Contact [email protected]
1) Our role and approach to personal data
August Recognition Ltd processes personal data to deliver professional services (e.g. communications, scheduling, drafting materials, and project delivery).
Depending on the context:
- For client service delivery, the client is typically the Data Controller, and August acts as a Data Processor (processing on documented instructions).
- For August’s own business administration (contracts, invoicing, compliance, relationship management), August may act as an independent Data Controller.
We do not expect to process special category data. Clients should not send special category data unless agreed in writing with appropriate safeguards.
2) Where client data is stored (data locations)
August does not operate its own physical servers for client delivery. We use reputable SaaS providers for collaboration, meetings, and communications, including (as applicable):
- Google Workspace**
- Microsoft Teams
- Slack
- Zoom
- Fathom* (meeting notes)
- ActiveCampaign (email communications)
Data is stored and processed within these providers’ systems. Data location varies by provider and may depend on:
- data residency settings available and enabled,
- global infrastructure and support operations, and
- provider sub-processors.
Where data residency controls exist, August will use UK/EU hosting and processing options where reasonably available and appropriate.
*We use Fathom to facilitate meeting recordings. All data processed through this service is protected using encryption both in transit and at rest, in line with industry-standard security practices. Recordings can be deleted on demand.
**We store all recordings in Google Workspace where all data is protected with encryption at rest and in transit by default. Google Workspace uses Advanced Encryption Standard (AES) 256-bit or 128-bit keys for data at rest and Transport Layer Security (TLS) for data in transit.
We use Fathom (paid plan) integrated with Google Workspace to manage meeting recordings. Both platforms provide robust audit and security controls:
- Audit logging: Google Workspace maintains detailed audit logs (via Admin Console and Vault), capturing user activity such as access, sharing, and deletion of files.
- Fathom logs recording access and usage within its platform.
Access controls
Recordings are stored within controlled Google Drive environments with role-based access permissions.
Access is restricted to authorised users only, enforced through Google Workspace identity and access management (including MFA and SSO where applicable).
Protection against unauthorised change: Audit logs within Google Workspace are tamper-resistant and restricted to administrative roles.
Administrative access is limited and monitored.
Retention and deletion controls:
Data retention policies are managed through Google Workspace Vault, ensuring recordings can be retained, audited, or deleted in line with organisational policy.
Deletion actions are logged and, where required, recoverable within defined retention periods.
Regarding platform governance:
- Contractual and security assurances: Both Google Workspace and Fathom are engaged under formal agreements that include data processing terms, confidentiality obligations, and security commitments aligned with industry standards (e.g. GDPR compliance).
- No unauthorised onward sharing: Recordings are not shared externally or reused without explicit approval.
- Any sharing is governed by internal policies and controlled through Google Drive permissions and link restrictions.
Together, these measures ensure that recording activity is fully auditable, securely managed, and protected against unauthorised access or alteration, while maintaining strict control over how recordings are used and shared.
3) International transfers (restricted transfers) and safeguards
Some processing may occur outside the UK/EU (including the USA), depending on provider infrastructure and configuration.
Where international transfers occur, August ensures appropriate safeguards, which may include:
- UK IDTA and/or UK Addendum to EU SCCs, and
- documented Transfer Risk Assessments, and
- suitable technical and organisational measures, such as:
- encryption in transit and at rest (provider-supported),
- least privilege access controls,
- MFA for staff,
- auditing and logging in admin tools (where available).
4) Sub-processors: what we use and why
We use vetted sub-processors to provide secure and efficient delivery.
Typical purposes include:
- email and file storage,
- meetings and conferencing,
- team collaboration and messaging,
- meeting notes and action tracking (where enabled),
- email communications (where used).
We ensure sub-processors are bound by appropriate data protection terms, and we remain responsible for their processing in relation to the Services.
5) Retention (how long we keep client data)
We retain client data:
- for the duration of the engagement, and
- for up to 12 months after contract end (or last activity), then delete or anonymise it.
We may retain limited records longer where required by law (e.g., accounting). Access is restricted and retention is minimised.
Backups: Data removed from active systems may remain in provider backups until overwritten per the provider’s backup lifecycle.
6) Data subject rights support
Where August acts as a Processor, we will:
- notify the client promptly if we receive a request directly,
- not respond unless authorised by the client, and
- provide reasonable assistance to help the client meet statutory timeframes.
7) End of contract: return or deletion
At the end of the contract, we will:
- provide a return copy of client data on request (commonly used format), and
- delete client data as per item 5, or on request from active systems within 60 days, subject to legal retention and backup lifecycle constraints.
8) Security controls (summary)
We maintain appropriate technical and organisational measures, including:
- MFA for staff accounts (where available),
- access control and least privilege,
- encryption in transit and at rest (provider-supported),
- secure configuration of collaboration tools (sharing controls),
- joiner/mover/leaver access management,
- incident response procedures.
Award submissions and third-party platforms
Where the Services include submitting award entries, the Client acknowledges that award organisers and their platforms are independent third parties. Once an entry (including any personal data contained in it) is submitted to an award organiser, the organiser will process that data under its own privacy notice and terms as an independent data controller. August Recognition Ltd is not responsible for the organiser’s handling, storage, security, retention, disclosure, or onward transfer of the data after submission.