GDPR Commitment

Last updated: 1 March 2025 · Baycop Technologies Ltd

Our commitment: Data protection is not a compliance checkbox for us — it is a core part of how we operate. As an MSSP, we handle sensitive data on behalf of our clients every day and take that responsibility seriously.

1. Overview

Baycop Technologies Ltd ("Baycop") is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This page explains our approach to GDPR compliance both as a Data Controller (for data we collect ourselves) and as a Data Processor (when processing personal data on behalf of our clients).

Our operations span the UK and Sri Lanka. All cross-border data transfers are handled in accordance with UK GDPR transfer requirements.

2. Our Dual Role

As a Data Controller

When you visit our website or contact us, Baycop acts as a Data Controller — we determine the purpose and means of processing your personal data. Our Privacy Policy explains what data we collect and how we use it.

As a Data Processor

When delivering managed IT and security services, Baycop may process personal data on behalf of our clients. In this role we act solely as a Data Processor, following our clients' documented instructions. We enter into a formal Data Processing Agreement (DPA) with every client before any processing begins.

3. Lawful Bases for Processing

We only process personal data where we have a valid lawful basis under UK GDPR Article 6. The bases we rely on include:

  • Contract — processing necessary to deliver our services to clients
  • Legitimate interests — for website analytics, security monitoring and business communications
  • Legal obligation — where we are required to process data by law
  • Consent — for marketing communications and non-essential cookies

Where special category data is involved (e.g. health data processed by healthcare clients), we ensure an appropriate Article 9 condition is also met.

4. Data Subject Rights

We fully support the rights of data subjects under UK GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights in relation to automated decision-making (Article 22)

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. Where we are acting as a Data Processor (i.e. on behalf of a client), we will forward subject access requests to the relevant Data Controller promptly.

5. Data Processing Agreements

We enter into a GDPR-compliant Data Processing Agreement (DPA) with every client whose data we process. Our DPA covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor arrangements and approvals
  • Security measures and breach notification obligations
  • Return or deletion of data on termination

If you are a client and have not yet signed a DPA with us, or wish to review your existing DPA, please contact us at [email protected].

6. Sub-Processors

We use the following categories of sub-processors in delivering our services:

  • Baycop Technologies Pvt Ltd (Sri Lanka) — our 24/7 operations centre, operating under a formal intra-group DPA with appropriate transfer safeguards (Standard Contractual Clauses)
  • Microsoft — Microsoft 365, Azure, Microsoft Sentinel (SIEM), Defender for Endpoint
  • CrowdStrike — endpoint detection and response (EDR/XDR) platform
  • PSA / RMM vendors — professional services automation and remote monitoring tools used for service delivery

We notify clients of any intended changes to sub-processors in accordance with the DPA.

7. International Data Transfers

Personal data processed by our Sri Lanka operations centre is transferred from the UK under Standard Contractual Clauses (SCCs) as approved by the ICO. We conduct Transfer Impact Assessments (TIAs) where required and implement supplementary technical and organisational measures.

Data processed by US-based sub-processors (such as Microsoft and CrowdStrike) is covered by the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses, as applicable.

8. Security Measures

We implement appropriate technical and organisational measures (TOMs) to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls (RBAC) and the principle of least privilege
  • Multi-factor authentication (MFA) on all systems processing personal data
  • 24/7 SIEM-based monitoring of our own infrastructure
  • Annual penetration testing by an independent third party
  • Regular staff data protection awareness training
  • Documented incident response and breach management procedures

9. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach (where required)
  • Notify affected data subjects without undue delay where the breach is likely to result in high risk
  • Notify affected clients (as Data Controllers) within 24 hours where we are acting as a Data Processor

We maintain a breach register and a documented breach response procedure.

10. Retention and Deletion

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our standard retention periods are:

  • Client service data: duration of contract + 7 years
  • Website enquiry data: 2 years
  • Financial and invoicing records: 7 years (legal requirement)
  • Security logs: up to 13 months

On contract termination, client data is returned or securely deleted in accordance with the DPA, within 30 days of the request.

11. Complaints and the ICO

If you have concerns about how we handle your personal data, please contact us first — we want the opportunity to resolve your concern. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

12. Contact Us

For any GDPR-related enquiries, data subject requests or to request a copy of our Data Processing Agreement:

Baycop Technologies Ltd
376 Essex Road, London N1 3PF, United Kingdom
Email: [email protected]
Phone: +44 7537 171273