Technical and Organisational Measures (TOMs) V2

This document provides information about the technical and organisational measures and controls implemented to ensure an appropriate level of security.

1. Overview

We have implemented a risk-based approach to our technical and organisational measures in accordance with the principles of integrity, availability and confidentiality to ensure the security of personal data.

Lead Forensics runs an ISO 27001-accredited information security management system.

2. The Lead Forensics Product

Lead Forensics offers a SaaS solution that identifies website visitors and provides actionable leads within a business-to-business environment.

3. Information Security Management System (ISMS) Framework

Lead Forensics runs an ISMS which implements a risk-based approach to information security, selecting appropriate security controls and processes based on a risk assessment that is regularly reviewed and updated.

ISO 27001 is the international standard that provides the specification for a best-practice ISMS and covers compliance requirements. The Lead Forensics ISMS is certified to ISO27001 by independent UKAS accredited auditors.

Access to ISMS Documentation

We can share our ISO27001 Statement of Applicability and Information Security Policy freely with customers, prospective customers and other relevant parties. Detailed policies, external audit reports and technical procedures can be shared as part of a due diligence procedure once the requesting party has agreed to an NDA.

The details of our risk assessment and some technical design details and procedures are confidential and unable to be shared. In these cases, we will share the policies that define the security standards that Lead Forensics will adhere to, even if we cannot reveal the technical detail.

Security documentation requests should be emailed to [email protected]

4. Physical Security

- - Locked doors on all entrances/exits (e.g., electronic locks, physical locks)
  - Access control systems (biometric security, access card security)
  - 24/7 Reception/security personnel
  - CCTV systems
  - Additional physical security measures to protect IT equipment (partitioned server room, fireproof safe, etc.)
  - Secure disposal bins for confidential paper waste (shredded on-site)
  - Certified waste disposal for electronic waste

5. Control of Access to IT Systems and Physical Environments

- - Access permission to physical IT areas restricted to staff who specifically require it
  - Multi-Factor Authentication required for all remote access to systems
  - IT security systems have individual user login and unique usernames
  - Role-based access control with least privilege and need to know basis
  - We require the use of strong/complex passwords
  - We encrypt all data in transit on public networks
  - We use encryption at rest for our application data wherever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of our data
  - Multi-authentical layers on internal applications
  - Automatic locking of IT terminals and devices after periods of inactivity, with passwords required to re-access
  - Password databases are subject to strong encryption/hashing
  - Audits of security procedures conducted annually, as a minimum
  - Specialised training for employees

6. Protect Personal Data Against Cyber-Attack

- - Multi-factor authentication for all remote access to systems
  - Firewalls maintained with the least access rulebase
  - Hardware Asset Register maintained
  - Software\Firmware records maintained
  - Vulnerability management process ensures systems are patched/updated according to industry best practices
  - Regular Software Security Update Processes and Procedures
  - All Cloud Management Platforms require MFA Authentication
  - Anti-Virus\Anti-Malware Installed on systems
  - EDR solution deployed
  - Data backups encrypted with Private keys
  - Regular Backup restore testing
  - All offsite backups are stored encrypted in offline archives
  - Annual 3rd Party Penetration testing
  - Monthly internal Penetration testing
  - All staff subject to automated anti-phishing training/simulations
  - All laptops encrypted

7. Processors and the Supply Chain

We conduct due diligence on any prospective processor or supplier processing data. We require them to commit to commercial and Data Processing Agreements (where personal data is processed) that meet the necessary regulatory conditions. We conduct an annual audit to review our supply chain.

8. Storage Limitation

We have backup retention implemented with automatic lifecycle policies (archive and expiry).

At least annually, we review the retention periods for personal data and apply the storage limitation principles to our data deletion/retention policy.

9. Detecting Security Events

- - Advanced Threat Analytics actively deployed
  - Automated security event alarms
  - User risky sign-in detection and alerting

10. Detecting Security Events

- - Centralised un-editable Logging Systems
  - SIEM deployed to automatically analyse security logs and raise alerts

11. Minimising Impact

- - Availability management molicy.
  - Resilient IT services with Minimised Single Points of Failure

12. Encryption

Data at rest

We use encryption at rest for our application data whenever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of data.

Data in transit

All data is encrypted in transit over public networks. We regularly review and update the encryption standards to stay aligned with current best practices.

13. Response and Recovery Planning

We have implemented Incident Management processes and procedures, including pre-approved incident response plans for:

- - Ransomware
  - A security incident triggering a personal data breach
  - Denial of service

Business Continuity Processes (BCP) and Procedures are in place and are reviewed and tested annually.

14. Data by Design and Default

We consider appropriate data protection principles and the integration of the necessary safeguards into conceptual product and process innovation to meet the requirements of the Regulation and the rights of data subjects.

15. Data Controller and Data Processor Workflows and Agreements

- - We consider our technical and procedural workflows to align with the responsibility of personal data, and document ROPA (Records of Processing Activities)
  - Binding agreements appropriate to the personal data being shared or processed are required between data controllers and data processors
  - We regularly review the technical and organisational workflows and controls in place and have a formal annual audit

16. Training and Awareness

- - All new employees complete IT security training
  - All new employees are required to complete Data Compliance training
  - Existing employees receive periodic compliance, IT security and policy awareness training
  - Hybrid/home workers must comply with IT/HR policies
  - Data Compliance is tasked with developing a culture of data protection awareness

17. Committed to Improvement

We are committed to reviewing our processes, policies, and documentation as follows:

- - ISMS system with regular process reviews and audits
  - Incident Review Processes to identify improvement opportunities
  - Companywide annual audit conducted by Data Compliance
  - External auditors conduct quarterly audits

18. Certification

- - ISO 27001 Certification
  - PCI DSS Certification
  - Registered with the ICO

V2	Last modified February 2025

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__zlcmid	1 year	__zlcmid is a cookie set by Zopim to help identify a user's chat session between page loads.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__gtm_campaign_url	session	This cookie is used to collect campaign information from the referring URL, used to improve campaign relevance.
__gtm_referrer	session	This cookie is used to identify and store the referring URL to improve the quality of campaigns.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_M827Q9YV22	2 years	This cookie is installed by Google Analytics.
_gat_UA-22580480-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_session_id	14 days	Cookie set by G2 to store the visitor’s navigation by recording the landing pages. This allows the website to present products and indicate the efficiency of the website.
Hotjar	1 year	In order to process data about your visit to a website, Hotjar stores first-party cookies on your browser.
lfuuid	9 years 8 months 7 days 9 hours	This cookie is used to store information on user preferences, to provide offers that are targeted to individual interests.
site_identity	1000 days	This cookie is set when the email recipient clicks through a Live Web Tracking tracked link. This cookie is for scout.salesloft.com. We do this to allow multi-site tracking.
sli_token	30 days	This cookie is set when the email recipient clicks through a Live Web Tracking tracked link.
sliguid	12 months	This cookie provides an anonymous user identifier across multiple requests.
slireg	7 days	This cookie identifies the Salesloft server region that the Team’s data is on.
slirequested	12 months	Once the sliguid cookie has been confirmed against a central server, this cookie is set for every request that comes in.
Unbounce	Session	Cookies to track page stats and attribute a conversion event back to a specific page using the page ID and variant letter. Unbounce cookies do not store any personally identifiable information and cannot be used to identify an individual based on the information stored in them directly.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
_ccpx_u	1 year	Unique ID to facilitate advertising
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_li_ss – liadm.com	29 Days	Unique ID to facilitate advertising
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
lidid – liadm.com	1 year	Unique ID to facilitate advertising
NextRoll	13 months	NextRoll cookies are being used for the purpose of advertising.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
tuid – usbrowserspeed.com	1 year	Unique ID to facilitate advertising

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
loglevel	never	No description available.
zte2095	session	No description

Technical and Organisational Measures (TOMs) V2

Product

Customers

Resources

About Us