Security, Compliance & Operational Resilience

Last Updated: 02/02/2026

Our Commitment to Data Governance

At LicenceSync, data security is the foundation of our forensic assurance process. As an independent consultancy supporting regulated and enterprise-scale organisations, we operate under a transparent Governance Framework designed to protect client intellectual property and sensitive metadata.

1. Personnel Vetting & Standards

  • BPSS Cleared: All consultancy engagements are led by a specialist who holds a current Baseline Personnel Security Standard (BPSS) check. BPSS is the pre-employment screening standard HM Government requires for anyone with access to government assets, and it is the baseline on which higher National Security Vetting levels (SC, DV) are built; it is also widely adopted by financial-sector organisations for staff handling sensitive data. Note that BPSS is a screening standard, not a National Security Vetting clearance in its own right.

  • ICO Registered: LicenceSync is registered with the Information Commissioner’s Office (ZA768925) and operates in strict accordance with the Data Protection Act 2018.

  • NDA-Ready: We operate a confidentiality-first approach. We are accustomed to executing specific Non-Disclosure Agreements (NDAs) to formalise data protection before any technical discovery begins.

2. Hybrid Data Processing Model

We utilise a tiered approach to data analysis, ensuring that automated "heavy lifting" is performed in audited environments while bespoke reconciliation is handled with strict local controls.

  • Tier 1: Automated Forensics (ISO 27001): Primary tenant ingestion and large-scale metadata analysis are performed within a SaaS platform whose provider holds ISO/IEC 27001 certification. Ingestion of tenant metadata therefore takes place in an environment audited against an internationally recognised information security management standard.

  • Tier 2: Bespoke Reconciliation (Local Controls): Where manual reconciliation is required (e.g., matching HR leaver lists to still-active user IDs), the data is handled by a BPSS-vetted consultant on Windows devices protected with BitLocker full-disk encryption.

  • Secure Ingestion: We do not accept sensitive datasets as email attachments. All document exchange takes place through MFA-protected, encrypted transfer portals (e.g., SharePoint/OneDrive), so data is encrypted in transit and access is tied to an authenticated identity.

3. Data Minimisation & Retention (UK GDPR)

We act as a Data Processor under UK GDPR, focusing on the principle of data minimisation.

  • Forensic Purge Policy: By default, all personal data (names, email addresses, UPNs) and client-sensitive datasets are securely deleted within 30 days of final report delivery, unless a longer "Aftercare" retention period is contractually agreed.

  • Zero-Sharing Policy: We never share data with third parties—including Microsoft—without explicit written consent.

  • Proactive Management: We continually review our security posture to stay ahead of evolving threats and ensure alignment with the latest UK data protection regulations.

4. Operational Resilience (Business Continuity)

To mitigate "Key Person Risk," we maintain a robust Business Continuity Plan (BCP) to ensure project delivery is never compromised:

  • Peer Substitution: LicenceSync maintains a network of independent BPSS-vetted partner consultants who can be onboarded as substitutes under our standard Terms of Service. This ensures that in the event of primary consultant unavailability, project momentum is maintained by a specialist of equal vetting and expertise.

  • Daily Handover Logs: We maintain internal "Project Status Checklists" updated at the close of each business day. These logs document current progress, pending data reconciliations, and next steps, allowing for a seamless transition to a partner consultant if required.

  • Hardware Redundancy: We maintain a secondary encrypted device ready for immediate deployment in the event of primary hardware failure.

  • Cloud Persistence: All project work-papers are synced in real time to an encrypted, MFA-protected cloud repository. The intellectual property of the audit therefore remains accessible to the client even if the consultant becomes unavailable.

Compliance FAQs

Do you require Global Admin credentials?

No. In keeping with the principle of least privilege, we do not ask for Global Administrator. We typically request a read-only directory role, normally Global Reader (the read-only counterpart of Global Administrator), which lets us enumerate user, group and licence metadata but grants no write access to your environment. Global Reader is tenant-wide in scope, so we recommend clients assign it to a dedicated account for the engagement and remove it when the work concludes.
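Clients who want to confirm that an engagement account holds nothing beyond Global Reader before granting access can do so with the Microsoft Graph PowerShell SDK. The script below is an added example written for this page, not LicenceSync's own tooling; the consultant UPN is a placeholder, and it assumes the Microsoft.Graph modules are installed and that the person running it can read directory role assignments. The Global Reader role definition ID is the built-in template ID, which is the same in every tenant.

```powershell
# Added example (not LicenceSync's tooling): list the directory roles assigned
# to a consultant account and flag anything other than Global Reader.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Placeholder UPN for the engagement account (assumption).
$consultantUpn = "licencesync-readonly@contoso.example"

# Built-in template ID of the Global Reader role; identical across tenants.
$globalReaderId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"

$user = Get-MgUser -UserId $consultantUpn -Property Id, UserPrincipalName

# Active role assignments for this principal. PIM-eligible (not yet activated)
# assignments are not returned here, so check PIM separately if you use it.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'"

if (-not $assignments) {
    Write-Warning "No directory roles are assigned to $($user.UserPrincipalName)."
}

foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId

    # '/' means the assignment is tenant-wide; anything else is an
    # administrative-unit or application scope.
    $scope = if ($a.DirectoryScopeId -eq '/') { 'tenant-wide' } else { $a.DirectoryScopeId }

    if ($a.RoleDefinitionId -eq $globalReaderId) {
        Write-Output  "OK        $($def.DisplayName) [$scope]"
    } else {
        Write-Warning "UNEXPECTED $($def.DisplayName) [$scope] - review before granting access"
    }
}
```

Run this after creating the engagement account and again at close-out; the second run should show no assignments at all once the role has been removed.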

How do you ensure my data is kept confidential?

All client information is handled strictly on a need-to-know basis. Beyond BPSS vetting of the people involved, we enforce role-based access control (RBAC) on our repositories and encrypt data both at rest (BitLocker on local devices) and in transit (MFA-protected transfer portals), so each client's data remains siloed and protected.

What insurance coverage do you hold?

LicenceSync Consulting Ltd holds the following cover with Hiscox Insurance Company Limited:

  • Professional Indemnity: £2,000,000

  • Public Liability: £2,000,000

  • Employers’ Liability: £5,000,000