Security, Compliance & Operational Resilience

Last Updated: 02/02/2026

Our Commitment to Data Governance

At LicenceSync, data security is the foundation of our forensic assurance process. As an independent consultancy supporting regulated and enterprise-scale organisations, we operate under a transparent Governance Framework designed to protect client intellectual property and sensitive metadata.

1. Personnel Vetting & Standards

  • BPSS Cleared: All consultancy engagements are led by a specialist holding current Baseline Personnel Security Standard (BPSS) clearance. This is the required security vetting for individuals handling sensitive UK government and financial sector data.

  • ICO Registered: LicenceSync is registered with the Information Commissioner’s Office (ZA768925) and operates in strict accordance with the Data Protection Act 2018.

  • NDA-Ready: We operate a confidentiality-first approach. We are accustomed to executing specific Non-Disclosure Agreements (NDAs) to formalise data protection before any technical discovery begins.

2. Hybrid Data Processing Model

We utilise a tiered approach to data analysis, ensuring that automated "heavy lifting" is performed in audited environments while bespoke reconciliation is handled with strict local controls.

  • Tier 1: Automated Forensics (ISO 27001): Primary tenant ingestion and large-scale metadata analysis are performed within an ISO 27001-certified SaaS environment. This ensures that the ingestion of tenant metadata meets internationally recognised security standards.

  • Tier 2: Bespoke Reconciliation (Local Controls): Where specific manual reconciliation is required (e.g., matching HR leaver lists to active IDs), data is handled by a BPSS-vetted consultant on BitLocker-encrypted hardware.

  • Secure Ingestion: We strictly avoid unsecured email attachments for sensitive datasets, utilising MFA-protected encrypted transfer portals (e.g., SharePoint/OneDrive) for all document exchanges.

3. Data Minimisation & Retention (UK GDPR)

We act as a Data Processor under UK GDPR, focusing on the principle of data minimisation.

  • Forensic Purge Policy: By default, all PII (names, emails, UPNs) and client-sensitive datasets are forensically deleted within 30 days of final report delivery, unless a longer "Aftercare" period is contractually agreed.

  • Zero-Sharing Policy: We never share data with third parties—including Microsoft—without explicit written consent.

  • Proactive Management: We continually review our security posture to stay ahead of evolving threats and ensure alignment with the latest UK data protection regulations.

4. Operational Resilience (Business Continuity)

To mitigate "Key Person Risk," we maintain a robust Business Continuity Plan (BCP) to ensure project delivery is never compromised:

  • Peer Substitution: LicenceSync maintains a network of independent BPSS-vetted partner consultants who can be onboarded as substitutes under our standard Terms of Service. This ensures that in the event of primary consultant unavailability, project momentum is maintained by a specialist of equal vetting and expertise.

  • Daily Handover Logs: We maintain internal "Project Status Checklists" updated at the close of each business day. These logs document current progress, pending data reconciliations, and next steps, allowing for a seamless transition to a partner consultant if required.

  • Hardware Redundancy: We maintain a secondary encrypted device ready for immediate deployment in the event of primary hardware failure.

  • Cloud Persistence: All project work-papers are synced in real-time to an encrypted, MFA-protected cloud repository. This ensures that the "Intellectual Property" of the audit remains accessible to the client even in the event of consultant unavailability.

Compliance FAQs

Do you require Global Admin credentials?

No. To maintain the principle of Least Privilege, we typically use limited-scope, "Global Reader" permissions to ingest metadata, ensuring we have no write-access to your environment.

How do you ensure my data is kept confidential?

All client information is handled strictly on a need-to-know basis. Beyond our BPSS vetting, we enforce Role-Based Access Control (RBAC) and advanced encryption to ensure data remains siloed and protected.

What insurance coverage do you hold?

LicenceSync Consulting Ltd is fully indemnified by Hiscox Insurance Company Limited with the following limits:

  • Professional Indemnity: £2,000,000

  • Public Liability: £2,000,000

  • Employers’ Liability: £5,000,000