Compliance & Standards
Overview
At PIP Agency, the responsible and secure handling of personal data is fundamental to our operations. This page explains, in plain language, exactly how we process the data you entrust to us — from the moment of collection through to secure deletion.
We operate under a data minimisation principle: we collect only what is strictly necessary, store it only for as long as required, and protect it using industry-standard security controls throughout its lifecycle.
Our Commitment
We treat your data with the same care we would want for our own information. We do not monetise your data, sell it to third parties, or use it for any purpose beyond processing your claim.
Data We Process
The personal data we process falls into the following categories, each collected for a specific and documented purpose:
Identity Data
- Full name
- Email address
- Phone number (if provided)
- Wallet address used for authentication
Claim Data
- Description of financial loss
- Names of platforms or entities involved
- Approximate dates and amounts
- Transaction identifiers or reference numbers
Supporting Documentation
- Uploaded files (screenshots, PDFs, transaction exports)
- Correspondence with third parties
- Bank statements or financial records (where provided)
Technical Data
- IP address
- Browser and device information
- Session timestamps
- Platform interaction logs
Communication Data
- Emails and messages exchanged with our support team
- Internal case notes related to your claim
Processing Purposes
We process personal data on the following lawful bases, as defined in the UK GDPR. Each processing activity has a documented purpose and legal basis.
| Purpose | Lawful Basis |
|---|---|
| Processing your claim submission | Contract performance |
| Communicating about your case | Contract performance |
| Identity verification and fraud prevention | Legitimate interests |
| Improving platform functionality | Legitimate interests (anonymised) |
| Compliance with legal obligations | Legal obligation |
| Reporting to authorities when required | Legal obligation |
| Sending service-related notifications | Contract performance / Consent |
Security Measures
We implement a layered security architecture aligned with ISO/IEC 27001 principles and industry best practices. Our security programme covers technical infrastructure, operational procedures, and human factors.
Infrastructure Security
- All servers are hosted in SOC 2 Type II certified data centres within the UK and EEA
- Network perimeter protected by enterprise-grade firewall and intrusion detection systems
- Automated vulnerability scanning performed on a continuous basis
- Regular third-party penetration testing (minimum annually)
- DDoS protection and rate limiting on all public-facing endpoints
- Isolated network segments for different data sensitivity levels
Access Control
- Role-based access control (RBAC) — staff access only what they need for their role
- Multi-factor authentication (MFA) mandatory for all staff with system access
- Privileged access management (PAM) for administrative functions
- All access is logged, monitored, and subject to audit
- Access rights reviewed quarterly and upon any change in role
- Immediate access revocation upon staff departure
Operational Security
- All staff complete mandatory data protection and security awareness training
- Confidentiality agreements required for all personnel and contractors
- Security incident response plan maintained and tested
- Business continuity and disaster recovery plans in place
- Regular security reviews of third-party service providers
Encryption Standards
We use strong, industry-standard encryption to protect your data both in transit and at rest. Our encryption practices are reviewed regularly to ensure they remain current with best practices.
Data in Transit
- Transport Layer Security (TLS) version 1.3 for all browser-to-server communication
- HTTP Strict Transport Security (HSTS) enforced — all traffic over HTTPS
- Strong cipher suites only; weak and deprecated ciphers disabled
- Certificate Transparency logging and OCSP stapling enabled
- Secure cookies with HttpOnly and SameSite attributes enforced
Data at Rest
- AES-256 (Advanced Encryption Standard, 256-bit key) for all stored personal data
- Separate encryption keys for different data categories
- Key management using hardware security modules (HSMs)
- Encrypted database backups stored separately from primary data
- Uploaded files encrypted individually prior to storage
What this means in practice: Even in the unlikely event of unauthorised access to our storage systems, your personal data would remain encrypted and unreadable without access to the corresponding encryption keys, which are stored separately under strict controls.
Data Retention & Deletion
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, and to comply with our legal and regulatory obligations. Once data is no longer required, it is securely deleted using methods appropriate to the sensitivity of the information.
Retention Schedule
| Data Type | Retention Period | Basis |
|---|---|---|
| Claim records & documentation | 7 years post-closure | Legal obligation |
| Identity & contact data | 7 years post-closure | Legal obligation |
| Authentication logs | 12 months | Legitimate interest |
| Support communications | 3 years from last contact | Legitimate interest |
| Legal correspondence | 10 years | Legal obligation |
| Analytics (anonymised) | 26 months | Legitimate interest |
| Marketing consent records | 5 years from consent | Legal obligation |
Secure Deletion Methods
- Database records are cryptographically overwritten and logically deleted
- File system data is securely erased using NIST SP 800-88 compliant methods
- Physical media is destroyed using certified providers when decommissioned
- Backup copies are deleted in line with their own scheduled purge cycle
- Deletion is logged and auditable to confirm completion
Your Rights Under GDPR
Under the UK GDPR and EU GDPR, you have the following enforceable rights in respect of your personal data. PIP Agency is committed to honouring these rights promptly and without charge in the vast majority of cases.
Right of Access (Article 15)
Request a copy of all personal data we hold about you, along with information about how and why we process it. We will respond within 30 days.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data. We will action this within 30 days and notify any third parties who received the incorrect data.
Right to Erasure (Article 17)
Request deletion of your data where it is no longer necessary for its original purpose, subject to our legal retention obligations.
Right to Restriction (Article 18)
Request that we limit our processing of your data in certain circumstances, such as while you contest its accuracy.
Right to Portability (Article 20)
Receive your data in a structured, machine-readable format to transfer to another organisation.
Right to Object (Article 21)
Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right not to be Subject to Automated Decisions (Article 22)
We do not use fully automated decision-making that produces significant legal effects. All significant decisions involve human review.
How to exercise your rights
Submit your request in writing to [email protected]. We may need to verify your identity before processing your request. Responses are provided within 30 days; complex requests may be extended by a further two months with notice.
Data Breach Procedures
Despite our robust security measures, no system is entirely immune to incidents. We have a documented and tested incident response plan that ensures any personal data breach is handled promptly, transparently, and in compliance with our legal obligations.
Detection and Assessment
- Automated monitoring systems are in place to detect anomalous activity 24/7
- Any suspected security incident is escalated to our security team immediately
- The nature, scope, and likely impact of the incident are assessed without delay
- Affected data categories and individuals are identified as quickly as possible
Regulatory Notification
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Our notification will include:
- The nature of the breach, including categories and approximate number of individuals affected
- The name and contact details of our Data Protection contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Individual Notification
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay. Our notification will describe what happened, what data was affected, the potential consequences, and what steps we are taking — as well as guidance on steps you can take to protect yourself.
Report a security concern
If you believe your account has been compromised or you have identified a security vulnerability, please contact us immediately at [email protected]. We take all reports seriously and will respond promptly.
Third-Party Processors
We engage a small number of carefully vetted third-party processors to help us operate our platform. All processors are bound by Data Processing Agreements (DPAs) that require them to process data only on our instructions and to maintain appropriate security standards.
| Processor Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, and database services | UK / EEA |
| Email Service Provider | Transactional and case notification emails | UK / EEA |
| Identity Verification | Optional KYC verification where required | UK / EEA |
| Analytics (Anonymised) | Aggregated platform performance metrics | UK / EEA |
| Security Monitoring | Intrusion detection and log analysis | UK / EEA |
We review our third-party processors annually and following any material changes to their services or security practices. We will update this page if we engage new processors who handle personal data in a materially different way.
International Transfers
We endeavour to keep all personal data within the United Kingdom and the European Economic Area. In the rare cases where a transfer outside these territories is necessary, we ensure appropriate safeguards are in place:
- Adequacy decisions: transfers to countries recognised as providing adequate data protection by the UK ICO or European Commission
- Standard Contractual Clauses (SCCs): legally binding contractual commitments by the recipient to protect your data to UK/EU standards
- Binding Corporate Rules: where applicable for transfers within a corporate group
- Supplementary technical measures: additional encryption or pseudonymisation for all international transfers
You have the right to request information about any specific international transfers of your data and the safeguards in place. Contact us at [email protected] for details.
