Pyramid Ledger Ltd is a B2B cybersecurity and software-development consultancy registered in England & Wales. As a firm whose work routinely involves protecting our clients' systems and data, we hold ourselves to a high standard of data protection in everything we do — both on this website and in the services we deliver.
This Data Protection Statement explains the legal framework we follow, the principles that govern our processing, the roles we play as a controller and as a processor, the safeguards we apply, and how individuals can exercise their rights. It complements, and should be read alongside, our Privacy Policy, which describes in detail the personal data we collect through this website.
01 Our commitment and the scope of this statement
Pyramid Ledger Ltd is committed to handling personal data lawfully, fairly and transparently, and to embedding data protection into the design of our services and our day-to-day operations. We treat strong information governance not as a compliance burden but as a core part of the cybersecurity assurance our clients expect from us.
This statement applies to personal data we process in connection with this website (https://pyramidledger.com) and our marketing and business-development activities, and it explains the approach we take when we process personal data on behalf of clients while delivering cybersecurity and software-development services.
It does not replace any contract-specific terms. Where we deliver services to a client, the precise data protection arrangements are set out in the relevant services agreement and accompanying Data Processing Agreement (DPA), which take precedence over this general statement in respect of that engagement.
02 The legal framework we follow
We process personal data in accordance with the data protection laws that apply in the United Kingdom. In particular, we comply with:
- the UK General Data Protection Regulation (UK GDPR);
- the Data Protection Act 2018 (DPA 2018), which supplements and tailors the UK GDPR in domestic law; and
- the Privacy and Electronic Communications Regulations 2003 (PECR), which govern cookies, similar technologies and electronic communications.
We also have regard to guidance published by the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection, and we keep our practices under review so that they remain aligned with the law and with recognised good practice.
03 Controller and processor roles
Our role under data protection law depends on the activity in question, and it is important to be clear about which role we occupy.
When we act as a controller
For personal data collected through this website — principally the details submitted via our Contact form and our Get a Quote form — and for our own marketing, business-development and internal business records, Pyramid Ledger Ltd is the data controller. This means we determine the purposes and means of the processing and are responsible for how that data is handled. Our Privacy Policy sets out what we collect in this capacity and why.
When we act as a processor
When we deliver cybersecurity or software-development services to a client, we typically act as a processor (and the client as the controller). In that capacity we process personal data only on the client's documented instructions, for the purposes set out in the engagement, and under a separate Data Processing Agreement that reflects the requirements of Article 28 of the UK GDPR. We do not use client personal data for our own purposes.
In some limited circumstances — for example, our own billing records or our security logs relating to an engagement — we may act as a controller for narrowly defined operational data. Where the position could be unclear, we agree the respective roles with the client in writing before processing begins.
04 The data protection principles
All of our processing is governed by the principles set out in Article 5 of the UK GDPR. We apply them as follows:
- Lawfulness, fairness and transparency — we process personal data only where we have a valid lawful basis, in a way people would reasonably expect, and we are open about what we do.
- Purpose limitation — we collect personal data for specified, explicit and legitimate purposes and do not use it in ways incompatible with those purposes.
- Data minimisation — we collect only the personal data we actually need; our website forms ask for limited, relevant information and treat several fields, such as phone number and company name, as optional.
- Accuracy — we take reasonable steps to keep personal data accurate and up to date, and to correct or erase inaccurate data without delay.
- Storage limitation — we keep personal data only for as long as necessary for the purpose for which it was collected (see Data retention below).
- Integrity and confidentiality (security) — we protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
- Accountability — we take responsibility for our processing and maintain records, policies and controls that allow us to demonstrate our compliance.
05 Lawful bases we rely on
When we act as a controller, we rely on one or more of the following lawful bases under Article 6 of the UK GDPR:
- Legitimate interests — for responding to enquiries submitted through our Contact and Get a Quote forms, for general business development, and for protecting our website and systems against fraud, spam and abuse (including through the Cloudflare Turnstile anti-bot challenge that protects our forms). We balance these interests against the rights and expectations of the individuals concerned.
- Steps prior to entering into a contract / performance of a contract — where you contact us to obtain a quote or to engage our services, processing your details to respond and to negotiate or perform an agreement.
- Legal obligation — where we must process personal data to comply with a legal or regulatory requirement, such as accounting or record-keeping duties.
- Consent — where consent is the appropriate lawful basis for a specific activity. Where we rely on consent, you may withdraw it at any time. The website itself sets only strictly necessary cookies and does not use analytics, advertising or tracking technologies that would require consent.
When we act as a processor for a client, the client is responsible for establishing the lawful basis for the processing, and we process the relevant personal data on their documented instructions.
07 Your rights and how to exercise them
Individuals have rights over their personal data under the UK GDPR. Depending on the circumstances and the lawful basis we rely on, these include the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and rights relating to automated decision-making and profiling. We do not carry out automated decision-making that produces legal or similarly significant effects through this website.
To exercise any of these rights in relation to data for which we are the controller, please contact us at info@pyramidledger.com. We will respond within the statutory time limit, normally one month, and we will not charge a fee in most cases. We may need to verify your identity before acting on a request.
Where your personal data is processed by us on behalf of a client (so that we act as a processor), the client is the controller and is responsible for responding to your request. If you contact us, we will promptly direct your request to the relevant client and assist them as required under our DPA. For full details of how we handle personal data collected through this website, please see our Privacy Policy.
08 How we secure personal data
As a cybersecurity firm, security is central to how we operate. We implement and maintain technical and organisational measures appropriate to the risk, which include:
- Encryption in transit — our website is served over HTTPS and personal data submitted through our forms is encrypted in transit using TLS.
- Access control and least privilege — access to personal data is restricted to authorised personnel on a need-to-know basis, with strong authentication and role-based permissions.
- Vendor due diligence — we assess the security and data protection practices of the processors we use and put written data processing terms in place with them.
- Logging and monitoring — we maintain logs and monitor for suspicious activity so that we can detect and respond to potential security events.
- Secure development — we follow secure software-development practices, including code review and timely patching, and we design with data protection in mind.
- Staff awareness — our people receive appropriate guidance on data protection and information security and are bound by confidentiality obligations.
No method of transmission or storage is completely secure, but we continually review and improve our controls to keep risk to an acceptable level.
09 Sub-processors and international transfers
To run this website and deliver our communications, we rely on a small number of carefully selected service providers who process limited personal data on our behalf under appropriate contractual terms:
- Cloudflare, Inc. — provides hosting, content delivery, security and the Turnstile CAPTCHA that protects our forms from spam and bots. Cloudflare automatically processes limited technical data, such as IP addresses and request logs, for security and delivery purposes.
- Brevo (formerly Sendinblue) — delivers the submissions from our Contact and Get a Quote forms to us as transactional email.
We may also share personal data with our professional advisers, or where we are required to do so by law or to establish, exercise or defend legal claims.
Some of these providers may process personal data outside the United Kingdom, including in the United States. Where personal data is transferred internationally, we ensure an appropriate safeguard is in place as required by the UK GDPR — relying on UK adequacy regulations where they apply, or otherwise on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures needed to protect the data.
10 Data retention
We keep personal data only for as long as is necessary for the purposes for which it was collected, after which we securely delete or anonymise it.
- Enquiry and quote-request data — retained for as long as needed to deal with your enquiry and, where relevant, to pursue a potential business relationship, and thereafter for a reasonable period in line with our legitimate interests.
- Client and contract records — retained for the duration of the engagement and for as long afterwards as required to meet our legal, accounting and regulatory obligations.
- Security and technical logs — retained for a limited period appropriate to their security and operational purpose.
When we act as a processor for a client, personal data is retained and deleted in accordance with the client's instructions and the terms of the applicable DPA.
11 Personal data breaches
We maintain procedures to detect, report and investigate personal data breaches. Our logging and monitoring help us identify potential incidents quickly, and our staff are expected to report any suspected breach without delay so that it can be assessed.
On becoming aware of a personal data breach, we assess the likelihood and severity of any risk to the rights and freedoms of affected individuals. Where we act as the controller and the breach is likely to result in such a risk, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, we will also inform those affected without undue delay.
Where we act as a processor for a client, we will notify the client (the controller) without undue delay after becoming aware of a breach affecting their personal data, and we will assist them in meeting their own notification obligations.
Suspected security incidents can be reported to us at ir@pyramidledger.com.
12 Engaging Pyramid Ledger as a processor
Clients who engage us to deliver cybersecurity or software-development services can expect us to support their own compliance obligations. In that role:
- Data Processing Agreement — we enter into a written DPA that meets the requirements of Article 28 of the UK GDPR, setting out the subject-matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations of each party.
- Documented instructions — we process personal data only on the client's documented instructions and for the agreed purposes.
- Sub-processor transparency — we maintain transparency about the sub-processors we use, and we engage them under terms consistent with our own obligations.
- Assistance with data-subject requests — we assist clients, by appropriate technical and organisational measures, in responding to requests from individuals exercising their rights.
- Support for compliance — we assist clients with their obligations relating to security, breach notification and, where relevant, data protection impact assessments, and we make available the information needed to demonstrate compliance.
A copy of our standard DPA is available on request. To discuss the data protection arrangements for an engagement, please contact us at info@pyramidledger.com.
13 Data protection contact and complaints
If you have any questions about this Data Protection Statement, about how we handle personal data, or if you wish to exercise your rights, please contact us:
- Pyramid Ledger Ltd, EC1V 2NX, London, United Kingdom
- Email: info@pyramidledger.com
- Security-incident reports: ir@pyramidledger.com
- Telephone: +44 (0) 20 4584 2944
We are registered in England & Wales. We would always encourage you to raise any concern with us in the first instance so that we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at https://ico.org.uk.