ANNEX B — TECHNICAL & ORGANISATIONAL MEASURES (TOMs)

Channel Chaser (operated by Cairncom Communications Ltd)
Version: 1.1
Last Updated: 19/1/2025
Contact: policy@cairncoms.co.uk
Scope: All systems, services, sub-processors, and personnel involved in delivering the Channel Chaser platform

This document defines the technical and organisational measures implemented by Cairncom Communications Ltd (“the Processor”) in accordance with:

  • GDPR Article 28(3)(c)

  • GDPR Article 32 (Security of Processing)

  • UK GDPR

  • CCPA/CPRA

  • ISO 27001-aligned controls

These TOMs apply to all Personal Data processed through the Channel Chaser SaaS platform, including data transmitted via Microsoft Office 365.

1. INFORMATION SECURITY MANAGEMENT FRAMEWORK (ISMS)

Channel Chaser maintains a structured and documented security programme including:

  • Security ownership assigned to the CSO and DPO

  • Annual policy reviews

  • Employee security training

  • Vendor risk management

  • Sub-Processor oversight

  • Risk assessments

  • Incident Response Plan (Annex H)

  • Business Continuity & Disaster Recovery Plan (Annex F)

2. ACCESS CONTROL
2.1 Role-Based Access Control (RBAC)

Access is limited by job function:

  • Engineering

  • Support

  • Security

  • Senior management

CRM and customer data access is restricted to authorised roles.

2.2 Authentication
  • Passwords stored as salted and hashed values

  • MFA enforced for all admin accounts

  • OAuth support for CRM integrations

  • SSO available where applicable

2.3 Least Privilege Principle

Users receive only the minimum access necessary for their role.

2.4 Access Reviews

Quarterly access audits include:

  • Platform accounts

  • Microsoft Office 365 accounts

  • Administrator roles

  • Sub-Processor access

3. ENCRYPTION
3.1 Encryption In Transit
  • TLS 1.2+

  • HSTS enabled

  • Secure API transmission

3.2 Encryption At Rest
  • AES-256

  • Encrypted databases via hosting provider (Wix)

  • Encrypted storage in Microsoft OneDrive/SharePoint where support attachments are handled

3.3 Key Management
  • Managed by cloud providers (Wix / Microsoft)

  • Rotated per provider specifications

4. NETWORK SECURITY
  • Firewalls and segmentation applied at infrastructure level

  • No inbound access to databases

  • WAF protection applied upstream

  • Rate limiting on API endpoints

  • Logging of suspicious IP activity

5. APPLICATION SECURITY
5.1 Secure Development Lifecycle (SDLC)

The following are applied:

  • Code reviews

  • Peer review required before production deployment

  • Secure coding standards (aligned with OWASP)

  • Separation of development, staging, and production environments

5.2 Dependency & Vulnerability Management
  • Regular dependency scanning

  • Automated alerts for CVEs

  • Monthly patching cycle

  • Emergency patching within 48 hours for critical CVEs

5.3 Application Hardening
  • No plaintext secrets in code

  • API keys securely stored

  • Session expiration enforced

  • Token-based authentication for integrations

6. LOGGING & MONITORING
6.1 System Logs

System logs are generated for:

  • Authentication events

  • CRM sync operations

  • API activity

  • Error and exception tracking

6.2 Security Monitoring
  • Automated anomaly detection

  • Suspicious login reporting

  • Alerts for repeated failed logins

6.3 Log Storage and Retention
  • Logs retained for 90 days

  • Logs stored in encrypted environments

Certain logs may pass through secure Microsoft Office 365 storage when used in:

  • Internal incident review

  • Support escalation

  • File attachments

7. DATA HANDLING & STORAGE
7.1 Primary Hosting

Data is hosted via Wix, which provides:

  • Encrypted storage

  • Firewall protection

  • Redundancy

  • Physical data centre security

  • SOC 2 and ISO 27001 compliance

7.2 Internal Document Storage

Microsoft Office 365 is used for internal processing of:

  • Support communications

  • Issue escalations

  • Documentation

  • Customer attachments

Data stored in OneDrive/SharePoint is encrypted, access-controlled, and regionally isolated based on Microsoft tenant configuration.

7.3 Email Transmission

Support and communication emails are processed via Microsoft Office 365 (Outlook).

Security includes:

  • Encryption in transit

  • Phishing protection

  • Advanced Threat Protection (ATP)

  • MFA for admin accounts

  • Conditional access policies

8. BACKUP & DISASTER RECOVERY
8.1 Backup Procedures
  • Encrypted daily backups

  • Stored geographically separate from production

  • Integrity testing performed regularly

8.2 Retention Period

Backups are retained for 90 days.

8.3 Disaster Recovery
  • RTO: 24 hours

  • RPO: 24 hours

  • Documented procedures in Annex F

9. DATA MINIMISATION & RETENTION
9.1 Storage Limitation

We retain Personal Data only as long as required for:

  • Service delivery

  • Compliance

  • Operational necessity

9.2 Retention Enforcement

Automated deletion of:

  • Logs after 90 days

  • Support emails after 24 months

  • Data after contract termination (30 days active, then in backups for 90 days)

10. ORGANISATIONAL MEASURES
10.1 Employee Training

All employees receive training in:

  • GDPR & privacy

  • Security best practices

  • Phishing awareness

  • Incident reporting procedures

10.2 Confidentiality Agreements

All employees and contractors sign confidentiality agreements.

10.3 Vendor Management
  • Annual Sub-Processor reviews

  • Microsoft, Wix, and CRM vendors assessed for compliance

  • SCCs/UK Addendum used for EU/UK to US transfers

11. DATA SUBJECT RIGHTS SUPPORT

The Processor assists Controllers with:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Portability

These processes are documented in the main DPA.

12. INCIDENT RESPONSE & BREACH MANAGEMENT

An Incident Response Plan (Annex H) defines:

  • Detection

  • Triage

  • Containment

  • Eradication

  • Recovery

  • Notification obligations

Sub-Processor incidents—including those from Microsoft Office 365—are:

  • Assessed

  • Escalated

  • Communicated to Controllers without undue delay

13. PHYSICAL SECURITY

Physical security is handled by Sub-Processors (Wix, Microsoft) and includes:

  • 24/7 monitoring

  • Biometric access controls

  • CCTV surveillance

  • Visitor logging

  • Climate controls

  • Redundant power

14. INTERNATIONAL DATA TRANSFER MECHANISMS

For Sub-Processors operating outside the UK/EU, we rely on:

  • SCCs

  • UK Addendum

  • TIAs

  • Microsoft and Wix enterprise security frameworks

  • Encryption & pseudonymisation

15. CONTINUITY OF COMPLIANCE

Channel Chaser conducts:

  • Annual TOMs review

  • Continuous evaluation of Sub-Processor security posture

  • Documentation updates when vendors change behaviour or architecture

16. CONTACT INFORMATION

For questions regarding TOMs:

📩 policy@cairncoms.co.uk
