scope of Services.

11.3 Clients remain responsible for ensuring that appropriate backup arrangements are in place unless expressly agreed otherwise in writing.

12. Personnel & Responsibilities

12.1 All personnel are responsible for complying with this policy and maintaining good security practices.

12.2 Access to data is limited to those who require it to perform their role.

12.3 Personnel are expected to: follow secure working practices, report security concerns promptly, and handle data responsibly at all times.

13. Training & Awareness

13.1 Mohr & Coleman maintains awareness of data security risks and best practices.

13.2 Personnel are expected to remain informed of basic security responsibilities and evolving risks.

14. Compliance & Review

14.1 This policy supports compliance with applicable data protection laws and contractual obligations.

14.2 The policy may be updated from time to time to reflect changes in legal, regulatory, or operational requirements.

14.3 Continued engagement with Mohr & Coleman constitutes acceptance of this policy where it forms part of contractual or procurement documentation.