Information Security Policy

Effective: 24 April 2025

1. Introduction

This document contains the LiveDiligence Limited (LiveDiligence) policy and underlying high level processes in relation to information security.

2. Definition and Scope

The Information Security Policy defines the LiveDiligence approach to information security to ensure that the information it controls, produces or manages is handled confidentially, reliably, with integrity and within the framework of the law and wider regulatory requirements to which LiveDiligence is subject.

This policy is applicable to all employees, contractors, temporary workers, and all third-party intermediaries, solutions or service providers who require access to LiveDiligence information.

3. Roles and Responsibilities

Chief Operations Officer

  • Policy owner.

  • Ensure that information security is implemented and maintained according to this policy.

  • Ensure all necessary resources are available at the appropriate time.

  • Define which information related to information security will be communicated to which interested party (both internal and external), by whom and when.

  • Set the methods for recording, measuring and analysing the information security objectives.

Chief Technology Officer

  • Operational coordination of information security.

  • Reporting on the performance of information security.

  • Implement information security training and awareness programs for employees, which apply to all persons who have a role in information security management.

All Staff / Asset Owners

  • Protect the integrity, availability, and confidentiality of assets.

  • Report all security incidents or weaknesses as soon as they are known.

4. Managing Information Security

Failure to maintain security controls, whether as a result of an accident or an intentional breach, can result in severe consequences for both the organisation and other stakeholders affected.

LiveDiligence holds personal, financial and commercially sensitive data, which requires a proportionate yet robust set of protective measures and controls, both technical and administrative.

4.1 Information Security Goals

To support LiveDiligence in managing its obligations, this policy sets out a number of supportive goals, which form a principle-based framework for how information security is handled:

  • Confidentiality – LiveDiligence will strive to ensure the confidentiality of all corporate client, customer and other stakeholder information.  This will require implementing access restrictions and guidelines to protect privacy and commercially sensitive information detailed in section 5.

  • Integrity - LiveDiligence will ensure the accuracy, trustworthiness and validity of information throughout its life-cycle.  Effective measures, both administrative and technical, will be taken to prevent the alteration of data whether at rest or in transit by unauthorised individuals or processes either wilfully, by negligence, or in error.

  • Availability - Authorised users will have reliable access to information at the time they require it.  The correct measures, procedures and resources must be in place to maximise uptime and ensure that LiveDiligence can operate in the most productive way possible.

  • Training – LiveDiligence will ensure that its staff are fully aware of their information security responsibilities and are given the necessary skillset to confidently manage LiveDiligence information in a secure manner.  This will require a comprehensive information security awareness program, which will educate and continually update all employees in the provision of simple techniques for protecting information assets.

5. Technical Configuration and Security Setup

LiveDiligence is hosted on Microsoft Azure, providing the infrastructure and security for our infrastructure, systems and data. Microsoft Azure is ISO 27001 certified.

5.1 Organisational / personnel

a. All personnel sign confidentiality agreements. Access to code, data, and other information is strictly limited, on a need-to-know basis, to employees who require access to perform their day-to-day work.

b. Where available, all access to third party systems must be configured to require multi-factor authentication.

c. Access to our accounts and systems is logged at all times.

d. Third party systems where confidential information is handled must use role-based access control in order to restrict access on a need to know basis for specific roles or users.

e. Devices used by personnel to access confidential information are controlled and monitored and must make use of LiveDiligence approved antivirus/antimalware protection.

5.2 Data protection & location

a. Commercial data is stored exclusively in datacentres in the U.K. and is encrypted at rest with 256-bit AES encryption while our data in transit is encrypted using the TLS 1.3 protocol with SHA-256.

5.3 Availability & redundancy

a. We are committed to making sure our services are highly available. Our essential cloud services are deployed as zonally redundant resources so that we can continue operations even in the event of hardware failures, network or power outages, or natural disasters.

5.4 Prevention & monitoring.

a. Our systems are continuously being updated and improved to minimise security risks and manage vulnerabilities.

b. We continuously monitor and scan our systems for irregularities, malicious software, and suspicious files, so that we can intervene as soon as any threats or problems are detected.

c. Regular security assessments are done based on best practices and security guidelines to make sure our systems stay secure and protected.

5.5 Access to customer data

a. LiveDiligence personnel may only access customer data where we are processor of that data under the following conditions:

i) for the purpose of incident response, customer support, or disaster recovery.
ii) for no longer than is required to fulfil the purpose of the access.
iii) in an auditable manner.
iv) if we are required by law to access such data.

b. Customer data is never used in development or test environments.

5.6 Physical Security

a. Customer data is stored on Microsoft Azure Cloud and protected by industry leading, multi-layer physical security measures. https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security

5.7 Incident management & Disaster Recovery.

a. All employees are required to immediately report any potential security breach.

b. In the event of a security breach that affects customer data where we are processor, we will communicate with our customer (usually the controller) regarding the severity, scope, root cause, and resolution of the breach.

c. Our back-up policy describes our data backup procedures and recovery methods.

d. We carry out monthly testing of our disaster recovery process to ensure the continuity of our services and integrity of customer data.

5.8 Separation

a. In case of personnel termination or resignation, all access to accounts, credentials, our systems and third-party systems is immediately disabled.

6. Exemptions

If the need for an exemption to any of the elements listed in this policy has been identified, this must be raised as quickly as possible. An exemption should be raised to and approved by the policy owner. All exemptions are time limited to a maximum of 12 months and are assessed for risks on an ongoing basis.

7. Non-compliance

Any breaches of this policy should be reported to the Chief Operations Officer within 24 hours of identification.

Where a breach is identified, this will be dealt with under the LiveDiligence disciplinary policy and procedures.

8. Validity and document management

This document is valid as of 24th April 2025.

The owner of this document is the Chief Operations Officer, who must check and, if necessary, update the document at least once a year.
