Confidentiality and security
Our commitment
We protect client confidentiality and handle all information with care. Data is only used for agreed purposes, access is minimised, and information is deleted once it is no longer required. Diver maintains systems and processes that meet or exceed industry standards for security and data integrity.
Confidentiality and NDAs
We can work under your NDA or issue one of our own. We do not publish client or project names without explicit consent. Every team member signs a confidentiality agreement before any engagement begins.
Information we handle
Typical information includes project schedules, risks and issues, technical documentation, and contact details for relevant stakeholders. We collect only what is required to deliver the contracted work effectively.
Where your data lives, and vendor security information
Our primary workspaces are Notion and Microsoft 365. We may also use ChatGPT Business and several core Apple apps (Freeform, Notes, and Mail) on business devices.
Each provider offers enterprise-grade encryption and compliance with GDPR and ISO standards. You can review their security policies here:
We rely on these vendors for encryption in transit and at rest and configure our own systems with role-based access and restricted permissions.
Systems we use and how we use them
Notion
Used to manage project delivery, with databases built to restrict access by project and client. Sensitive items are held in restricted pages.
Microsoft 365, SharePoint, OneDrive, Teams
Used for secure file storage, email, and project communication. Data resides in SharePoint or OneDrive, both protected by Microsoft’s global security infrastructure.
ChatGPT Business
Used for drafting, analysis, and reporting. No confidential data is uploaded without explicit client consent. All prompts and data are stored under OpenAI’s business-tier privacy terms.
Apple devices, Freeform, Notes, Mail
Apple hardware and software are used on managed devices only. All local data is encrypted at disk level, and backups are performed through encrypted Time Machine or iCloud storage.
Access control
Access follows the principle of least privilege. Only authorised personnel working directly on your engagement can access related information. All accounts use multi-factor authentication, and permissions are reviewed regularly.
Storage, processing, and encryption
Client files are stored in cloud environments with role-based access. Data is encrypted both in transit and at rest, per provider policy. Portable devices used by our team are encrypted and remotely managed.
Device and account security
Company devices are secured with biometric access and up-to-date operating systems (macOS 26, iPadOS 26, and iOS 26). We forbid the use of personal devices for client work.
Data segregation
Each client has a dedicated project hub (in Notion) and folder structure (in SharePoint). We do not mix materials between clients.
Retention and deletion
Data in Microsoft 365 and Notion is retained only for as long as necessary to fulfil contractual requirements or as legally required. Once the retention period ends, files are securely deleted or anonymised.
Third parties and location of data
We use only secure, vetted cloud providers located in jurisdictions compliant with UK data protection law. Upon request, we can provide a list of current vendors and data storage locations.
Incident management
If a security incident affects client data, we will promptly notify your nominated contact, investigate, and share corrective actions transparently.
Business continuity and backups
Workspaces are backed up by our cloud providers (OneDrive, SharePoint, and Notion). We can agree project-specific backup rules if your risk profile requires it. Company devices are backed up to secure iCloud (macOS, iPadOS, and iOS) and encrypted Time Machine (macOS only).
Physical security
We operate in secure, access-controlled environments. When printing is unavoidable, documents are destroyed using shredding or certified services.
Intellectual property
Ownership of deliverables follows the contract. We do not reuse client materials, templates, or code outside the scope of engagement.
Shared responsibility
Data security works best when collaborative. We ask clients to assign a single contact for data coordination, to use secure transmission methods, and to notify us immediately if an account is compromised.
Insurance
We maintain professional indemnity and public liability insurance appropriate to our services. Proof of coverage is available upon request.
Contact us
For security or confidentiality questions, or to report a concern, email privacy@diverltd.com or contact your project lead.
