In accordance with the UK Data Protection Act 2018 - this data privacy document is intended to provide you with information as to how Cyber Due Diligence Ltd treat personal data received from you in connection with our legitimate business activities.

Cyber Due Diligence Ltd have implemented documented systems and processes that are aimed at full compliance with the major principles that are the basis of GDPR and the Data Protection Act requirements; namely:

• Data Accuracy - the requirement that all personal data collected and processed by the Group shall be Accurate and Correct.

• Data Minimisation - the requirement to only collect, process and retain the minimum of data that is appropriate to the lawful purpose for which it has been collected and used.

• Integrity and Confidentiality - the requirement for those systems and processes on which such personal data is held to be secure, confidential and to have integrity of purpose, maintenance, and retention - preferably with such requirements built into those systems rather than being appended.

• Lawfulness, fairness, and transparency - the requirement for the legal, contractual, or other valid justification for the collection and use of such personal data and for its fair and transparent use.

• Purpose limitation - the fair and transparent identification, to the data subjects, of the valid purposes/reasons for the requirement for the collection and processing of their personal data - which should not be open-ended, but which shall be specific and unambiguous.

• Storage limitation - the fair and transparent identification of the justifiable retention periods for such personal data.

DATA COLLECTION AND HANDLING:

To fulfil its requirements to operate as businesses whilst fulfilling the above UK Data Protection Act needs - Cyber Due Diligence are required to collect, maintain, process, and retain personal data, records and other applicable information related to:

• Customers and their End-Users of our Products and Services.

• Suppliers and Subcontractors.

• Our own Employees i.e., Personal, Financial, Training & Competency.

• All relevant Business Transactions and Contract data.

• All Company Financial Data etc.

Cyber Due Diligence Ltd shall only collect and process personal data for which there is adequate lawful justification.

The Management Team shall maintain all such data securely within its own facilities (including its own computer networked systems etc.) and shall seek to always comply with the UK Data Protection

Act requirements: ensuring that we annually renew each of their individual Group Company Registrations with the Information Commissioner’s Office (ICO); which also serves to identify the type and quantity of personal data that is collected, processed, maintained, and retained. The company details that are listed below.

• Cyber Due Diligence Ltd - ICO Company Registration Number ZB881893 - renewable every March each year.

Our Computer Network Systems and Servers are protected and hosted by independently certified and approved hosts (i.e., they are approved by independent UKAS-Accredited Certification Bodies as meeting ISO 27001/27002 requirements); and appropriate firewalls, data encryption and other systems are put in place by the Management to ensure that no non-authorised personnel may gain access to any such records

Additional Emergency/Disaster Recovery and Business Continuity Procedures are also in place against the possibility of any future issues - despite the input of all applicable preventive measures being taken etc.

ACCESS TO AND PROCESSING OF ALL SUCH DATA:

Only applicably authorised, competent personnel have access to any such data for retention or processing purposes - in line with the relevantly issued Company Procedures and Process.

RETENTION AND DELETION OF ANY SUCH DATA:

The Management Team ensure that all such data, records and other applicable information is securely maintained/retained - in line with what is stated within our Company Procedure for the Control and Retention of Records.

Only applicable Company Directors (acting on the advice from the Group’s Data Protection Officer) can provide the authorisation for the controlled deletion of any such applicable data (held either as hard-copy or electronically held data).

CHANGES TO THIS PRIVACY POLICY:

Any future changes to the Privacy Policy and Procedures shall be reflected by the revision/update of this document.

It is, therefore, recommended that you visit this page on our websites, from time to time, to review and take account of any such changes.

INFORMATION SECURITY INCIDENTS / POTENTIAL DATA-BREACHES:

In the event of any notified or internally identified Security Information Incidents and/or potential Personal Data Breaches - the Data Protection Officer shall initially investigate their validity of all such potential incidents and provide the Management with applicable data confirming or refuting that any Data Breach has occurred (and the possible nature and severity of any such confirmed data breach) etc.

Once confirmed, any personal data breach shall be notified to the relevant Supervisory Authority (e.g., in the UK this will be the ICO); and actions shall be agreed to notify all individuals whose data has been compromised in line with UK Data Protection requirements.

Contact

Should any individual, whose personal data is collected and processed by either of the Cyber Due Diligence, need to make contact with us for any reason (but especially if they require to make a request for free access to the personal data that we have collected and continue to process related to them, or in the event of any request to correct, minimise or delete any such data etc.) - then they shall, in the first instance, make contact with the following identified Data Protection Officer, and relate their requirements to him:

Group Data Protection Officer’s Name:  Steve White

Contact Details

Steve.white@cybderduedil.com (or) by our Mailing Address: Cyber Due Diligence Limited, Vision House, 15 Biggin Gardens, Hopwood, OL102WF, UK

These terms shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from matters relating to the Website shall be exclusively subject to the jurisdiction of the courts of England and Wales.

CHANGES TO THIS PRIVACY POLICY

Any changes made to this Privacy Policy in the future will be posted on our company’s website www.alternatestates.com. It is recommended that you visit this from time to time to review any changes. This Privacy Policy was last updated on 17th February 2025.