Carpe Diem Cybersecurity Policy

1. Policy Overview & Purpose

Carpe Diem's Cybersecurity Policy outlines the safeguards and procedures in place to protect client data. We handle sensitive information such as databases, contact lists, credentials, and access to digital properties. This policy aims to ensure all client data remains secure, confidential, and used solely for the purposes of service delivery, while providing transparency on our security practices.

2. Scope

This policy applies to all Carpe Diem employees, contractors, and third-party vendors who have access to client data. It covers all devices, applications, and services used by our team, whether company-issued or personal, especially in a remote working environment.

3. Data Confidentiality

Confidential Data Handling: We treat all client information as confidential, including databases, access credentials, and proprietary data. This information is used strictly for service delivery.
Non-Disclosure Agreements (NDAs): All employees are bound by NDAs, legally obligating them to protect client data. Breaches are subject to disciplinary action, including termination and potential legal consequences.
Data Access Control: We implement a principle of least privilege, granting access to client data only to those employees who require it for their tasks.

4. Secure Access Management

Password Management: We recommend sharing credentials through a password manager with shared vaults (for example, LastPass) rather than by email or chat. These tools allow clients to grant staff use of a login without displaying the password itself and to revoke that access at any time. Because a shared credential is still usable by the recipient's browser while access is granted, revocation should be combined with rotating the password when a client wants to be certain that access has ended.
Delegate Access: We request only delegate-level access to client accounts, so that the client remains the owner and retains control. Full administrative access is requested only when a task cannot be completed without it.
Access Reviews: We conduct regular audits of employee access levels, removing permissions that are no longer needed and adjusting them to match current project requirements.

5. Data Security Measures

Screen Monitoring: We use screen monitoring software to record employee activity, so that compliance with client data handling policies can be verified.
Secure File Sharing: Client data is transferred through file-sharing services that encrypt data in transit and at rest and enforce access controls (e.g., Google Workspace, OneDrive). Sharing sensitive information over channels that are not encrypted and access-controlled is not permitted.
Data Retention and Deletion: Client data is retained only for the duration of the project and securely deleted upon completion, unless the client instructs us otherwise.

6. Incident Response and Reporting

Incident Reporting: Any security incident or suspected breach must be reported immediately to our Management Team, which follows established procedures to contain, investigate, and resolve the issue.
Client Notification: If a data breach affects client information, the affected clients will be notified within 24 hours of the breach being confirmed, together with the steps being taken to mitigate the risk.
Corrective Actions: Our Management Team investigates every incident, implements corrective measures, and updates security procedures as needed to prevent recurrence.

7. Employee Training and Compliance

Mandatory Training: All employees complete cybersecurity training during onboarding and annually thereafter, covering secure data handling, threat identification, and compliance with company policies.
Compliance Monitoring: We conduct regular compliance checks to confirm that all employees follow the established security procedures.

8. Policy Review and Updates

This policy is reviewed annually or as needed in response to changes in technology, legal requirements, or company practices. Updates will be communicated to clients and reflected in our security procedures.

Client Assurance

We are dedicated to providing transparency and maintaining the highest standards of data protection. If you have any questions or require further information about our security practices, please contact us at happy@carpediemuk.com.