TECHNICAL AND ORGANISATIONAL MEASURES

Exceptional Leadership Technology Ltd (“ELT”)

Version 1.0  |  Last updated: May 2026

This page sets out the technical and organisational measures implemented by Exceptional Leadership Technology Ltd to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons. These measures are grounded in and supported by the ELT Information Security Management System (ISMS), which is maintained in line with ISO 27001, SOC 2 Type 2, Cyber Essentials Plus and UK/EU GDPR requirements.

Measures of pseudonymisation and encryption of personal data

  • Encryption at rest applied to all confidential data, including client psychometric assessment data, in accordance with the Cryptography Policy (aligned to NIST SP 800-57 for key management) using current industry-standard algorithms and cipher configurations.

  • Encryption in transit (TLS) required for all confidential data transmitted over public networks.

  • Full-disk encryption required on all devices used for company business (enforced via MDM).

  • Backup data is encrypted.

  • Cryptographic keys and secrets stored in dedicated secrets management services; never in source code or unprotected files.

  • Where use of production data in development is approved as an exception, it must be anonymised or pseudonymised before use.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Information Security Policy framework comprising twelve sub-policies, maintained and reviewed at least annually.

  • Three-tier data classification scheme (Confidential, Restricted, Public) with handling requirements proportionate to sensitivity, defined in the Data Management Policy.

  • Production environments kept strictly separate from development and staging environments; production data is not used in development or test environments other than under the documented exception process, in which case it is anonymised or pseudonymised first.

  • Formal change management process: changes to production systems and infrastructure require documentation, testing, and approval before deployment.

  • Anti-malware protection deployed on all company-issued endpoints with automatic definition updates; threat detection active for company email.

  • Network access controls applied to production environments; configuration reviewed at least annually.

  • Systems and networks provisioned and maintained in accordance with documented configuration and hardening standards.

  • Processing and storage resource usage monitored to ensure system availability and performance.

  • Data Loss Prevention: sensitive psychometric and client data must not be transmitted, stored, or shared outside of approved systems.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Business Continuity and Disaster Recovery (BC/DR) Plan maintained, with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical services.

  • Incident Response Plan with defined severity classification (S1–S4), response procedures, documented root cause analysis, and post-incident review.

  • Automated backups enabled for all production databases and critical data stores (e.g., AWS RDS automated backups, S3 versioning where appropriate).

  • Backup restoration tested at least annually; test outcomes documented and findings addressed promptly.

  • Fully remote workforce with no single-location dependency; personnel can operate from any location with internet access, supporting operational continuity.

  • Disaster recovery test performed at least annually; results reviewed by the Managing Directors.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

  • Annual formal risk assessment conducted in accordance with the Risk Management Policy (based on NIST 800-30 and ISO 27005).

  • Annual network penetration testing; results inform risk register and remediation priorities.

  • Annual review of the production environment, including assessment of significant changes to system components or architecture.

  • Annual disaster recovery test, including backup restoration; results documented and reviewed by Managing Directors.

  • Incident Response Plan reviewed and formally tested at least annually; findings documented.

  • Annual user access rights review of all user, administrator, and service accounts.

  • Internal and external audit programme; compliance with the ISMS policy framework verified through ongoing monitoring and periodic external review.

  • Technical vulnerability management: vulnerabilities affecting systems in use are identified on an ongoing basis, assessed for risk, and remediated within timescales proportionate to their severity.

Measures for user identification and authorisation

  • Role-Based Access Control (RBAC): access granted on the principle of least privilege; permissions not expressly granted are prohibited by default.

  • Multi-Factor Authentication (MFA) required for all privileged access to production infrastructure.

  • Unique user identifiers required for all personnel; credentials must not be shared between individuals.

  • Password policy enforcing minimum length and complexity requirements for all user accounts.

  • User provisioning requires documented approval from data owner or authorised management; user IDs disabled or removed within 3 business days of departure.

  • Annual user access reviews conducted and documented; access also reviewed on role changes.

  • Segregation of duties enforced where practicable; compensating controls (logging, access reviews, management oversight) applied where full segregation is not possible.

  • All privileged logins and activity logged; use of privileged system utilities restricted to the minimum number of personnel required.

  • Vendor default credentials changed before deployment; unnecessary default accounts disabled.

Measures for the protection of data during transmission

  • Encryption in transit (TLS) required for all confidential data transmitted over public networks, in accordance with the Cryptography Policy (NIST SP 800-57).

  • VPN connection required when transmitting confidential information over public or untrusted Wi-Fi networks.

  • Transfer of confidential data to external parties only permitted under a legal contract or arrangement and with the explicit approval of the data owner or a company director.

Measures for the protection of data during storage

  • Encryption at rest applied to all confidential data, including client psychometric assessment data, in accordance with the Cryptography Policy.

  • Access controls: confidential systems do not permit unauthenticated or anonymous access; access restricted to specific individuals or roles.

  • Confidential data must not be stored on personal devices or removable media (e.g., USB drives); all data stored in approved cloud storage.

  • Backup data encrypted; access to backup systems restricted to authorised personnel.

  • Secure deletion on disposal: confidential and restricted data securely deleted or device physically destroyed before disposal; cloud platform deletions confirmed through provider's standard process.

Measures for ensuring physical security of locations at which personal data are processed

  • ELT does not operate its own physical infrastructure or data centres. All production systems, data storage, and processing are hosted with approved cloud service providers (primarily Amazon Web Services).

  • Physical and environmental security for hosted infrastructure (physical access controls, fire suppression, climate management, power redundancy) is provided by cloud providers holding recognised certifications (e.g., ISO 27001, SOC 2 Type 2); certification evidence retained in the vendor management record.

  • For remote working: full-disk encryption required on all devices; screens lock automatically after a maximum of 5 minutes of inactivity; devices must not be left unattended in public or shared spaces.

  • Clean desk and clear screen policy enforced; confidential materials must not be left visible or unattended.

  • Public or unsecured Wi-Fi must not be used without an approved VPN.

  • Printed materials kept to a minimum; where produced, stored securely and disposed of by cross-cut shredding or equivalent.

Measures for ensuring events logging

  • Production systems configured to log: user log-in and log-out events; create, read, update, and delete operations on application users and key data objects; changes to security settings (including modification or disabling of logging); administrative or owner-level access to client data.

  • Logs protected against tampering and unauthorised access; changes to logging configuration require authorisation.

  • All privileged logins and activity logged and subject to periodic review.

  • Any restoration of production data containing personal data logged in auditable records.

  • Clock synchronisation on all information processing systems to ensure log accuracy and consistency.

Measures for internal IT and IT security governance and management

  • Information Security Policy framework maintained, reviewed at least annually, and approved by the Managing Directors; aligned to the ISO 27001 and SOC 2 Type 2 frameworks.

  • Designated Information Security Manager (ISMS Manager) and Data Protection Officer responsible for overseeing the ISMS and GDPR compliance.

  • Risk Register and Risk Treatment Plan maintained in accordance with the Risk Management Policy (NIST 800-30, ISO 27005).

  • Formal Incident Response Plan with defined roles, severity classification, breach notification obligations (including the 72-hour notification requirement under UK GDPR Article 33), and post-incident root cause analysis.

  • Security awareness training for all personnel at point of joining and annually thereafter, covering data classification, access control, phishing, and incident reporting.

  • Pre-employment screening including identity verification, employment history or professional reference checks, and right to work verification.

  • Disciplinary process for violations of information security policies, up to and including termination.

  • Third-party providers subject to proportionate due diligence, contractual security requirements (including DPAs where required), and at least annual review.

Measures for ensuring data minimisation

  • Data Management Policy defines three-tier data classification; processing limited to data that is necessary and proportionate to the specified purpose.

  • Confidential customer data must not be used or stored in non-production (development or test) environments.

  • Personnel trained on appropriate handling of sensitive and confidential data; awareness of data minimisation obligations included in security training.

  • Data Loss Prevention controls considered and applied proportionate to the risk of unauthorised disclosure.

Measures for ensuring data quality

  • Personal data handling requirements defined in the Data Management Policy, including accuracy and currency obligations.

  • Data subjects may request correction of personal data; corrections actioned upon request or where inaccuracy is identified.

  • PII deleted or de-identified in response to a verified data subject deletion request where no legal basis for retention applies.

Measures for ensuring limited data retention

  • Data Management Policy defines retention schedules by data type, including: psychometric assessment data (duration of client relationship + 3 years); PII (deleted or de-identified when no longer needed for its original purpose); incident and security records (3 years); contracts (duration + 6 years).

  • Annual data review conducted by the Information Security Manager; data identified as no longer required disposed of in accordance with the policy.

  • Secure deletion: digital data deleted using secure erase tools; paper records disposed of by cross-cut shredding; cloud platform deletions confirmed through provider's standard process.

  • Legal holds applied where required to preserve relevant data notwithstanding standard retention schedules.

Measures for ensuring accountability

  • Information Security Policy framework, including all referenced policies, maintained and reviewed at least annually; approved by Managing Directors.

  • Privacy by design and by default applied in the development of the Exceptional Insights platform, in accordance with the Secure Development Policy.

  • Records of processing activities (ROPA) maintained in accordance with UK GDPR Article 30.

  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities, including the processing of psychometric assessment data as likely special category data (Article 9 UK GDPR).

  • Data Processing Agreements (DPAs/Article 28 contracts) in place with all third-party processors, including key processors Naviu Tech (software development) and Umbrella Cyber (managed IT infrastructure).

  • Third-party providers subject to security due diligence, contractual security and data protection requirements, and at least annual review.

  • Compliance with the ISMS policy framework verified through ongoing monitoring, annual internal audit, and periodic external review; non-conformities tracked and addressed.