At Outbooks, safeguarding client information is a fundamental responsibility. We work with sensitive financial data, bookkeeping records and personal data and apply structured technical and organisational controls to protect it from unauthorised access, loss, misuse, alteration or disclosure.

Security is not an add-on. It is embedded into every process, system and infrastructure layer we operate. This document outlines how information is secured across our systems, infrastructure and teams.

This page focuses specifically on security controls and governance. Information about personal data collection and lawful processing is detailed separately in our Privacy Policy.

Data protection compliance in the United Kingdom operates under the supervision of the Information Commissioner’s Office.

1. Our Information Security Governance Framework

Outbooks maintains a structured Information Security Programme designed to reduce risk and maintain operational integrity across all client engagements.

Our governance framework includes:

  • Documented security and confidentiality policies
  • Defined roles and responsibilities for information security
  • Management oversight and accountability
  • Risk-based security assessments
  • Periodic internal review of security controls
  • Formalised disciplinary procedures for security violations

Security practices are reviewed to reflect regulatory updates, operational changes and emerging cyber threats.

Security Standards Alignment

Our information security controls are aligned with recognised frameworks and best practices, including:

  • UK GDPR Article 32 - technical and organisational measures to ensure appropriate security
  • NCSC (National Cyber Security Centre) guidance for SMEs and cloud-based operations
  • ICO Accountability Framework requirements

We continuously assess our practices against evolving standards to maintain a robust and auditable security posture. Outbooks is currently working towards Cyber Essentials certification.

2. Regulatory Compliance

As a GDPR-compliant accounting outsourcing provider, our security practices are designed to meet the standards expected by UK accounting firms and their clients. Our security framework aligns with applicable UK legislation, including:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • Data (Use and Access) Act 2025
  • Data Protection (Charges and Information) Regulations 2018

Security measures are implemented in accordance with Article 32 of UK GDPR, requiring appropriate technical and organisational safeguards to ensure confidentiality, integrity, availability and resilience.

Our Role Under UK GDPR

When processing personal data on behalf of UK accounting firms, Outbooks acts as a Data Processor. Your firm, as the Data Controller, retains responsibility for determining the purposes and means of processing. We act strictly on your documented instructions and process personal data only for the agreed, clearly defined purposes set out in our contract with you.

Our obligations as a Data Processor include:

  • Maintaining records of the processing activities we carry out on behalf of each Data Controller, as required under Article 30 of UK GDPR
  • Implementing appropriate technical and organisational measures under Article 32
  • Supporting Data Controllers in responding to data subject rights requests
  • Notifying Data Controllers without undue delay in the event of a personal data breach

We operate under binding Data Processing Agreements with all clients, setting out these obligations in accordance with Article 28 of UK GDPR.

Data Subject Rights

Individuals whose data we process retain rights under UK GDPR, including the right to access, rectify, erase, and object to the use of their personal data. These rights are exercised through the Data Controller (your firm). Full details of how personal data is handled are set out in our Privacy Policy.

ICO Registration

Outbooks is registered with the Information Commissioner’s Office (ICO) as required under the Data Protection (Charges and Information) Regulations 2018. The ICO is the UK’s independent authority for data protection. More information is available at ico.org.uk.

3. Data Classification and Handling

All data processed by Outbooks is classified according to its sensitivity and handled with controls appropriate to its classification tier:

  • Public: Information approved for general access, such as marketing content and published service information
  • Internal: Operational information for internal use only, including internal communications and process documentation
  • Confidential: Business-sensitive information including client correspondence, onboarding records and staff data, accessible only to authorised personnel
  • Highly Confidential: Client financial data including payroll records, tax information, accounting records and transaction data, governed by the strictest access, handling and transmission controls

Data is handled in accordance with its classification at every stage of collection, processing, storage, transfer and disposal.

4. Technical and System Security Controls

Data is processed and stored using secure cloud-based infrastructure supported by layered defence mechanisms:

  • Encrypted data storage and encrypted transmission protocols
  • Secure cloud hosting environments
  • Firewalls and network segmentation controls
  • Endpoint protection and anti-malware systems
  • Secure remote access mechanisms
  • Multi-factor authentication for privileged and remote access
  • Role-based system permissions
  • Automated account lockout after defined failed authentication attempts
  • Centralised activity logging and monitoring
  • Regular software updates and security patch management
  • Periodic vulnerability assessments
  • Technical controls restricting unauthorised external storage device usage

Default system passwords are changed before deployment and password sharing is strictly prohibited.

Client Data Segregation

Each client’s data is logically isolated within our systems. Strict access controls ensure that no client’s financial records, correspondence, or personal data is accessible to personnel working on unrelated engagements. Cross-client data exposure is prevented at both the system and process level, providing each firm with confidence that their information remains entirely separate from that of other clients.

5. Access Management and Identity Controls

Access to systems and data is restricted to authorised personnel only. Our access governance framework includes:

  • Role-based access aligned strictly with operational duties
  • Need-to-know access principles
  • Quarterly review of access to restricted or highly sensitive data
  • Annual review of general system access
  • Immediate revocation of access upon role change or termination
  • Unique user identifiers for all employees
  • Administrative approval required for account creation or modification

Credentials are treated as highly restricted information and may not be shared or reused.

6. Secure Email and Communications Controls

Electronic communication is managed to reduce the risk of data leakage. Controls include:

  • Encrypted transmission of sensitive data
  • Verification of recipient details before sending emails
  • Restrictions on attachment size for operational security
  • Protection against phishing, malware and malicious attachments
  • Blocking or restricting access to high-risk external storage platforms
  • Monitoring and filtering of email traffic

These measures support compliance with UK GDPR and PECR obligations.

7. Remote Working Security Controls

Where staff operate remotely, the same security standards that apply on-site are enforced without exception:

  • Mandatory use of secure VPN connections for all remote system access, consistent with our on-site VPN and DLP infrastructure
  • Printing of client data is strictly prohibited in remote settings, in line with our organisation-wide printer restriction policy
  • Remote sessions are subject to monitoring in line with our staff activity monitoring practices
  • Access to client systems and financial data remotely is permitted only through company-authorised devices and approved platforms

8. Device, Asset and Physical Security

Client data is accessed only through company-controlled systems. We maintain:

  • Centrally managed laptops and workstations
  • Prohibition on storing client data on personal devices
  • Technical controls restricting removable media
  • Secure configuration standards for deployed equipment
  • IT asset inventory registers with assigned ownership
  • Secure disposal procedures for obsolete hardware

Physical safeguards include:

  • Controlled access to office premises
  • CCTV monitoring
  • Visitor logging procedures
  • Restricted access to sensitive operational areas
  • Clean desk and clean screen practices

9. Employee Confidentiality and Security Training

Protecting client data is a shared responsibility across our entire team:

  • All employees sign mandatory confidentiality agreements prior to commencing work, covering the handling of client financial data and all sensitive information
  • Regular security awareness training provided to all staff on data handling, secure communication and system use
  • Clear internal guidelines for secure communication and acceptable system use
  • Defined disciplinary procedures for non-compliance with security and confidentiality obligations

Security responsibilities are reinforced at every level of the organisation, from frontline staff to senior management.

10. Data Retention, Deletion and Minimisation

Our approach to data retention is governed by UK legal obligations and data minimisation principles:

  • Data is retained only for as long as necessary to fulfil contractual obligations or comply with applicable UK legal and regulatory requirements
  • Financial and accounting records are retained in line with HMRC requirements, generally a minimum of 6 years
  • Data minimisation principles are applied throughout: only the data necessary for the delivery of agreed services is collected and processed
  • Secure deletion procedures are applied when data reaches the end of its retention period, ensuring it cannot be recovered or reconstructed
  • Retention schedules are reviewed periodically and aligned with changes in UK legislation or regulatory guidance

11. Data Storage, Backups and Business Continuity

Client data is stored on secure cloud platforms with restricted access. To ensure availability and resilience, we maintain:

  • Encrypted back-up systems
  • Defined recovery procedures for operational systems
  • Documented business continuity planning for critical services
  • Annual testing of disaster recovery procedures

Continuity measures are reviewed and updated to support operational resilience.

12. Third-Party and Sub-Processor Governance

Where third-party providers support service delivery, structured oversight controls are applied. We maintain:

  • Data processing agreements in line with UK GDPR
  • Contractual confidentiality obligations
  • Data usage restricted strictly to approved purposes
  • Due diligence assessments prior to onboarding providers
  • Periodic review of third-party security practices
  • Escalation procedures for third-party security incidents

Third-party arrangements are governed by accountability requirements under UK GDPR.

13. Incident Response and Regulatory Notification

Outbooks maintains a documented incident response framework to manage security events effectively. Incident management follows defined stages:

  • Preparation and staff readiness
  • Identification and prioritisation
  • Containment and isolation
  • Eradication and root cause analysis
  • Recovery and restoration
  • Post-incident review and lessons learned

Where Outbooks acts as Data Processor, the affected Data Controller is notified without undue delay so that it can meet its own reporting obligations. Where Outbooks is itself the Data Controller and a breach is notifiable, it is reported to the Information Commissioner's Office within 72 hours of our becoming aware of it, as required by Article 33 of UK GDPR.

All incidents are formally recorded and reviewed to strengthen future controls.

14. Acceptable Use and Prohibited Activities

To protect systems and client data, the following activities are strictly prohibited:

  • Installing unauthorised software
  • Circumventing applied security controls
  • Transferring data through unsecured networks
  • Introducing malicious software into company systems
  • Using systems for unlawful activity

All users must follow defined record retention, data handling and security procedures.

15. Relationship to Privacy and Data Protection Rights

This page explains how data is protected at Outbooks.

Information regarding categories of personal data collected, lawful bases for processing, data subject rights under UK GDPR and privacy-related matters is detailed separately in our Privacy Policy.

16. Policy Review and Continuous Improvement

Cyber threats and regulatory requirements evolve constantly. Outbooks treats information security as an ongoing operational commitment, not a one-time exercise.

Security measures are reviewed periodically to reflect:

  • Legislative changes in UK data protection law
  • Regulatory guidance issued by the Information Commissioner’s Office
  • Technological developments and new security capabilities
  • Emerging cyber risks and threat intelligence
  • Internal and external audit findings

Improvements are implemented to maintain high standards of confidentiality, integrity, resilience and compliance.

Contact Us - Security & Data Protection Enquiries

For questions about data security, GDPR compliance or to report a suspected security concern, please get in touch using the details below.

Email: info@outbooks.co.uk

Phone: +44 330 057 8597

Registered Office:

Suite 18, Winsor & Newton Building, Whitefriars Avenue, Harrow, HA3 5RN, London