Data Security Policies

  1. Non-Disclosure Agreement (NDA)
    1. We will issue and countersign an NDA and Data Sharing agreement which covers all our employees and subcontractors and binds them to strict confidentiality and data protection standards.
  2. Data Storage and Access
    1. Data files should be stored in Microsoft SharePoint locations secured with 2-Factor Authentication (2FA) to ensure secure access.
    2. Access to data files on SharePoint sites is restricted to company devices protected by password and 2FA.
  3. Device Security
    1. All company devices should comply with CRM Champion’s (CRMC’s) device usage policy. (Firewalls should be enabled, as well as up-to-date anti-virus and intrusion detection system software, provided by Sentinel Software, and monitored by the endpoint security agent.)2.
    2. Company devices are subject to strict software policies, have encrypted hard drives, and run the most current version of the operating system and applications.
  4. Data Transfer
    1. Data should not be transferred physically unless it is required and approved by the client.
    2. Where data transfer is required (whether physically or digitally), it must be encrypted.
    3. Data files should not be attached to emails.
  5. Data Analytics and Development
    1. Anaconda (Jupyter Notebook) is the approved platform for writing and running Python code for data analytics. On rare occasions, ‘VS Code’ may be used as an alternative to Jupyter.
    2. If necessary, a VPN may be used for accessing the client’s data.
    3. If necessary, a remote-control program can be used to access the client’s device to provide access to relevant data and Jupyter Notebook.
    4. If the data is open source or accessible via a secure platform, CRMC Data Analysts may use CRMC company devices to gain access.
    5. If using a secure platform, CRMC Data Analysts should be provided with their own user account with 2FA.
    6. If collaboration with other developers is required, we will use the highly secure GitHub development platform. Please see for more information.
      1. Data will not be stored on GitHub or other repository management platforms.
  6. Data Sharing and Storage
    1. Any outputs at the non-technical level will be stored and shared via Microsoft 365 (M365) SharePoint.
    2. All data must be encrypted in transit and at rest.
    3. All physical devices that store data must be encrypted and remote wiping should be enabled in case of loss or theft.
  7. VPN and Authentication
    1. VPN should be set up where applicable to ensure security and integrity for accessing client data.
    2. All users must have a unique user account with 2FA for accessing client online platforms.
  8. Passwords
    1. Passwords and 2FA guidance must follow the stricter of client’s or CRMC’s password policy, unless specified explicitly by contract or data sharing agreement.
  9. Cyber Essentials
    1. As a certificated Cyber Essentials (cert id: ccb0db39-f996-4197-aeaf-3c3756efa1c4) company we have robust policies in place for data security.