Information Security Policy

Effective Date: 16 - 10 - 2025
Last Updated: 16 - 10 - 2025

Preamble

42 Creative Hub™, located at HQ Rivercourt Penthouse Floor, Cornmarket Square, Limerick - Ireland, recognises the critical importance of information security. This Security Policy outlines the comprehensive measures implemented to protect our systems, data assets, and the personal data of our clients and users, in strict accordance with the General Data Protection Regulation (Regulation (EU) 2016/679), the Irish Data Protection Acts 1988-2018, and other pertinent legal and industry standards.

We are unwavering in our commitment to preserving the confidentiality, ensuring the integrity, and maintaining the availability of all data processed within our digital service provision and consulting operations.

1. Scope of Application

This policy applies without limitation to:

  • All individuals accessing or utilising 42 Creative Hub's digital services, including clients, employees, contractors, and business partners.

  • All categories of data processed through our digital tools, platforms, websites, and during the course of consulting engagements.

  • All systems, software applications, and underlying infrastructure employed in the delivery of our services.

2. Our Commitment to Data Security and Protective Measures

We implement a multi-layered approach, encompassing appropriate technical and organisational measures, to ensure a level of security commensurate with the identified risks associated with the processing of personal and business data. These measures include:

  • Access Control and Authentication: Implementation of robust access controls and multi-factor authentication protocols to restrict unauthorised access.

  • Data Encryption: Utilisation of industry-standard encryption algorithms to protect data both during transmission (in transit) and when stored (at rest).

  • Secure Infrastructure: Maintenance of secure server environments fortified with up-to-date firewall technologies and comprehensive antivirus protection.

  • Software Integrity: Adherence to a rigorous schedule of software updates and the timely application of security patches to mitigate known vulnerabilities.

  • User Access Management: Granular management of user access privileges based on defined roles, responsibilities, and the principle of least privilege.

  • Continuous Security Monitoring: Deployment of continuous monitoring systems to detect and analyse suspicious activities and potential security threats.

3. Data Handling and Confidentiality Protocols

We adhere to stringent data handling and confidentiality protocols, ensuring that:

  • Access to personal data is strictly limited to authorised personnel with a demonstrable need to know for legitimate business purposes.

  • All employees and contractors involved in the handling of client data are bound by legally enforceable confidentiality agreements.

  • Consultants receive comprehensive training on data protection principles and cybersecurity awareness best practices.

  • Data is stored within secure data centres located within the European Union/European Economic Area (EU/EEA) or, for international transfers, under legally recognised mechanisms ensuring GDPR adequacy (e.g., Standard Contractual Clauses).

4. Client-Specific Security Provisions for Consulting Services

For clients engaging our consulting services, we offer:

  • Customised Data Processing Agreements (DPAs) tailored to the specific nature of the engagement and applicable legal requirements.

  • Provision of bespoke security assessments and actionable recommendations as an integral part of our service offerings.

  • Expert guidance on cyber risk management frameworks, regulatory compliance obligations, and the implementation of secure data handling practices.

5. Incident Response and Personal Data Breach Notification Procedures

We maintain well-defined procedures for the effective detection, comprehensive response to, and timely recovery from security incidents, including personal data breaches:

  • Any identified or suspected personal data breach is subject to immediate investigation and containment measures.

  • We maintain a detailed incident log documenting all security incidents and conduct thorough root cause analysis to prevent recurrence.

  • In the event of a personal data breach, we will comply with the mandatory notification requirements outlined in Articles 33 and 34 of the GDPR, informing the Data Protection Commission (DPC) and affected individuals without undue delay, where legally obligated.

  • Notifications of personal data breaches will be made within 72 hours of our awareness of the breach, where applicable under GDPR.

6. Management of Third-Party Service Providers and Data Processors

Our engagement with third-party service providers (e.g., cloud storage providers, payment gateway operators) is subject to rigorous due diligence:

  • We conduct thorough vetting of prospective providers to assess their security practices and GDPR compliance status.

  • We ensure that legally sound Data Processing Agreements (DPAs) are established with all third-party processors.

  • The scope of data shared with third-party providers is strictly limited to that which is essential for the provision of the contracted service.

  • We unequivocally do not share any personal or business data with, or sell it to, unauthorised third parties for their independent purposes.

7. Data Retention Schedules and Secure Data Disposal

We adhere to defined data retention schedules, retaining personal data only for the period necessary to fulfil the specified purposes for which it was collected or as mandated by applicable legal obligations.

Upon expiry of the retention period:

  • Data is securely deleted or rendered anonymous through irreversible anonymisation techniques.

  • Data backups are purged in accordance with our established retention timelines.

  • We employ secure data disposal methods, including cryptographic erasure and physical destruction (where applicable), to ensure the non-recoverability of data.

8. User Responsibilities for Maintaining Security

Users of our services bear a responsibility for maintaining the security of their own accounts and data:

  • Account credentials, including usernames and passwords, must be kept strictly confidential.

  • Users are expected to utilise strong, unique passwords and to enable two-factor authentication where this security feature is offered.

  • Any suspicious activity or potential security concerns must be reported to us immediately.

  • Users are required to comply with our Acceptable Use Policy and Terms of Service, which outline acceptable and prohibited conduct.

9. Policy Compliance and Periodic Review

This Security Policy is subject to regular review and updates to ensure ongoing compliance with:

  • General Data Protection Regulation (Regulation (EU) 2016/679).

  • Data Protection Acts 1988-2018 (Ireland).

  • ePrivacy Directive (2002/58/EC) and any national implementing legislation.

  • Industry best practices and relevant standards for information security, such as the principles outlined in ISO/IEC 27001.

Any material updates to this policy will be communicated to users via our website or through direct email notification where appropriate.

10. Contact for Security-Related Matters

For any concerns regarding the security of your data, or to report a potential security vulnerability, please contact our dedicated security team at:

42 Creative Hub™

  • Email: legal@42creativehub.com

  • Registered Address: HQ Rivercourt Penthouse Floor, Cornmarket Square, Limerick V94 FVH4 - Ireland

By continuing to utilise our services, you acknowledge and signify your agreement to the terms and conditions articulated within this Security Policy.
