Our data protection practices
We protect personal data at every stage: when you submit it, while we process it, when we store it, and when we share or delete it. Our practices follow Jamaica's Data Protection Act (2020) and align with international standards such as the General Data Protection Regulation (GDPR), SOC 2 and ISO 27001.
Technical safeguards
End-to-end encryption
TLS 1.3 protects data in transit. AES-256-GCM encrypts stored files, database records, and backups with AWS KMS-managed keys.
Staff vetting and training
All agents pass enhanced background checks. We run a year-round privacy and security training programme, with assessments at least quarterly.
Audits and compliance
We conduct SOC 2 gap analyses, penetration tests, and regular privacy risk assessments and data privacy impact assessments to ensure controls stay compliant.
Operational controls
Beyond technical controls, we embed privacy and security into our operations, supplier relationships, and product development.
Data privacy impact assessments (DPIAs)
Before launching features or connecting new suppliers, we run detailed DPIAs to map data flows, assess risks, and document mitigations.
Data minimisation and retention schedules
We collect only what Jamaica's Data Protection Act (2020) and client contracts require. Retention clocks trigger automatic deletion after 7 years (or client-specified timelines).
Supplier and subprocessor due diligence
Every third party that processes personal data undergoes security and privacy assessments, contract reviews, and ongoing performance monitoring.
Access and accountability
Only authorised personnel with a proven business need can access personal data. Every access request is logged with user ID, timestamp, IP address, and purpose. Monthly access reviews remove dormant accounts and expired approvals. If a customer wants to know who accessed their data, they can contact our Data Protection Officer and we will provide details.
