This document provides information about the technical and organisational measures and controls implemented to ensure an appropriate level of security.
1. Overview
We have implemented a risk-based approach to our technical and organisational measures in accordance with the principles of confidentiality, integrity and availability to ensure the security of personal data.
Lead Forensics operates an ISO 27001-certified information security management system.
2. The Lead Forensics Product
Lead Forensics offers a SaaS solution that identifies website visitors and provides actionable leads within a business-to-business environment.
3. Information Security Management System (ISMS) Framework
Lead Forensics runs an ISMS that implements a risk-based approach to information security, selecting appropriate security controls and processes based on a regularly reviewed and updated risk assessment.
ISO 27001 is the international standard that specifies a best-practice ISMS and covers compliance requirements. The Lead Forensics ISMS is certified to ISO 27001 by independent UKAS-accredited auditors.
Access to ISMS Documentation
We can share our ISO 27001 Statement of Applicability and Information Security Policy freely with customers, prospective customers and other relevant parties. Detailed policies, external audit reports, and technical procedures can be shared as part of due diligence once the requesting party has agreed to an NDA.
The details of our risk assessment, as well as some technical design details and procedures, are confidential and cannot be shared. In these cases, we will share the policies that define the security standards that Lead Forensics will adhere to, even if we cannot reveal the technical details.
Security documentation requests should be emailed to [email protected]
4. Physical Security
- Locked doors on all entrances/exits (e.g., electronic locks, physical locks)
- Access control systems (biometric security, access card security)
- 24/7 Reception/security personnel
- CCTV systems
- Additional physical security measures to protect IT equipment (partitioned server room, fireproof safe, etc.)
- Secure disposal bins for confidential paper waste (shredded on-site)
- Certified waste disposal for electronic waste
5. Control of Access to IT Systems and Physical Environments
- Access permission to physical IT areas is restricted to staff who specifically require it
- Multi-Factor Authentication required for access to systems
- Separate accounts with specific role assignments used for administrative purposes. Role-based access controls and the application of the principle of least privilege are implemented universally
- We require the use of strong/complex passwords and are transitioning to the use of passwordless technologies internally
- Multiple authentication layers on internal applications
- Automatic locking of IT terminals and devices after periods of inactivity, with passwords required to re-access
- Password databases are subject to strong encryption/hashing
- Audits of security procedures are conducted annually, as a minimum
- Specialised training for employees
6. Protect Personal Data Against Cyber-Attack
- Multi-Factor Authentication is required for access to systems
- Firewalls configured with an implicit deny stance
- Hardware Asset Register maintained
- Software/firmware records maintained
- Vulnerability management process ensures systems are patched/updated in alignment with multiple frameworks
- Mature software patching process
- All cloud service management access requires multi-factor authentication
- Anti-virus/anti-malware installed on all systems
- EDR solution deployed
- Data backups encrypted with private keys
- Regular Backup restore testing
- All off-site backups are stored encrypted in offline archives
- Annual third-party penetration testing
- Monthly internal penetration testing
- All staff are subject to automated anti-phishing training/simulations, security and compliance awareness training
- All laptops encrypted
7. Processors and the Supply Chain
We conduct due diligence on any prospective processor or supplier processing data. We require them to commit to commercial and Data Processing Agreements (where personal data is processed) that meet the necessary regulatory conditions. We conduct an annual audit to review our supply chain.
8. Storage Limitation
We have backup retention limits implemented with automatic lifecycle policies (archive and expiry).
At least annually, we review the retention periods for personal data and apply the storage limitation principle to our data deletion/retention policy.
9. Detecting Security Events
- Advanced Threat Analytics actively deployed
- Automated security event alarms
- User risky sign-in detection and alerting
- Centralised logging systems whose records cannot be edited
- SIEM deployed to automatically analyse security logs and raise alerts
10. Minimising Impact
- Availability management policy
- Resilient IT services with minimised single points of failure
11. Encryption
Data at rest
We use encryption at rest for our application data whenever we process data.
Data in transit
All data is encrypted in transit over public networks. We regularly review and update the encryption standards to stay aligned with current best practices.
12. Response and Recovery Planning
We have implemented incident management processes and procedures, including pre-approved incident response plans for:
- Ransomware
- A security incident triggering a personal data breach
- Denial of service
Business Continuity Processes (BCP) and Procedures are in place and are reviewed and tested annually.
13. Data Protection by Design and Default
We consider appropriate data protection principles and integrate the necessary safeguards into conceptual product and process innovation to meet the requirements of the Regulation and the rights of data subjects.
14. Data Controller and Data Processor Workflows and Agreements
- We align our technical and procedural workflows with our responsibilities for the personal data we handle, and document them in a Record of Processing Activities (ROPA)
- Binding agreements appropriate to the personal data being shared or processed are required between data controllers and data processors
- We regularly review the technical and organisational workflows and controls in place, and have a formal annual audit
15. Committed to Improvement
We are committed to reviewing our processes, policies, and documentation as follows:
- ISMS system with regular process reviews and audits
- Incident Review Processes to identify improvement opportunities
- Companywide annual audit conducted by Data Compliance
- External auditors conduct quarterly audits
16. Certification
- ISO 27001 Certification
- PCI DSS Certification
- Registered with the ICO
| V2.1 | Last reviewed January 2026 |
