Data Protection

Comprehensive data protection measures and compliance framework safeguarding your construction project information.

Last updated: February 2025

1. Our Data Protection Commitment

At Baselinq (Pty) Ltd, data protection is fundamental to our construction intelligence platform. We recognise the sensitive nature of construction project information and implement comprehensive measures to ensure the security, integrity, and confidentiality of all data entrusted to us.

Our data protection framework is designed to exceed the requirements of UK GDPR and South African POPIA, providing robust safeguards for clients across all jurisdictions where we operate.

Core Principles

  • Privacy by design and by default
  • Principle of data minimisation
  • Transparency in data processing
  • Accountability and demonstrable compliance

2. Legal Framework and Compliance

UK GDPR Compliance

We fully comply with the UK General Data Protection Regulation, implementing:

  • Lawful basis for all data processing activities
  • Data subject rights and request handling procedures
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Personal data breach notification to the supervisory authority (the ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to individuals
  • Data Protection Officer oversight and governance

South African POPIA Compliance

As a South African registered company, we adhere to the Protection of Personal Information Act:

  • Information Officer appointed and responsible for compliance
  • Processing aligned with the eight conditions for lawful processing
  • Cross-border transfer safeguards implemented
  • Direct marketing consent and opt-out mechanisms
  • Regular compliance audits and assessments

Construction Industry Standards

Our data protection measures align with construction industry requirements including confidentiality obligations under JBCC, NEC, FIDIC, and GCC contract standards.

3. Technical Security Measures

Encryption Standards

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive communications
  • Encrypted backups and disaster recovery systems

Access Controls

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Principle of least privilege enforcement
  • Regular access reviews and deprovisioning

Infrastructure Security

  • ISO 27001 certified data centres
  • Network segregation and firewalls
  • Intrusion detection and prevention systems
  • 24/7 security monitoring and incident response

Application Security

  • Secure software development lifecycle (SSDLC)
  • Regular penetration testing and vulnerability assessments
  • Code review and security scanning
  • Web application firewalls and DDoS protection

4. Organisational Security Measures

Staff Training and Awareness

  • Mandatory data protection training for all employees
  • Regular security awareness updates and phishing simulations
  • Specialised training for roles with data access
  • Annual compliance certification requirements

Policies and Procedures

  • Comprehensive information security policy framework
  • Data handling and classification procedures
  • Incident response and business continuity plans
  • Regular policy reviews and updates

Vendor Management

  • Due diligence assessments for all third-party vendors
  • Data processing agreements with robust security requirements
  • Regular vendor security reviews and audits
  • Incident notification and response coordination

5. Data Processing Activities

Construction Project Data

Purpose: Platform functionality, RFI management, document control, claims prevention

Legal basis: Contract performance, legitimate interests

Retention: Duration of contract plus 7 years for legal requirements

User Account Information

Purpose: Account management, authentication, service delivery

Legal basis: Contract performance, legitimate interests

Retention: Duration of account plus 2 years for support purposes

Analytics and Usage Data

Purpose: Platform improvement, performance optimisation, feature development

Legal basis: Legitimate interests, consent for non-essential analytics

Retention: 24 months, anonymised after 12 months

6. International Data Transfers

Our global operations may require international data transfers, which are protected through:

Transfer Safeguards

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where available
  • Binding Corporate Rules (BCRs) where applicable
  • Supplementary technical and organisational measures

Risk Assessment

  • Transfer impact assessments (TIAs)
  • Destination country law analysis
  • Ongoing monitoring of transfer conditions
  • Emergency suspension mechanisms

7. Data Subject Rights Management

Rights Request Process

  1. Submit request via info@baselinq.com, including proof of identity
  2. Acknowledgement within 2 business days
  3. Verification of identity and validation of the request
  4. Processing and coordination with relevant teams
  5. Response within 30 days (extended to 60 days for complex requests, with the reason for the extension explained to the requester)

Supported Rights

  • Right of access (subject access request, SAR)
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Response Standards

  • Free of charge (unless manifestly unfounded or excessive)
  • Electronically where possible
  • Clear, plain language responses
  • Escalation procedures for disputes

8. Incident Response and Breach Management

Incident Response Timeline

  • 0-1 hours from detection: Triage, containment, and initial assessment
  • 1-24 hours: Investigation, impact assessment, and evidence preservation and collection
  • 24-72 hours: Regulatory notification where required (the ICO within 72 hours of becoming aware under UK GDPR; the Information Regulator as soon as reasonably possible under POPIA)
  • Ongoing: Notification of affected individuals where the breach is likely to result in a high risk to them, followed by remediation

Breach Response Measures

  • 24/7 incident response team availability
  • Automated threat detection and alerting systems
  • Forensic investigation capabilities
  • Communication plans for stakeholder notification
  • Post-incident reviews and improvement implementation

9. Audit and Compliance Monitoring

Internal Audits

  • Quarterly compliance assessments
  • Annual comprehensive audits
  • Continuous monitoring systems
  • Gap analysis and remediation planning

External Validation

  • Third-party security assessments
  • Compliance certifications (ISO 27001, SOC 2)
  • Regulatory examinations
  • Customer security reviews

10. Contact Our Data Protection Team

For data protection enquiries, rights requests, or concerns, contact our dedicated team:

Data Protection Officer (UK/EU)

Email: info@baselinq.com
Subject: DPO - Data Protection Enquiry
Response time: 48 hours

Information Officer (South Africa)

Email: info@baselinq.com
Subject: IO - POPIA Enquiry
Response time: 48 hours

Data Protection Excellence

Your data security is our priority. Contact our data protection specialists for any questions or concerns.