Privacy Policy

Privacy at Iron Oak Security Limited

Iron Oak Security Consulting Limited is responsible for the information we collect and process for our own purposes.  We’re committed to maintaining the security and privacy of the personal information we process, whether through our website or through our interactions with clients, prospects or industry partners.

Whether we are supporting our clients or managing our own information, privacy and security are at the heart of our operations.  Whilst we take appropriate measures in our own practices, security and privacy are at the core of our business operations, so it is imperative we operate in accordance with, and where possible above, industry and regulatory requirements.

Key Contacts

Should you wish to contact us in order to find out more about how we process personal information / data, exercise your rights, make a complaint to us or just discuss some of our practices then please contact us using the online contact form:

 

Contact Form.

 

Data Retention

Iron Oak Security only processes personal information / data for as long as necessary to meet our legal obligations or where we have a legitimate business reason for keeping it.  We review personal information / data on a case by case basis and document the period of retention for each.

For further information on how long Personal Data is likely to be kept before being removed from our systems and databases, please contact us via the online contact form which is linked below.

Security and Privacy Consulting Services

Although our core services do not revolve around collecting and processing personal information, we often process personal information as part of delivering our Cyber Security and Data Privacy services to clients.  This can range from our client’s information to our client’s client data.

 

We do not collect personal information as a matter of course in these interactions, except for pre-contractual material and communications relating to individual pieces of work.  There are instances where our Penetration Testing services process data, but this is covered directly with the client and not collected by us.  This work and subsequent processing of data is all performed under a contract or with a view to entering one, which Iron Oak Security Consulting Ltd and our clients are subject to.

Data Types – Name, email addresses, address, telephone details, signatures, business contact details.

 

Website Enquiries

We have a Contact us page on this website, which allows individuals to ask questions about our services, including exercising your rights under Data Protection Law.  The Contact us page is monitored by our internal team to ensure we identify and handle your request effectively.  The Contact us form contains basic contact information and free text fields, allowing you to provide details of your enquiry.  We request that you do not include sensitive information in this form, as we have other secure ways in which you can send us information, should we require any.  This information is processed under our Legitimate Interests and only used to facilitate your enquiry.

 

Information / Data Types – Name, email addresses, subject field and free text field (which should not include personal data)

 

Employee administration

We process personal data to facilitate contracts of employment and provide our employees with employee benefits that are associated with working at Iron Oak Security Consulting Limited.  Employees are provided with internal privacy information on how their data is processed but if you have previously worked with Iron Oak Security Consulting, you are able to make a request through our Contact us form.

Data Types – Provided via internal privacy policy to employees.

 

Prospective clients

We process basic business contact information of prospective clients and opportunities, which may initially be collected via sales meetings, business cards, verbally, events we may host, speak at or attend.  This includes the prospective client’s business contact information, which includes their personal information and details about each opportunity.  We use a cloud based solution to host this data, which also integrates into our email services and as such prospect emails are also synchronised into our cloud based solution, so that we can keep track of our interactions with you and manage the relationship effectively.  This processing is in Iron Oak Security’s Legitimate Interests or fulfilling our requirements when entering or in the Performance of a Contract with a client.

 

Information / Data Types – Name, email addresses, address, telephone details, signatures, business contact details, email conversations.

 

Financial management, accounting and administration

Our financial management and accounting services process basic client contact information in order to fulfil our accounting requirements.  This ranges from invoices, account details, timesheet approvals, statement of works, terms and conditions and bank details.  We use a cloud-based solution to process this data and use a separate cloud-based document storage solution.  This processing is primarily to enable us to perform our side of the contract with our client and meet our legal obligations for financial reporting.

 

Information / Data Types – Name, email addresses, address, telephone details, client and supplier bank account details, signatures, business contact details.

 

Customer satisfaction surveys

When we have delivered a piece of work to our clients, we like to make sure they have received a great service.  We use the client contact information in order to send a survey, asking some basic questions on how we performed when delivering our services.  This is performed under our legitimate interests and purely used to ensure we have delivered to our expectations.  This processing and the responses from clients are not used for spamming you with marketing communications.  We may ask for a reference but that’s about it.

 

Associates/Contractors

We process basic contact and work information in relation to associates and contractors who would like to work with us or one of our clients.  This information could be collected through our website, email, LinkedIn, recruitment agencies or job advertising boards.  Contractors who are working with us or who could potentially be working with us in the future will have their details stored in a cloud-based solution, so that we can keep track of their skills, contact details and availability.  This processing is undertaken under Iron Oak Security’s legitimate interests and in the performance of a contract or with a view to entering one.

 

Information / Data Types – Name, email addresses, address, telephone details, skills, job history, bank account details, company insurance details, passport, driving licence, references and email conversations.

 

Marketing and Events

We want to ensure that our customers and businesses with an interest in Cyber Security and Data Privacy can receive the latest insights, news and information regarding our services.  We only send communications to individuals within organisations where we believe we have a legitimate interest to do so.  Where an individual uses our contact page, we also ask for consent to send communications, as a simple enquiry does not satisfy grounds to send communications of this nature after dealing with your request.

Our main forms of providing information on our products, services, events and industry research and insight are via:

Industry Events – This is where Iron Oak Security are showcasing our services, whereby we produce information about our services and capabilities.  We may also run competitions but will only communicate with you for the purposes of that competition, so entering a competition doesn’t mean you get bombarded with marketing material.  We may also exchange business cards at events, and we will email you to follow up on our interaction with you.  This does not mean we will send you marketing material, but we will enter any information about opportunities into our sales system to ensure we have provided you with the information you require.

 

Social Media – Iron Oak Security make use of social media platforms such as LinkedIn, Instagram, Facebook and Twitter.  We as a business sign up to the terms and conditions of the provider and use the platforms to provide insight into the latest cyber security and data privacy activities taking place across the world, to promote Iron Oak Security’s employees, services and provide you with our latest thought leadership content on different subject matter.

 

Webinars – We conduct webinars on topics which are relevant to our services and industries we operate within.  In order to deliver the webinar, we require your personal data to provide you with the webinar details and how you can access the services.  Our webinars are publicised through our website, social media platforms, email and via a third-party provider.  Anyone wishing to attend would be required to register via our website or third-party provider. We collect first name, surname, email addresses and company name of the person wishing to attend.  When collecting this information, we will also ask for your permission to contact you for future marketing purposes.  You may also have the opportunity to provide questions prior to the webinar and this may involve an optional request for your email address beforehand in order to facilitate answering the question during the webinar.  We process your data only for delivering the webinar and this is processed under Iron Oak Security’s Legitimate Interests. 

 

If you do not wish to receive any form of communication from Iron Oak Security Limited then simply inform us through our online contact form or unsubscribe from any communication.

Use of Third Parties

We use third party system providers to enable us to deliver our services effectively and store our information (including personal data) securely, which allows us to focus on delivering our industry leading security and privacy solutions to our clients. Our providers consist of:

Our own infrastructure – We use world leaders in cloud-based infrastructure services, which means that the provider looks after all of the physical equipment and management of it and Iron Oak Security do the rest.  This means that there are high levels of physical security on our systems and Iron Oak Security provide additional layers above that.  We build our systems and services in these environments, which also allow you to choose the location of where data is held (including personal data).  Iron Oak Security Limited always choose the United Kingdom (UK), which means if we deliver a service from these systems, data will reside in the UK.

 

Email, office applications and document storage – We use an externally hosted provider for these services who are world renowned experts in providing these services.  The data is all processed in Europe and we are responsible for ensuring it’s configured securely.  These systems are critical to our company and if you have dealings with us, no doubt your data will be held within these, unless it’s been deleted, as we no longer require it.

 

Sales Management Solution – We use an externally hosted system, which is hosted in the United States of America (USA).  This system is used to record all sales related information such as prospect information through to our communications with you as a client engaged in pre-sales and contractual dialogue with us.  Our employees also have the capability to sync their emails to you into this solution, which allows us to ensure we are continually up to speed with you as a client and able to meet all your needs on time.  This means that effectively your emails will be sent to our sales system and be processed in the USA.

 

Financial Accounting Software – We use an industry recognised financial software solution, which is hosted in the United Kingdom.  We’ve signed a comprehensive set of terms and conditions with this provider, which includes standard contractual clauses that provide adequate safeguards for data being processed outside of Europe.  This system contains our client’s business contact information and associated invoicing and financial material.

 

Human Resources (HR) – Along with our clients, our employees are the lifeblood of Iron Oak Security.  Therefore, we chose an industry recognised HR system that would allow us to manage and support our employees effectively.  It is hosted in the United Kingdom and only retains Iron Oak Security employees’ data (past and present).

 

Marketing Communication Software – In order to keep people up to date with our services and information within the Cyber Security and Data Privacy industry, we often send direct marketing communications, as described under our Marketing and Events section of this policy.  To enable us to deliver this service we use an externally hosted system that supports the delivery of marketing emails and provides us with the ability to understand the effectiveness of those emails, such as how many were opened, deleted and read.  This provider operates as our processor and does not check or monitor your data.  This system is hosted within the United Kingdom and Iron Oak Security have contractual requirements in place that govern the processing of personal data.

 

Internal IT Support Service – We use an externally hosted system to help us manage, record and resolve our internal IT functions and support requests from customers.  This system is hosted within UK Data Centres.  The provider also has offices outside of Europe and has safeguards in place to provide adequate protection over any personal data processed.  The provider has implemented additional safeguards as required by European law such as Binding Corporate Rules and is registered under the Privacy Shield Framework.  We process a requester’s email address to facilitate this service, so we can ensure the individual is kept updated on their issues, and if the requester needs to be updated verbally, we require a telephone number.  The requester also has the opportunity to provide detail on their support issue, but we will only ask for personal detail if it is relevant to the support request.  Personal data processed in this context is done under the performance of a contract or under Iron Oak Security’s Legitimate Interests, dependent on the requester and circumstance.

 

Webinars System – We conduct webinars on topics which are relevant to our services and industries we operate within.  In order to deliver the webinar, we require your personal data to provide you with the webinar details and how you can access the services.  We use an externally hosted service to deliver the webinars.  Our webinars are publicised through our website, social media platforms, emails and via a 3rd party events provider.  Anyone wishing to attend would be required to register via our website or the 3rd party events provider. We collect first name, surname, email addresses and company name of the person wishing to attend.  When collecting this information, we will also ask for your permission to contact you for future marketing purposes.  You may also have the opportunity to provide questions prior to the webinar and this may involve an optional request for your email address beforehand in order to facilitate answering the question during the webinar.

Security of Personal Data

At Iron Oak Security we take the security of personal data extremely seriously.  We have implemented a mixture of cyber security controls, encryption and an Information Security Management System (ISMS) which underpins our ISO27001:2013 standard. 

We assess security for Confidentiality, Integrity and Availability to ensure that data remains protected, accurate and available for its intended purposes.  Some of the core controls we have implemented as part of these certifications are:

Multi-Factor Authentication (MFA) on all internet-based systems.

Encryption of data at rest and in transit

Technical assessments of our systems for vulnerabilities and configuration weaknesses.

Controlled access to only approved individuals

Screening of all employees to a minimum of the Baseline Personnel Security Standard (BPSS)

Data handling training for all employees.

Policies and procedures on secure operations and configuration of systems.

 

International Data Transfers

Primarily our systems and services are all located within the United Kingdom.  Your Personal Data will be processed outside of Europe and in countries that are deemed not to have adequate safeguards in place.  This is because some of the industry leading systems we use are hosted in the UK but process data outside of Europe in countries such as, but not limited to, the United States of America.

There may also be rare occasions where our employees work outside of Europe and access systems from outside the EEA.

Iron Oak Security have implemented appropriate measures to ensure an adequate level of protection of your Personal Data at all times, when processed in countries outside of Europe and countries deemed to have inadequate safeguards.  These measures consist of our processors registering under the Privacy Shield framework, Model Clause Contracts or by way of derogations for specific circumstances.  If you have any questions or would like to obtain copies of safeguards in place for a specific set of processing, then please contact us with the specific request.

Your rights in relation to your data

Under Data Protection Law you have a number of Rights that are focused on placing you in control of how your data is processed.

You can exercise these Rights by using the online contact form.

 

We may ask you for identification prior to disclosing any data, as we need to ensure we only disclose information to the person entitled to it.

You have the following Rights in relation to the processing of your personal information / data:

Right to be Informed – You have the right to be provided information on how your personal data is processed – Like our Privacy Hub!

Right to Access – You have the right to have access to the personal information we hold about you.

Right to Rectification – This relates to the right to rectify any inaccurate personal information we hold about you.

Right to Erasure – The right to request that we delete your data, or stop processing it or collecting it, in some circumstances.

The Right to Object – You have the right to object to the processing of your data, such as requesting us to stop sending you marketing communications.

Right to Data Portability – You can request your personal data to be sent to another service provider.

Right not to be subject to automated decision making – whilst you have this right, we do not conduct automated decision making. 

Right to Lodge a Complaint – You can lodge a complaint with the Data Protection Regulator, which for us is the UK Information Commissioner’s Office, using the below details.

 

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Ultimately, we want you to be in control of your personal details, so feel free to get in touch and ask any questions.

Changes to your privacy with us

Of course, from time to time, things change and at Iron Oak Security we are always striving to continually improve our business operations and services we deliver to clients.
Some changes may result in changes to our privacy information and this page, to ensure we are transparent about how we are processing your data at all times.

When any significant changes in the way we protect your privacy are made, we will make this clear on our website or by other means of communication such as email, so that you are able to review the changes and make an informed decision as to whether you want to exercise any of your rights in relation to the processing of your personal data.