Provision Design is a UK-based events and design company specialising in processing data on behalf of clients, typically brands engaging with members of the public at events. We facilitate both physical and virtual events, providing a seamless experience for attendees while ensuring that all personal data is handled securely and in compliance with data protection laws.

This Data Processing Policy outlines how Provision Design processes, stores, and protects personal data on behalf of its clients. It aims to inform clients and other stakeholders about our data practices, ensuring transparency and fostering trust.

Provision Design is committed to safeguarding personal data and upholding the highest standards of data privacy and security. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws and regulations in our role as a data processor.

This policy applies to:

• Clients: All brands and organisations that engage Provision Design for event management and data processing services. These clients act as data controllers.
• Employees and Contractors: All staff members, including temporary workers and contractors, who handle personal data on behalf of Provision Design's clients.

This policy covers data processing activities related to physical events, virtual events, pre-event processes, on-site data collection, post-event activities, marketing and promotions, competitions and giveaways, and website and app interactions, as instructed by our clients.

Provision Design primarily operates and processes data within the United Kingdom. For events conducted outside the UK, we ensure compliance with local data protection laws in addition to the UK GDPR requirements, as instructed by our clients.

Provision Design processes personal data through methods specified by our clients, which may include event registrations, surveys, interactive installations, competitions, website interactions, and direct communications.

Provision Design processes personal data solely on the documented instructions of its clients, who are responsible for establishing the lawful basis for processing. We assist our clients in fulfilling their obligations regarding lawful processing as required.

We process only the personal data that is necessary for the specified purposes outlined in the data processing agreement with each client. We are committed to the principle of data minimisation and will advise clients if we believe excessive data is being processed.

All personal data processed by Provision Design is stored using Firebase, a cloud-based platform provided by Google Cloud. Firebase offers a suite of services that enable secure data storage, real-time database functionality, and efficient data management, ensuring high availability and scalability for our applications.

Google Cloud, as the provider of Firebase, acts as a sub-processor, processing data on behalf of Provision Design, which in turn processes data on behalf of its clients (the data controllers). Firebase complies with the UK GDPR and the Data Protection Act 2018, and Google has implemented measures to ensure that personal data is processed securely and lawfully.

Firebase holds internationally recognised certifications, including:

• ISO/IEC 27001
• ISO/IEC 27017
• ISO/IEC 27018
• SOC 1, SOC 2, and SOC 3

These certifications demonstrate adherence to stringent information security standards. Provision Design has a Data Processing Agreement (DPA) in place with Google Cloud, detailing the responsibilities and obligations of both parties regarding data protection.

• Data in Transit: All data transmitted between Provision Design's applications and Firebase is encrypted using Transport Layer Security (TLS).
• Data at Rest: Data stored within Firebase is encrypted at rest using Advanced Encryption Standard (AES) with 256-bit keys.

• Authentication: Password-based authentication verifies the identity of users accessing our applications, ensuring that only authorised individuals can access certain data.
• Role-Based Access Control (RBAC): Access to data is restricted based on user roles and permissions, minimising the risk of unauthorised access.
• Multi-Factor Authentication (MFA): Provision Design enforces MFA for all administrative access, adding an extra layer of security.

The network infrastructure utilised by Provision Design includes:

• Firewalls and Virtual Private Clouds (VPCs): To isolate and protect our data from external threats.
• Intrusion Detection and Prevention Systems (IDPS): Continuous monitoring for suspicious activities and automatic responses to potential threats.

Google Cloud data centres, which Provision Design uses for data storage, are equipped with extensive physical security measures, including:

• 24/7 on-site security personnel
• Biometric access controls
• Closed-circuit television (CCTV) surveillance
• Alarm systems

Environmental controls are also in place to protect against fire, flood, power outages, and other potential hazards, ensuring the physical integrity and security of the facilities where data is stored.

Provision Design stores all data within data centres located in either the UK or the European Economic Area (EEA) to comply with data residency requirements. Any data which cannot be stored within these geographical areas will be subject to international data rules, as defined in section 9. Data may be replicated across multiple data centres within the EEA for redundancy and high availability.

Provision Design utilises automated backup solutions to ensure data integrity and availability. In the event of a system failure or disaster, Provision Design and Google Cloud have procedures in place to restore data promptly.

• Activity Logs: Detailed logs are maintained for all access and actions performed within Firebase, aiding in security audits and compliance.
• Real-Time Monitoring: Continuous monitoring of systems allows for the detection and swift response to security incidents.

Provision Design ensures logical separation of data to prevent one client's data from being accessed by another client. Custom security rules are implemented to control data access at the database level.

Google Cloud undergoes regular independent third-party security assessments to verify compliance with security standards. Regular security testing and prompt remediation of identified vulnerabilities are integral parts of Firebase's security protocol.

Provision Design has established a comprehensive incident response plan to address potential data breaches or security incidents. In the event of a data breach:

• Immediate action is taken to contain and mitigate the incident, minimising potential harm to individuals and organisations affected.
• A thorough evaluation of the scope and impact of the breach is conducted.
• We promptly notify the affected clients, who are then responsible for notifying the Information Commissioner's Office (ICO) and affected individuals if required by law.
• An investigation is carried out to identify the root cause of the breach, and measures are implemented to prevent recurrence.

We retain personal data only for the duration specified in the data processing agreement with each client, or as required by applicable laws.

At the end of the retention period or upon client instruction, we securely delete or return all personal data as per the client's choice.

We assist clients in fulfilling data subject requests for deletion, as outlined in our data processing agreements.

We operate within the legal frameworks established by the UK GDPR and the Data Protection Act 2018, fulfilling our obligations as a Data Processor.

We adhere to the core principles of the UK GDPR in our role as a Data Processor: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

We have designated a Data Protection Lead responsible for overseeing our compliance with data protection regulations.

As a data processor, we assist our clients in fulfilling their obligations to data subjects, including:

• Responding to access requests
• Facilitating the correction of inaccurate data
• Assisting with requests for erasure or restriction of processing
• Supporting data portability requests

We promptly inform clients of any data subject requests received directly and do not respond without the client's authorisation.

We may engage third-party service providers as sub-processors to assist in providing our services. We:

• Obtain authorisation from our clients before engaging any sub-processors
• Ensure sub-processors are bound by appropriate data protection agreements
• Remain fully liable to our clients for the performance of sub-processors' obligations

Provision Design conducts international transfers of personal data only when:

• Explicitly authorised by the client (data controller)
• Necessary for the performance of our services
• Compliant with UK GDPR and other applicable data protection laws
• Protected by appropriate safeguards

• UK International Data Transfer Agreement (IDTA)
• UK Addendum to the EU Standard Contractual Clauses (SCCs)
• Adequacy Decisions: Transfers to countries recognized by the UK government as providing adequate protection
• Binding Corporate Rules (BCRs), where applicable

When required, we implement supplementary measures including:

• End-to-end encryption for data in transit
• Access controls and authentication measures
• Data minimisation practices
• Contractual controls with recipients

Before initiating international transfers, Provision Design:

• Conducts a documented Transfer Impact Assessment
• Evaluates the recipient country's data protection laws
• Assesses the effectiveness of transfer mechanisms
• Reviews and documents any necessary supplementary measures

We provide clients with:

• Advance notice of intended international transfers
• Details of recipient countries and transfer mechanisms
• Summary of implemented safeguards
• Regular updates on any significant changes

We maintain records of:

• Transfer mechanism documentation (IDTAs, SCCs)
• Transfer Impact Assessments
• Client authorisations
• Sub-processor agreements for international transfers

We ensure ongoing compliance through:

• Regular review of transfer mechanisms
• Monitoring of changes in recipient country laws
• Assessment of safeguard effectiveness
• Updates to documentation as required

We provide regular training to all employees and contractors who handle personal data. All staff are bound by confidentiality agreements and are instructed to report any data protection concerns or incidents promptly.

We review this policy regularly and update it as necessary. Significant changes will be communicated to clients and other relevant parties.

To the maximum extent permitted by applicable law, Provision Design's total aggregate liability to the client arising out of or in connection with its data processing services, whether in contract, tort (including negligence), breach of statutory duty, misrepresentation, restitution or otherwise, shall not exceed the total amount paid by the client to Provision Design in the twelve (12) months preceding the incident giving rise to the liability

Subject to clause 12.3, in no event shall Provision Design be liable to the client, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any:

1. Loss of profits, revenue, sales, business, or business opportunities
2. Loss or corruption of data, systems, or information
3. Business interruption, loss of production, or operational time
4. Loss of anticipated savings or goodwill
5. Any indirect, special, consequential, incidental, or punitive damages
6. Any losses arising from events beyond Provision Design's reasonable control regardless of whether such damages or losses were foreseeable or whether Provision Design had been advised of the possibility of such damages.

Nothing in this policy shall limit or exclude Provision Design's liability for:

1. Death or personal injury caused by its negligence
2. Fraud or fraudulent misrepresentation
3. Any liability which cannot be limited or excluded under applicable law
4. Deliberate or willful misconduct

Any claim by the client must be made within twelve (12) months of the date on which the client becomes aware, or ought reasonably to have become aware, of the circumstances giving rise to the claim. Both parties shall take reasonable steps to mitigate any losses that may arise under or in connection with this policy.

Provision Design maintains appropriate professional indemnity insurance coverage as required by applicable law. Details of insurance coverage will be provided to clients upon reasonable written request.

The client acknowledges and agrees that these limitations of liability are reasonable in the context of the services provided and the fees charged by Provision Design, and reflect the allocation of risk between the parties.

We cooperate fully with our clients to address any concerns or complaints from data subjects regarding our data processing practices.

A. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person ('data subject').
• Data Controller: The entity that determines the purposes and means of the processing of personal data.
• Data Processor: An entity that processes personal data on behalf of the data controller.
• Data Subject: An identified or identifiable natural person to whom personal data relates.
• Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means.
• UK GDPR: The United Kingdom General Data Protection Regulation.
• Data Protection Act 2018: The UK's implementation of the GDPR, which also covers processing outside the scope of EU law.
• Sub-processor: A third party that processes personal data on behalf of a data processor.
• Data Protection Impact Assessment (DPIA): A process to help identify and minimise the data protection risks of a project.
• Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life and sexual orientation.

B. Legal References

1. UK General Data Protection Regulation (UK GDPR)
   • Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
   • Key provisions: Article 28 (Processor), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority)
2. Data Protection Act 2018
   • Chapter 12, Part 2: General processing
   • Chapter 12, Part 3: Law enforcement processing
   • Chapter 12, Part 4: Intelligence services processing
3. Privacy and Electronic Communications Regulations (PECR)
   • The Privacy and Electronic Communications (EC Directive) Regulations 2003
   • Relevant for electronic communications, including marketing communications
4. Network and Information Systems Regulations 2018
   • Implements the EU's Network and Information Systems (NIS) Directive
   • Relevant for digital service providers and operators of essential services
5. Information Commissioner's Office (ICO) Guidance
   • Guide to the UK GDPR
   • Data Sharing Code of Practice
   • Direct Marketing Code of Practice

C. Data Flow Description

1. Data Collection
   • Event participants provide personal data through online registration forms, on-site check-ins, or interactive installations.
   • Data is collected as per client instructions and in line with the specified lawful basis.
2. Data Transmission
   • Collected data is securely transmitted to Provision Design's systems using encrypted connections (TLS).
3. Data Storage
   • Personal data is stored in Firebase, hosted on Google Cloud infrastructure.
   • Data is encrypted at rest and logically segregated by client.
4. Data Processing
   • Data is processed according to client instructions for purposes such as event management, analytics, or marketing.
   • Access to data is restricted based on password-based, role-based and/or MFA access controls.
5. Data Sharing
   • Processed data may be shared back with the client or with authorised third parties as per client instructions.
   • Any data sharing is conducted securely and in compliance with data protection regulations.
6. Data Retention
   • Data is retained for the period specified in the client agreement or as required by law.
   • Regular reviews ensure data is not kept longer than necessary.
7. Data Deletion
   • At the end of the retention period or upon client request, data is securely deleted from active systems and backups.
8. Data Subject Requests
   • Requests from data subjects are promptly communicated to clients.
   • Provision Design assists clients in fulfilling these requests as per the data processing agreement.

This data flow ensures that personal data is handled securely and in compliance with data protection regulations throughout its lifecycle within Provision Design's systems.