ANNEX B — TECHNICAL & ORGANISATIONAL MEASURES (TOMs)

Channel Chaser – Cairncom Communications Ltd
Version: 1.1
Last Updated: 19/1/2025
Contact: policy@cairncoms.co.uk
Scope: All systems, services, sub-processors, and personnel involved in delivering the Channel Chaser platform

This document defines the technical and organisational measures implemented by Cairncom Communications Ltd (“the Processor”) in accordance with:

  • GDPR Article 28(3)(c)

  • GDPR Article 32 (Security of Processing)

  • UK GDPR

  • CCPA/CPRA

  • ISO 27001-aligned controls

These TOMs apply to all Personal Data processed through the Channel Chaser SaaS platform, including data transmitted via Microsoft Office 365.

1. INFORMATION SECURITY MANAGEMENT FRAMEWORK (ISMS)

Channel Chaser maintains a structured and documented security programme including:

  • Security ownership assigned to the CSO and DPO

  • Annual policy reviews

  • Employee security training

  • Vendor risk management

  • Sub-Processor oversight

  • Risk assessments

  • Incident Response Plan (Annex H)

  • Business Continuity & Disaster Recovery Plan (Annex F)

2. ACCESS CONTROL
2.1 Role-Based Access Control (RBAC)

Access is limited by job function:

  • Engineering

  • Support

  • Security

  • Senior management

CRM and customer data access is restricted to authorised roles.

2.2 Authentication
  • Passwords stored as salted and hashed values

  • MFA enforced for all admin accounts

  • OAuth support for CRM integrations

  • SSO available where applicable

2.3 Least Privilege Principle

Users receive only the minimum access necessary for their role.

2.4 Access Reviews

Quarterly access audits include:

  • Platform accounts

  • Microsoft Office 365 accounts

  • Administrator roles

  • Sub-Processor access

3. ENCRYPTION
3.1 Encryption In Transit
  • TLS 1.2+

  • HSTS enabled

  • Secure API transmission

3.2 Encryption At Rest
  • AES-256

  • Encrypted databases via hosting provider (Wix)

  • Encrypted storage in Microsoft OneDrive/SharePoint where support attachments are handled

3.3 Key Management
  • Managed by cloud providers (Wix / Microsoft)

  • Rotated per provider specifications

4. NETWORK SECURITY
  • Firewalls and segmentation applied at infrastructure level

  • No inbound access to databases

  • WAF protection applied upstream

  • Rate limiting on API endpoints

  • Logging of suspicious IP activity

5. APPLICATION SECURITY
5.1 Secure Development Lifecycle (SDLC)

The following are applied:

  • Code reviews

  • Peer review required before production deployment

  • Secure coding standards (aligned with OWASP)

  • Separation of development, staging, and production environments

5.2 Dependency & Vulnerability Management
  • Regular dependency scanning

  • Automated alerts for CVEs

  • Monthly patching cycle

  • Emergency patching within 48 hours for critical CVEs

5.3 Application Hardening
  • No plaintext secrets in code

  • API keys securely stored

  • Session expiration enforced

  • Token-based authentication for integrations

6. LOGGING & MONITORING
6.1 System Logs

Generated for:

  • Authentication events

  • CRM sync operations

  • API activity

  • Error and exception tracking

6.2 Security Monitoring
  • Automated anomaly detection

  • Suspicious login reporting

  • Alerts for repeated failed logins

6.3 Log Storage and Retention
  • Logs retained for 90 days

  • Logs stored in encrypted environments

Certain logs may pass through secure Microsoft Office 365 storage when used in:

  • Internal incident review

  • Support escalation

  • File attachments

7. DATA HANDLING & STORAGE
7.1 Primary Hosting

Data is hosted via Wix, which provides:

  • Encrypted storage

  • Firewall protection

  • Redundancy

  • Physical data centre security

  • SOC 2 and ISO 27001 compliance

7.2 Internal Document Storage

Microsoft Office 365 is used for internal processing of:

  • Support communications

  • Issue escalations

  • Documentation

  • Customer attachments

Data stored in OneDrive/SharePoint is encrypted, access-controlled, and regionally isolated based on Microsoft tenant configuration.

7.3 Email Transmission

Support and communication emails are processed via Microsoft Office 365 (Outlook).

Security includes:

  • Encryption in transit

  • Phishing protection

  • Advanced Threat Protection (ATP)

  • MFA for admin accounts

  • Conditional access policies

8. BACKUP & DISASTER RECOVERY
8.1 Backup Procedures
  • Encrypted daily backups

  • Stored geographically separate from production

  • Integrity testing performed regularly

8.2 Retention Period

Backups retained for 90 days.

8.3 Disaster Recovery
  • RTO: 24 hours

  • RPO: 24 hours

  • Documented procedures in Annex F

9. DATA MINIMISATION & RETENTION
9.1 Storage Limitation

We retain Personal Data only as long as required for:

  • Service delivery

  • Compliance

  • Operational necessity

9.2 Retention Enforcement

Automated deletion of:

  • Logs after 90 days

  • Support emails after 24 months

  • Data after contract termination (30 days active, then in backups for 90 days)

10. ORGANISATIONAL MEASURES
10.1 Employee Training

All employees receive training in:

  • GDPR & privacy

  • Security best practices

  • Phishing awareness

  • Incident reporting procedures

10.2 Confidentiality Agreements

All employees and contractors sign confidentiality agreements.

10.3 Vendor Management
  • Annual Sub-Processor reviews

  • Microsoft, Wix, and CRM vendors assessed for compliance

  • SCCs/UK Addendum used for EU/UK to US transfers

11. DATA SUBJECT RIGHTS SUPPORT

The Processor assists Controllers with:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Portability

Processes are documented in the main DPA.

12. INCIDENT RESPONSE & BREACH MANAGEMENT

An Incident Response Plan (Annex H) defines:

  • Detection

  • Triage

  • Containment

  • Eradication

  • Recovery

  • Notification obligations

Sub-Processor incidents—including those from Microsoft Office 365—are:

  • Assessed

  • Escalated

  • Communicated to Controllers without undue delay

13. PHYSICAL SECURITY

Physical security is handled by Sub-Processors (Wix, Microsoft) and includes:

  • 24/7 monitoring

  • Biometric access controls

  • CCTV surveillance

  • Visitor logging

  • Climate controls

  • Redundant power

14. INTERNATIONAL DATA TRANSFER MECHANISMS

For Sub-Processors operating outside the UK/EU, we rely on:

  • SCCs

  • UK Addendum

  • TIAs

  • Microsoft and Wix enterprise security frameworks

  • Encryption & pseudonymisation

15. CONTINUITY OF COMPLIANCE

Channel Chaser conducts:

  • Annual TOMs review

  • Continuous evaluation of Sub-Processor security posture

  • Documentation updates when vendors change behaviour or architecture

16. CONTACT INFORMATION

For questions regarding TOMs:

📩 policy@cairncoms.co.uk
