Data Protection & Security
Our practical approach to safeguarding information and acting on your instructions under UK GDPR.
Last updated: 7 September 2025
This page summarises how TaskWizard Limited (“we”, “us”) protects information when providing remote administrative services. It sits alongside our Privacy Policy, Cookie Policy and Terms of Service.
1) Roles & scope
- Controller (our operations): for enquiries, billing, recruiting and running our business, we are the data controller.
- Processor (your operations): when we handle personal data strictly on your documented instructions to perform tasks for your organisation, you are the controller and we act as your processor.
- DPA: if we process personal data for you, we can sign a Data Processing Addendum that incorporates UK GDPR terms.
 
2) Security principles we follow
- Least-privilege access: only the minimum access needed, granted to named users with role-based permissions where possible.
- Need-to-know confidentiality: staff and subcontractors are bound by confidentiality and trained on data handling.
- Data minimisation: collect and keep only what’s necessary for the tasks agreed.
- Integrity & availability: sensible file naming/versioning, routine backups where we host data, and clear restore routes.
- Accountability: light SOPs/checklists for repeatable processes, with change logs for key client procedures.
 
3) Access management
- We prefer SSO or separate role accounts. If shared credentials are unavoidable, we store them using a secure method agreed with you and rotate them if required.
- We enable MFA where supported and encourage IP/device restrictions if your tools allow.
- Onboarding and off-boarding checklists ensure access is granted and revoked promptly.
 
4) Technical & organisational measures (overview)
- Encryption: data is encrypted in transit via TLS, and encrypted at rest where the platform supports it.
- Device security: modern OS, disk encryption, auto-lock, anti-malware, and patching policies.
- Segregation: client folders/workspaces kept separate with clear ownership and access lists.
- Logging: activity logs retained where available in the platform; reviewed on exception or incident.
- Backups: for artefacts we host, scheduled backups with periodic restore tests; where you host data, we follow your backup regime.
 
5) Collecting, sharing & retaining data
- Collection: limited to task delivery (e.g., correspondence, document control, CRM updates). We avoid special category data unless essential and agreed.
- Sharing: only with your team, your named suppliers, or our core service providers supporting delivery (see “Subprocessors”). We do not sell personal data.
- Retention: kept for as long as needed for the task/contract and legal requirements. Typical retention mirrors what is in our Privacy Policy.
 
6) Subprocessors & international transfers
We use reputable third-party providers (e.g., hosting, email, productivity, storage, ticketing, scheduling) to deliver services efficiently. A list of our core providers is available on request.
Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as an adequacy decision or standard contractual clauses with the UK International Data Transfer Addendum. We assess material changes in transfer risks periodically.
7) Incidents & breach notification
- We maintain an incident response flow covering identification, containment, assessment and remediation.
- If we become aware of a personal data breach affecting your data while acting as processor, we will notify you without undue delay and share the information we have to support your assessment and notifications.
 
8) Data subject requests
For processor activities, we forward any request we receive (access, rectification, erasure, objection, restriction or portability) to you without undue delay and assist you where reasonable and lawful. For controller activities, see our Privacy Policy for how to exercise your rights with us.
9) Deletion, return & off-boarding
- At the end of our engagement—or on your request—we will return or delete data we hold for you, unless retention is required by law or legitimate business needs (e.g., accounting records).
- We can provide a concise off-boarding pack (access lists, folder locations, open actions) to support a clean handover.
 
10) Your responsibilities
- Act as data controller for your business operations and provide clear, lawful instructions.
- Decide which systems to use, grant/revoke access promptly, and maintain your own security baselines (MFA, backups, patching).
- Tell us if specific regulatory, contractual or sector requirements apply so we can align our approach.
 
11) Questions & contacts
- Privacy contact: info@task-wizard.co.uk
- UK regulator: Information Commissioner’s Office — ico.org.uk (Tel: 0303 123 1113)
 
This page is a summary of our approach and does not replace a signed Data Processing Addendum where required. It does not constitute legal advice.
