Security Policy
Last Updated: April 2026
1. Our Security Commitment
Terra Connect Ltd takes the security of personal data and client systems seriously. We implement technical and organisational measures proportionate to the risks involved in our processing activities, in compliance with UK GDPR Article 32 and the Data Protection Act 2018.
Security is not a one-time activity — we continuously review and improve our security posture to keep pace with evolving threats.
2. Technical Security Measures
Encryption in Transit
All data transmitted between your browser and our website is encrypted using TLS 1.2 or higher. We enforce HTTPS across all pages with HSTS headers.
Content Security Policy
Strict CSP headers prevent cross-site scripting (XSS) attacks by controlling which scripts, styles, and resources can load on our pages.
Clickjacking Protection
X-Frame-Options: DENY prevents our pages from being embedded in frames, protecting against clickjacking attacks.
IP Anonymisation
Google Analytics is configured with anonymize_ip: true, ensuring IP addresses are truncated before storage.
Access Control
Role-based access controls ensure only authorised personnel can access systems and data. Access is reviewed regularly and revoked on departure.
Referrer Policy
Referrer-Policy: strict-origin-when-cross-origin limits the information shared in referrer headers when navigating to external sites.
Dependency Management
We regularly audit and update third-party libraries and dependencies to patch known vulnerabilities.
Backups
Regular backups of client data and system configurations are maintained to enable recovery in the event of data loss or system failure.
3. Organisational Security Measures
- Confidentiality agreements: All staff, contractors, and sub-processors are bound by confidentiality obligations
- Security awareness: Team members are trained on data protection and information security best practices
- Principle of least privilege: Access to personal data is limited to those who need it to perform their role
- Security reviews: We conduct periodic security assessments of our systems and processes
- Vendor assessment: All third-party processors are assessed for security compliance before engagement
- Documented procedures: We maintain written security procedures including incident response plans
4. Data Breach Response
We have a documented incident response procedure. In the event of a suspected or confirmed personal data breach:
Detection & Containment (Hours 0–4)
- The incident is identified and logged with a timestamp
- Immediate containment measures are taken (e.g. isolating affected systems, revoking compromised credentials)
- Our data protection contact is notified immediately
Assessment (Hours 4–24)
- The scope and nature of the breach are assessed
- The categories of personal data and the number of individuals affected are determined
- Likelihood of risk to individuals is evaluated
Notification (Within 72 Hours)
- If the breach is likely to result in a risk to individuals’ rights and freedoms, we notify the ICO within 72 hours of becoming aware (UK GDPR Article 33)
- If the breach is likely to result in a high risk to individuals, we notify affected individuals without undue delay (UK GDPR Article 34)
- If we are acting as a processor, we notify the controller without undue delay (within 24 hours where possible)
Recovery & Review (Post-incident)
- Full recovery of affected systems and data
- Root cause analysis to understand how the breach occurred
- Implementation of measures to prevent recurrence
- Documentation of the breach, its effects, and actions taken (UK GDPR Article 33(5))
5. Responsible Disclosure
If you discover a security vulnerability in our website or systems, we ask that you report it to us responsibly. Please:
- Contact us immediately at privacy@terraconnect.co.uk with the subject “Security Vulnerability”
- Provide a detailed description of the vulnerability and how to reproduce it
- Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
- Do not publicly disclose the vulnerability until we have had reasonable time to investigate and remediate it
We will acknowledge your report within 2 business days and work to resolve confirmed vulnerabilities promptly. We do not currently operate a bug bounty programme.
6. Limitations
While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet. We encourage you to use secure passwords, keep your devices updated, and be cautious about phishing attempts.
7. Contact
For security concerns, vulnerability reports, or questions about this policy:
Security / Data Protection: privacy@terraconnect.co.uk
General: hello@terraconnect.co.uk
Company: Terra Connect Ltd (Company No. 12492304)
Address: 57 Tonbridge Drive, Basildon, SS15 6ND, United Kingdom
To report a breach directly to the regulator: ico.org.uk/for-organisations/report-a-breach