Data Security Policy

Last updated: 2025-05-07
Version: 1.0
Applies to: All employees, contractors, and service providers of Research Signals Ltd.


This Data Security Policy outlines the procedures and technical safeguards that Research Signals Ltd. (Signals) implements to protect the confidentiality, integrity, and availability of personal data and other sensitive information. The purpose of this policy is to:

  • Prevent unauthorized access, use, disclosure, or destruction of data.
  • Comply with data protection regulations including the UK GDPR, DPA 2018, and other applicable laws.
  • Ensure trust and data protection for users of our platform.

This policy applies to:

  • All personal data handled by Research Signals Ltd.
  • All systems and infrastructure used to store, transmit, or process data.
  • All employees, contractors, and third-party service providers.

  • Data Protection Officer (DPO): Oversees compliance with data protection regulations and manages data subject requests. This role is currently held by Nicko Goncharoff.
  • CTO/Engineering Lead: Responsible for secure system architecture and implementation of technical controls. This role is currently held by Florin Asăvoaie.
  • All Staff: Must comply with this policy and report any suspected data breaches or risks.

All data processed by Signals is classified into the following categories:

  Classification     | Examples                                              | Protection Level
  -------------------|-------------------------------------------------------|-----------------
  Personal Data      | Name, email address, manuscripts                      | High
  Confidential Data  | Internal documentation, system architecture           | Medium
  Public Data        | Openly available article metadata (e.g., OpenAlex)    | Low

  • Principle of Least Privilege: Access to systems and data is granted only to those who require it for their role.
  • Authentication: All systems require strong authentication (minimum: password + 2FA for administrative access).
  • Access Logs: All access to sensitive systems is logged and reviewed periodically.
  • Offboarding: Access is revoked immediately upon termination of employment or contract.

  • Encryption in Transit: All data transmitted between client and server is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: All personal and manuscript data is stored in encrypted formats (AES-256 or equivalent).
  • Backups: Encrypted backups are taken regularly and stored in a geographically separate, secure environment.
  • Server Locations: All servers are located in either the United Kingdom or Ireland and are managed by compliant cloud service providers, namely AWS and Google Workspace.

  • Code Review: All code is peer-reviewed before deployment and tested for vulnerabilities.
  • Dependency Scanning: Automated tools scan for known security vulnerabilities in dependencies.
  • Environment Separation: Production, staging, and development environments are logically separated.

  • Company-managed devices must:
    • Have full disk encryption enabled.
    • Require strong passwords and screen lockouts.
  • Personal devices may only be used for work with prior approval and proper security controls.

  • Data is retained only for as long as necessary for operational or legal purposes.
  • Upon request or expiration, data is securely deleted using irreversible deletion methods.
  • Decommissioned hardware is wiped using secure erasure tools before disposal.

  • Reporting: All suspected data breaches must be reported to the DPO within 24 hours.
  • Investigation: A formal incident response procedure is triggered to assess and contain the breach.
  • Notification: If a personal data breach occurs, affected users and the ICO will be notified within 72 hours, where required by law.
  • Post-Incident Review: A retrospective is conducted to identify root causes and prevent recurrence.

  • Vendors are evaluated for security practices, including certifications (e.g., ISO 27001, SOC 2).
  • Regular reviews are conducted to assess ongoing risk exposure.

  • All staff receive onboarding training on data protection and information security.
  • Annual refresher training is mandatory.
  • Phishing simulations or awareness exercises may be conducted periodically.

  • Regular internal audits are conducted to ensure compliance with this policy.
  • System logs, access records, and security events are monitored and retained.
  • Non-compliance with this policy may result in disciplinary action or termination.

This policy will be reviewed annually or whenever significant changes occur to the infrastructure, regulations, or business model. Updates will be communicated to all stakeholders.


For any questions regarding this policy or to report a concern:

📧 Email: security@research-signals.com
📍 Address: 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF