Data Handling and Security Statement

Our Commitment to Data Security

WarmPro Group is committed to protecting the personal and project-related data entrusted to us by clients, residents, employees, partners, and stakeholders. We recognise the importance of data security in maintaining trust, ensuring regulatory compliance, and delivering professional services across decarbonisation, retrofit, and construction projects.

This statement sets out how WarmPro securely manages, stores, and protects all data in accordance with the UK GDPR, the Data Protection Act 2018, and industry-specific requirements including TrustMark Data Warehouse protocols and PAS framework obligations.

Data Protection Framework

WarmPro's data protection and cyber security approach is built on the following principles:

  • Confidentiality - ensuring data is accessible only to authorised personnel

  • Integrity - maintaining accuracy and completeness of data throughout its lifecycle

  • Availability - ensuring data is accessible when needed for legitimate business purposes

  • Accountability - demonstrating compliance with data protection obligations

  • Transparency - being clear about how we collect, use, and protect data

Secure Data Storage

All personal and project-related data is securely managed within encrypted systems:

  • UK-based cloud infrastructure - data stored exclusively within UK-based, ISO 27001-certified cloud environments

  • Encryption at rest - all stored data encrypted using industry-standard encryption protocols

  • Encryption in transit - all data transmitted via secure SSL/TLS connections

  • Segregated storage - client data segregated to prevent unauthorised cross-access

  • Regular backups - automated backup systems with secure off-site storage

  • Disaster recovery - comprehensive business continuity and disaster recovery procedures

Access Controls

Access to personal and project data is restricted to authorised personnel only:

  • Role-based access - access permissions granted based on job role and necessity

  • Authentication requirements - multi-factor authentication for sensitive systems

  • Access logging - comprehensive audit trails of all data access and modifications

  • Regular reviews - periodic review of access permissions and user accounts

  • Immediate revocation - prompt removal of access when personnel leave or change roles

  • Need-to-know principle - data access limited to what is necessary for each role

Staff Training and Policies

WarmPro enforces mandatory data protection training and security protocols:

  • Mandatory training - all staff complete data protection and cyber security training during induction

  • Annual refresher training - regular updates on data protection obligations and security procedures

  • Policy compliance - all personnel required to comply with data handling policies

  • Confidentiality agreements - staff sign confidentiality and data protection agreements

  • Clear procedures - documented procedures for data handling, storage, and disposal

  • Awareness programmes - ongoing awareness of phishing, social engineering, and security threats

Device Security

Secure device policies protect data accessed through company and personal devices:

  • Secure devices - all company devices configured with security software and encryption

  • Password policies - strong password requirements and regular password changes

  • Device encryption - full disk encryption on laptops and mobile devices

  • Remote wipe capability - ability to remotely erase data from lost or stolen devices

  • Software updates - mandatory security patches and software updates

  • Bring Your Own Device (BYOD) policies - security requirements for personal devices accessing company data

Subcontractor and Partner Security

WarmPro extends data protection requirements to all subcontractors and partners:

  • Pre-qualification checks - vetting of subcontractors for data security practices

  • Contractual obligations - data protection and security clauses in all subcontractor agreements

  • Limited data sharing - sharing only data necessary for specific project delivery

  • Compliance monitoring - regular checks that partners maintain security standards

  • Breach notification - requirements for partners to report data security incidents immediately

Data Retention and Disposal

Data is retained only for as long as necessary and disposed of securely:

  • Defined retention periods - clear policies on how long different data types are retained

  • Compliance requirements - retention periods aligned with TrustMark, PAS frameworks, and funding schemes (typically 6-10 years for project records)

  • Secure disposal - data securely deleted or destroyed when no longer required

  • Disposal documentation - records maintained of data disposal activities

  • Media destruction - physical destruction of storage media containing sensitive data

Incident Response Protocols

WarmPro maintains comprehensive incident response procedures:

  • Incident detection - monitoring systems to detect potential security breaches

  • Rapid response - immediate action protocols for suspected data breaches

  • Investigation procedures - thorough investigation of all security incidents

  • Breach notification - notification to the ICO and affected individuals within 72 hours where required

  • Remediation - swift action to contain breaches and prevent recurrence

  • Lessons learned - post-incident reviews to improve security measures

Compliance and Auditing

WarmPro maintains rigorous compliance and auditing processes:

  • Regular audits - periodic internal and external security audits

  • Compliance monitoring - ongoing monitoring of data protection obligations

  • ISO 27001 alignment - security practices aligned with ISO 27001 information security standards

  • TrustMark compliance - adherence to TrustMark Data Warehouse security requirements

  • Funding scheme obligations - meeting data security requirements for the ECO4, HUG2, WHLG and PSDS programmes

  • Documentation - comprehensive records of security measures and compliance activities

Data Sharing and Third-Party Processing

When sharing data with third parties, WarmPro ensures:

  • Legitimate purpose - data shared only for legitimate project delivery or compliance purposes

  • Data Processing Agreements - formal agreements with all data processors

  • Security standards - third parties required to maintain equivalent security standards

  • Limited access - third parties given access only to data necessary for their specific role

  • Audit rights - WarmPro retains the right to audit third-party data handling practices

Technical Security Measures

WarmPro employs multiple layers of technical security:

  • Firewalls - network firewalls protecting systems from unauthorised access

  • Antivirus and anti-malware - comprehensive malware protection across all systems

  • Intrusion detection - systems monitoring for suspicious activity

  • Vulnerability scanning - regular scans for security vulnerabilities

  • Patch management - timely application of security patches and updates

  • Email security - spam filtering and email security protocols

Transparency and Individual Rights

WarmPro respects your rights regarding your personal data:

  • Right to information - clear information about how we use your data

  • Right of access - ability to request copies of your personal data

  • Right to rectification - ability to correct inaccurate data

  • Right to erasure - ability to request deletion in certain circumstances

  • Right to restriction - ability to limit how we process your data

  • Right to portability - ability to receive data in portable format

To exercise these rights or raise data security concerns, please contact us through our Contact page.

Continuous Improvement

WarmPro continuously reviews and improves data security measures:

  • Regular policy reviews - annual review of data protection and security policies

  • Security updates - implementing new security technologies and best practices

  • Threat monitoring - staying informed of emerging cyber security threats

  • Staff feedback - incorporating lessons learned from operational experience

  • External advice - consulting with data protection and security specialists

Contact and Concerns

For questions about our data handling and security practices, to report a security concern, or to exercise your data rights, please contact us through the details provided on our Contact page.

If you believe we have not handled your data securely or in accordance with data protection laws, you can complain to the Information Commissioner's Office (ICO) at www.ico.org.uk.

Statement Review

This Data Handling and Security Statement was last reviewed on 06-12-2025. It is reviewed annually and updated to reflect changes in security practices, regulatory requirements, and technological developments.