Data Security & Safety

Purpose and Scope

This policy outlines Dragonfish’s commitment to ensuring the security and safety of data within the Lumin platform. It applies to all Dragonfish employees, contractors, and third-party developers who access, use, or manage the Lumin platform and its data. This policy specifically addresses the unique characteristics of Lumin, where the primary data comprises anonymised survey response data. All personal data, if ever collected, is anonymised at source. This means that no personally identifiable data is captured at any point in the process.

Definitions

● Anonymised Data: Data that does not relate to an identified or identifiable natural person and cannot be re-identified by any means reasonably likely to be used.
● Authorised Personnel: Individuals granted access to Lumin based on business need and role.
● Third-Party Developers: External developers contracted to build or maintain aspects of the Lumin platform under data protection and confidentiality agreements.
● Data Subject Rights: Rights under GDPR such as access, rectification, and erasure, which do not apply to fully anonymised data.

Legal Basis and Compliance

Due to the anonymised nature of data processed by Lumin, data subject rights do not apply to survey responses, as Dragonfish does not retain any personally identifiable information. Nonetheless, Dragonfish still ensures it continues to uphold best practices as required by the UK GDPR and the Data Protection Act 2018. Where applicable, this may include consent or legitimate interests.

Important note on reporting thresholds: While the Lumin platform is designed to collect and report anonymised data, Dragonfish actively reviews reporting levels to ensure that aggregated results do not risk indirect identification. Suppression thresholds and segmentation filters are managed to prevent any possibility of re-identification. Dragonfish regularly consults legal guidance, including best practice from the ICO, the EU Data Protection Board, and the GDPR, to ensure that its handling of small-group reporting remains compliant with the principle of data minimisation and does not constitute personal data processing.

For any questions or concerns regarding data protection, please contact our Data Protection Officer at dpo@dragonfishuk.com.

Core Principles

  • Confidentiality: Access is restricted to authorised users with a legitimate business purpose. Confidentiality is upheld in line with legal, contractual, and ethical obligations.
  • Anonymity: The anonymity of survey respondents is guaranteed. No personal data is collected in a way that links directly or indirectly to survey responses, ensuring that respondents cannot be identified.
  • Integrity: Controls are in place to ensure the accuracy and consistency of all anonymised data. Measures prevent unauthorised or accidental data modification or deletion. Secure development practices help maintain system integrity.
  • Availability: Lumin is engineered for resilience, ensuring reliable access to authorised users. Downtime is minimised through continuity planning and disaster recovery protocols.
  • Compliance: Dragonfish complies with the UK GDPR, Data Protection Act 2018, and all relevant contractual obligations. Policies are reviewed annually or following material changes in regulations or platform design.

Data Anonymity and Protection

Dragonfish is unequivocally committed to maintaining the anonymity of survey respondents. Key anonymity safeguards include:

  • Aggregated Reporting: Data is only shared at levels (e.g., department, grade) where identification risk is minimal.
  • Minimum Group Thresholds: Suppression is applied where fewer than six (6) individuals are present in a data group. This threshold is based on industry best practices to minimise the risk of indirect identification. Group sizes smaller than six may provide enough detail to potentially identify individuals, so data suppression ensures that anonymity is maintained.
  • Design-Led Anonymity: The platform’s architecture prevents re-identification by design.

Data Security Measures

Data Hosting and Infrastructure

The Lumin platform and its database are hosted on Amazon Web Services (AWS), utilising:

  • EC2 (Elastic Compute Cloud) for the application server.
  • RDS (Relational Database Service) for the database.

AWS is a widely trusted cloud provider used by major enterprises and governments worldwide. The data is currently hosted in the “Europe (London) – eu-west-2” region. This region was selected to balance performance, data residency, and compliance.

Server-Level Protections

  • AWS Security Groups act as a firewall to only allow necessary traffic.
  • SSH access is restricted to authorised IPs and secured with key-based authentication.
  • IAM roles are configured with least-privilege access.

Application-Level Protections

  • Environment variables are stored securely.
  • HTTPS is enforced for all web traffic.
  • Built-in protections against CSRF, XSS, and other vulnerabilities are enabled.
  • Application debug mode is disabled in production.

Data in Transit

  • All data is encrypted using TLS protocols.
  • HTTPS is enforced for all web access.

Data at Rest

  • Anonymised data is encrypted with AES-256 or equivalent.
  • Encryption keys are securely stored and rotated per Dragonfish encryption procedures.

Access Control

  • Role-Based Access Control (RBAC) is implemented.
  • Strong passwords and, where appropriate, Multi-Factor Authentication (MFA) are enforced.
  • Access logs are maintained and reviewed regularly.

Secure Development Practices

  • All development follows secure coding standards (e.g., OWASP).
  • Static and dynamic testing is conducted as part of secure release practices.

Vulnerability Management

  • Regular vulnerability scans are conducted.
  • Patches are applied according to risk-based severity timelines.
  • All risks are tracked and reviewed per the Vulnerability Management Procedure.

Logging and Monitoring

  • All system activity is logged and monitored.
  • Intrusion detection and prevention systems (IDPS) are in place.

Data Residency and Compliance

Dragonfish ensures that all data is stored and processed in compliance with applicable data protection regulations. The Lumin platform’s data is hosted in the “Europe (London) – eu-west-2” AWS region, aligning with the UK GDPR and other relevant data residency requirements. AWS provides a range of compliance certifications and adheres to international standards, ensuring that our infrastructure meets stringent security and privacy obligations.

Downloaded data is safely stored on Egnyte’s cloud platform in secure, ISO-certified data centers spread across multiple locations. Built-in redundancy ensures reliability, while strong encryption protects data both at rest and in transit. Access is tightly controlled, so only authorised personnel can retrieve or make changes.

Third-Party Developer Security

All third-party developers are contractually bound by strict data security and confidentiality clauses. Controls include:

  • Contractual Terms: Agreements include data anonymisation clauses and audit rights.
  • Access Controls: Time-limited and role-specific access is issued with unique credentials.
  • Security Testing: Code reviews and vulnerability scans validate all third-party work.
  • Audit Rights: Dragonfish reserves the right to audit developer security practices.
  • Prohibited Actions: Attempting to deanonymise data is strictly forbidden.

Data Retention and Disposal

Unless otherwise agreed with the client, data is retained for six (6) years to support:

  • Year-on-year comparison.
  • Inclusion in aggregated benchmarking datasets.

After this period:

  • Row-level survey data is permanently deleted.
  • Aggregated, fully anonymised data may be retained for long-term analytical purposes.

All data is disposed of in line with Dragonfish’s secure disposal practices to prevent recovery.

Incident Response

Dragonfish is committed to ensuring data security and promptly addressing any security incidents that may arise. We continually monitor and manage security risks to protect the privacy of our users and their data.

Responsibilities

  • Dragonfish IT Department: Oversees security implementation and technical controls. Maintains related policies and incident response plans.
  • Dragonfish Developers: Follow secure coding standards. Cooperate in vulnerability mitigation. Promptly report potential security issues.
  • All Dragonfish Employees: Comply with this policy. Report any suspected security incidents immediately. Complete annual security training.
  • Data Owners: Typically client-side stakeholders or designated project leads who are responsible for ensuring that data collected through Lumin is handled in line with agreed protocols, ethical standards, and this policy.

Contracts, Liability & Insurance

All client engagements involving the Lumin platform are governed by contractual Terms & Conditions that reflect the security and privacy commitments in this policy. These include liability provisions, limitations on data access, and data protection measures. Dragonfish maintains appropriate professional and cyber liability insurance to cover risks associated with data handling, anonymisation breaches, and service disruption.

Policy Review and Contact

This data security and safety policy will be reviewed and updated periodically to reflect any changes in our practices, technologies, or legal requirements. The date of the last review is 25th April 2025. Dragonfish will communicate any significant changes to this policy through appropriate channels.
