Information Security Statement

This Information Security Statement outlines the approach taken by Hivelink Ltd to protect information and personal data processed in connection with the Hivelink platform. It is intended to support customer assurance, procurement and due-diligence reviews.

This statement does not form part of any contract and does not override the Hivelink Platform Terms & Conditions or any other contractual documentation.

1. Governance and responsibility

Hivelink Ltd is responsible for the security of the Hivelink platform and for implementing appropriate technical and organisational measures to protect personal data processed within it.

Information security responsibilities are managed centrally and reviewed as part of ongoing platform development and operational management.

2. Data protection and privacy

Hivelink processes personal data in accordance with UK GDPR and the Data Protection Act 2018.

For the purposes of data protection law:

• organisations using the platform act as data controllers for personal data relating to parents, guardians and participants;
• Hivelink acts primarily as a data processor, processing personal data on documented instructions from organisations;
• Hivelink also acts as an independent data controller for limited purposes including platform security, fraud prevention, billing, legal compliance and aggregated analytics.

A Data Processing Agreement compliant with Article 28 UK GDPR is embedded within the Hivelink Platform Terms & Conditions.

Personal data processed via the platform may be processed by Hivelink or its authorised service providers outside the UK, subject to appropriate safeguards in accordance with UK GDPR.

3. Access control

Access to the Hivelink platform and underlying systems is restricted to authorised users only.

Controls include:

• individual user accounts for all platform users;
• role-based permissions to enable organisations to control access by their staff;
• internal access controls limiting Hivelink staff access to authorised personnel only;
• access granted solely for defined operational purposes such as support, onboarding, maintenance, security and incident response.

Actions taken within the platform are logged and attributable to individual users. Organisations are responsible for managing their own user permissions and revoking access where appropriate.

4. Technical and organisational security measures

Hivelink applies appropriate technical and organisational measures to protect data, including:

• secure hosting environments;
• encrypted data transmission;
• logical access controls;
• separation of customer data;
• regular platform maintenance and updates;
• periodic review of security controls.

Security measures are designed to be proportionate to risk and are reviewed and adapted as the platform evolves.

5. Incident management

Hivelink maintains procedures to identify, investigate and respond to security incidents and personal data breaches.

Where a personal data breach affecting customer data is identified, Hivelink will notify affected organisations without undue delay, enabling them to meet their own regulatory notification obligations where required.

6. Sub-processors and suppliers

Hivelink uses a limited number of trusted third-party service providers (sub-processors) to deliver the platform, including providers of hosting, object storage, communications and payment services.

All sub-processors are subject to contractual data protection, confidentiality and security obligations.

A current list of authorised sub-processors is available on request via
support@hivelink.co.uk.

7. Availability and resilience

The Hivelink platform is operated on a best-endeavours basis.

Hivelink monitors platform availability and seeks to respond to incidents within a reasonable timeframe during normal operations, but does not offer formal service level agreements or guaranteed uptime.

8. Data retention and backups

Personal data processed via the platform is retained in accordance with documented retention policies and applicable legal obligations.

Where an organisation ceases to use the platform, data is retained in a restricted archival state and deleted or anonymised once no longer required.

System backups are retained for a limited period (currently up to 60 days) and are overwritten on a rolling basis.

9. Continuous improvement

Hivelink keeps its security practices under regular review and makes proportionate improvements as the platform evolves, taking into account risk, customer needs and regulatory expectations.

10. Contact

For further information relating to information security, assurance or due-diligence enquiries, please contact:

Hivelink Ltd
Email: support@hivelink.co.uk