Privacy policies

Introduction

This Cookie Policy explains how Bros&Co ("we," "us," or "our") uses cookies and similar technologies to collect, process, and handle data about visitors to our website ("you" or "your"). It also outlines your rights regarding the use of cookies. By continuing to use our website, you consent to the use of cookies as described in this policy.

What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, or mobile) when you visit a website. They are widely used to make websites work efficiently and to provide information to website owners. Cookies allow us to improve your browsing experience and understand how our site is being used.

Data We Collect Using Cookies

User Data

  • User Demographics: Age, gender, and interests (if enabled via analytics settings).
  • Geolocation: Country, region, city, and in some cases, more specific locations.
  • Device Information: Device type (e.g., desktop, mobile, tablet), operating system, and browser used.
  • User Type: Identification of users as new or returning visitors.

Traffic Source Data

  • Acquisition Channels: How users arrive at our site, including direct traffic, organic search, paid search, referral links, social media, and email campaigns.
  • Source/Medium: Details of the source (e.g., Google, Facebook) and the medium (e.g., organic, paid, referral).
  • Campaign Data: Tracking data for marketing campaigns using UTM parameters (source, medium, campaign name).
  • Referral Sources: Websites or sources that direct traffic to our website.
  • Search Queries: Organic search terms, if integrated with Google Search Console.

Session Data

  • Sessions: Total number of user sessions.
  • Session Duration: Time spent on the website per session.
  • Pages Per Session: The average number of pages viewed during a session.
  • Bounce Rate: Percentage of sessions where users view only one page before exiting.
  • Engaged Sessions: Sessions lasting longer than 10 seconds, involving a conversion event or multiple page views.

Behavioural Data

  • Pageviews: Total number of pages viewed.
  • Unique Pageviews: Number of sessions where specific pages were viewed.
  • Top Pages: Pages with the highest number of visits.
  • Exit Pages: Pages where users most commonly leave the site.
  • Events: Tracked interactions, such as video plays, clicks, downloads, or form submissions.
  • Scroll Depth: Percentage of page scrolled by users (if enabled).
  • Site Search: Internal search terms entered by users on the website.

Conversion Data

  • Goal Completions: Total number of goal conversions (e.g., form submissions, sign-ups).
  • Funnel Visualisation: Path users take through predefined steps to complete a goal.

Engagement and Interaction Data

  • User Engagement: Metrics such as average session duration and engagement rate.
  • Event Tracking: Custom interactions like video plays, outbound clicks, and form submissions.
  • Scroll Depth: How far users scroll down a page.
  • Video Interactions: Play, pause, and completion events for embedded videos.

Site Speed Data

  • Page Load Time: Time taken for pages to load.
  • Server Response Time: Time taken by the server to respond to a request.
  • Page Timings: Average load times for different pages.

Technical Data

  • Device Category: Desktop, tablet, or mobile device.
  • Browser and Operating System: Types of browsers (e.g., Chrome, Firefox) and operating systems (e.g., Windows, macOS).
  • Network: Information about network providers or ISPs.
  • Screen Resolution: Users’ screen resolution to optimise design.

Real-Time Data

  • Active Users: Number of users currently active on the site.
  • Real-Time Traffic Source: Current sources directing visitors to the site.
  • Current Page Views: Pages currently being viewed by users in real-time.

User Flow and Behaviour Flow

  • User Flow: Navigation paths taken by users, starting with the first page visited.
  • Behaviour Flow: Visual representation of interactions and navigation across pages.

Audience Segments and Comparisons

  • Custom Audiences: Grouping of users based on behaviours, demographics, or acquisition methods.
  • Comparisons: Metrics comparing different audience segments (e.g., new vs. returning users, mobile vs. desktop).

Data Retention

  • Event Data: Retained for 14 months.
  • User Data: Retained for 14 months.

Data Captured via Forms

When you submit an enquiry through our website, we collect the following information, which is stored securely in our database for up to 7 years:

  • Full name
  • Email address
  • Organisation
  • Job role
  • Message
  • Timestamp
  • Agreement to newsletters (if opted in)

This data is sent directly to Bros&Co operations via email for follow-up purposes.

Types of Cookies Used

  • Strictly Necessary Cookies: Essential for website functionality and cannot be disabled.
  • Performance Cookies: Collect data on how visitors use the website, including the above-mentioned metrics.
  • Functional Cookies: Remember user preferences to enhance their experience.
  • Targeting/Advertising Cookies: Track users for personalised advertising and marketing purposes.

Third-Party Tools and Cookies

We use third-party analytics tools such as Google Analytics, which may place their own cookies on your device. These cookies enable us to analyse user behaviour and improve our services. Third-party providers are contractually obligated to comply with applicable data protection laws.

Managing Your Cookie Preferences

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

Your Rights

Under the UK GDPR and other applicable regulations, you have the right to:

  • Access the personal data we hold about you.
  • Request rectification or deletion of your data.
  • Restrict processing or object to certain data uses.
  • Lodge a complaint with a supervisory authority (e.g., the ICO in the UK).

Updates to This Policy

We may update this Cookie Policy periodically to reflect changes in technology, legislation, or our business operations. Any changes will be posted on this page, and where significant, we will notify you.

Contact Us

For further information about this Cookie Policy or our data practices, please contact us at: contact@brosand.co

This Confidentiality Policy outlines the expectations and requirements for employees, independent workers and workers supplied by consultancies (referred to as "Worker") engaged in providing services to Bros&Co and/or our Customers (referred to as “Customer”). The primary goal of this policy is to ensure a safe and secure work environment, aligning with the Customer's commitment to workplace safety.

1. Obligations in relation to Confidential Information

1.1       Worker shall treat all non-public Customer information as strictly confidential and not disclose or use any Confidential Information.

1.2       Prior to disclosing any Confidential Information to the Worker, the Customer may require the Worker to notify the Customer of the names of those of its Worker Personnel and/or Subcontractors (if applicable) that will be given access to such Confidential Information and obtain the Customer’s consent to such disclosure.

2. Exceptions

The provisions of clause 1 (Obligations in Relation to Confidential Information) shall not prohibit disclosure or use of Confidential Information if and to the extent:

2.1       necessary for the provision of the Services;

2.2       required by law, or regulatory Authority, provided that, except where prohibited by Applicable Law, prior to disclosure of any Confidential Information pursuant to this clause, Worker shall promptly notify the Customer of such requirement with a view to providing the Customer with the opportunity to contest such disclosure or otherwise to agree the timing and content of such disclosure;

2.3       it becomes publicly available except as a result of a breach of an obligation of confidentiality;

2.4       Customer has given prior written approval to the disclosure;

2.5       the Confidential Information is independently developed by the Worker without violating its obligations under this Confidentiality Policy or the Customer Group’s proprietary rights; or

2.6       the Confidential Information is already in the possession of the Worker and is not subject to an obligation of confidentiality or a restriction on use.

3. Unauthorised Access

3.1       The Worker shall immediately notify the Customer, in writing, of any unauthorised possession, disclosure, use or knowledge, or attempt thereof, or loss of any Confidential Information of which it is or becomes aware.

3.2       The Worker shall, as soon as reasonably practicable, furnish to the Customer full details of the unauthorised possession, disclosure, use or knowledge, or attempt thereof, and use reasonable efforts to assist the Customer in investigating or preventing the recurrence of any unauthorised possession, disclosure, use or knowledge, or attempt thereof, of Confidential Information. 

3.3       If an incident referred to in this clause 3 occurs, Worker shall, at its own cost, provide all necessary assistance as requested by Customer with notifications that may be required under Applicable Laws.

3.4       The Worker shall use reasonable efforts to co-operate with the Customer in any litigation and investigation against Third Parties deemed necessary by the Customer to protect its proprietary rights. The Customer shall have the right to conduct and control any investigation relating to such breach or potential breach of its Confidential Information that it determines is appropriate.

3.5       The Worker shall use all reasonable efforts to prevent a recurrence of any such unauthorised possession, disclosure, use or knowledge of any Confidential Information.

4. Return of Confidential Information

The Worker shall, in the event of the expiration or termination of their contract, or at Customer’s earlier request, return to the Customer all Confidential Information and all copies thereof in the format requested by Customer, or at Customer’s option, destroy such Confidential Information and provide certificates evidencing such return or destruction. Under no circumstances will the Worker deny (or place unreasonable conditions on) the Customer or its Affiliates access to Confidential Information and/or any data created from it.

5. Injunctive Relief

The Worker acknowledges that damages may not be an adequate remedy for breach of this clause (Confidentiality Policy) and therefore agrees that the Customer shall be entitled to seek injunctive relief, in addition to all other rights and remedies available herein, in equity or at law, for any breach of this Confidentiality Policy.

6. Superseded Agreements

For the avoidance of doubt, this policy supersedes any previous contract between the Parties or their respective Group Companies (if applicable), in relation to any Confidential Information.

7. Parties

For the avoidance of doubt, references to “Party” in this policy include the Worker, Worker Personnel and the Customer (whether Bros&Co and/or their Customers and Customer Group Companies), each of which shall procure compliance with this Confidentiality Policy.

8. No Customer Obligations

Except with respect to the license rights provided in Intellectual Policy and as expressly provided in this clause, nothing herein restricts the right of Customer to use, disclose, or otherwise deal with any information, data, or other materials provided by the Worker. 

9. Publicity and Public Announcements

9.1       The Worker will not make any public announcement or issue any circular relating to their contract with or on behalf of the Customer without the prior written approval of the Customer. This does not affect any announcement or circular required by law or any Authority or the rules of any recognised stock exchange, but the Worker shall consult with the Customer so far as is reasonably practicable before complying with such obligation.

9.2       The Worker shall not make any oral or written statement or perform any act indicating that any Customer Group Company endorses or approves the Worker or its work products. The Worker may not use any Customer Group Company trademarks, logos, names, trade names or service marks without the Customer’s prior written approval.

Introduction

This Data Handling Policy defines the principles, standards, and procedures for managing data within Bros&Co. It establishes a robust framework to ensure compliance with UK GDPR, the Data Protection Act 2018 (DPA 2018), and relevant international regulations. By safeguarding the confidentiality, integrity, and availability of data, Bros&Co supports operational resilience, regulatory compliance, and stakeholder trust.

Purpose

The purpose of this policy is to provide a structured approach to data classification, lifecycle management, access control, and data protection. It ensures that data is handled securely and transparently while mitigating risks associated with improper data management or breaches.

Scope

This policy applies to:

  • All employees, contractors, contingent workers, and third-party partners.
  • Data in all forms: electronic, printed, or verbal.
  • All systems, infrastructure, applications, and external data-sharing activities.
  • The classification levels of Public, Internal, Confidential, Highly Confidential, Restricted, and Critical.

This policy adheres to the principles of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and other applicable UK and international data protection regulations. It is designed to align with industry best practices, including ISO/IEC 27001 standards for information security management. This policy is formally approved by Bros&Co Executive Management and authorised by the Information Security Officer.

Responsibilities

Information Security Officer (ISO)

  • Oversee policy implementation, audits, and risk assessments.
  • Respond to incidents and lead DPIA reviews.

Departmental Managers

  • Ensure their teams comply with the Data Handling Policy and related procedures.
  • Approve and monitor access requests for sensitive data based on business needs and the principle of least privilege.
  • Conduct regular reviews of data access and handling practices within their departments.
  • Collaborate with the ISO and IT Administrators to address data security issues or incidents within their teams.

IT Administrators

  • Implement and maintain technical controls such as encryption, backups, and secure transmission protocols.
  • Monitor access control logs for suspicious activity and ensure compliance with security standards.
  • Revoke access rights immediately upon termination or role changes.
  • Provide technical support to ensure secure data handling processes.

Employees and Contractors

  • Follow all data handling procedures, including classification, secure storage, and transmission protocols.
  • Report any suspected or actual data breaches immediately to the ISO or their line manager.

Third-Party Vendors

  • Initiate access requests for team members as needed for project requirements.
  • Ensure access permissions are revoked when no longer required for the project.
  • Monitor compliance with access controls within the scope of their projects.

Associated policies

Policy documents

  • Data Protection Policy
  • Access Control Policy
  • Information Security Policy
  • Incident Response Policy
  • Bring Your Own Device (BYOD) Policy
  • Change Management Policy
  • Risk Management Policy

Definitions

  • Data Classification Levels: Public, Internal, Confidential, Highly Confidential, Restricted, and Critical.
  • Access Control Integration: Mechanisms that ensure secure access, including multi-factor authentication (MFA).
  • Encryption Standards: Technical controls for protecting data at rest (AES-256) and in transit (TLS 1.3).
  • Data Lifecycle Management: Procedures for collection, retention, archival, and secure deletion.
  • Data Protection Impact Assessment (DPIA): Risk evaluation process for high-risk data handling activities.
  • Authorisation: The process of determining if a user or system has permission to access a specific resource or perform a specific action.
  • Audit Trail: Logs that document access and modifications for accountability.
  • Third-Party Data Handling: Vendor assessments and contractual safeguards for external data sharing.

Legal Requirement

Bros&Co must ensure compliance with relevant data protection laws, cybersecurity regulations, and international standards when implementing data handling practices. The key legal requirements for data handling include:

  • Purpose: Data handling activities must align with Bros&Co’s business objectives and legal obligations. All data processing must have a clear and lawful purpose, such as fulfilling contractual obligations, complying with regulatory requirements, or protecting the organisation’s interests.
  • Necessity: Data must only be collected, stored, and processed when necessary for specific and legitimate purposes. Measures must minimise the amount of data processed and mitigate risks of unauthorised access, breaches, or misuse. All actions must be reasonable and justified based on the sensitivity of the data.
  • Proportionality: Data handling controls must balance regulatory and security requirements with operational efficiency. Controls should not create excessive administrative burdens or hinder productivity while ensuring data is adequately protected.
  • Transparency: All data handling activities must be documented and communicated transparently to stakeholders, including individuals whose data is being processed. Bros&Co must provide clear information on how personal data is handled, in line with GDPR’s transparency principles.
  • Auditability: All data handling activities, including classification, storage, access, and deletion, must be logged to create a comprehensive audit trail. This ensures compliance with legal and regulatory requirements and facilitates internal and external audits.
  • Data Subject Rights: Bros&Co must enable individuals to exercise their data rights, including access, rectification, erasure, and objection to processing, in accordance with GDPR and other applicable regulations.

Adhering to these requirements ensures Bros&Co handles data lawfully and securely, protects individual rights, and maintains compliance with global data protection and cybersecurity laws. This approach also reinforces Bros&Co’s commitment to safeguarding its data assets and upholding its reputation as a trusted organisation.

Data Classification Framework

To ensure consistent and secure data handling, Bros&Co adopts a Data Classification Framework that assigns data to distinct levels based on its sensitivity, business impact, and regulatory requirements. All employees, contractors, and third parties are required to adhere to these classifications to maintain data security.

For the Data Classification Framework, please refer to the Information Security Policy, Appendix 1.

Access Control Integration

Role-Based Access: Access to data is determined by job role and data classification, with the principle of least privilege applied.

Authorisation Procedures:

  • Approval by department heads is required for restricted data access.
  • Multi-factor authentication (MFA) is mandatory for accessing sensitive systems.

Access Revocation: 

Access rights are reviewed biannually and revoked immediately upon role changes or termination.

Privileged Access Management: 

Privileged accounts are monitored for anomalies, and usage logs are reviewed regularly.

Data Lifecycle Management

Collection and Quality: 

Data collection must align with business needs and minimise unnecessary data. Data accuracy checks are conducted during input and review.

Retention and Archival

Retention periods:

  • Financial records: 7 years
  • Personal data: As per contractual or legal requirements
  • Critical data: Until explicitly approved for secure deletion or archival

Restoration Procedures: 

Data restoration processes must be tested quarterly to ensure business continuity. Restoration logs must be documented and audited.

Technical Controls

Encryption Standards: 

Encryption must meet NCSC and ISO 27001 standards:

  • In transit: TLS 1.3 or above
  • At rest: AES-256

Backup and Data Masking

  • Backups must occur daily and be stored offsite.
  • Masking techniques apply to sensitive data in testing environments.

Secure Transmission: 

Only approved protocols (e.g., SFTP, HTTPS) are permitted for transmitting sensitive data.

Security Controls by Data Type

Specific controls:

  • Public: Minimal
  • Internal: Password protection
  • Confidential: Encryption, role-based access
  • Highly Confidential: Access strictly controlled with Multi-Factor Authentication (MFA)
  • Critical: Access restricted to designated personnel with just-in-time access policies.

Data Protection Impact Assessments (DPIAs)

Criteria and Procedure: 

DPIAs are required for high-risk data processing activities. The standardised template outlines:

  • Nature and scope of data processing
  • Risks and mitigation strategies

Risk Methodology: 

A qualitative risk assessment matrix is used to evaluate likelihood and impact. Risk scenarios include third-party data breaches and insider threats.

Review Requirements:

DPIAs are reviewed annually and prior to major changes in data processing.

Incident Management

Response Procedures:

Breach response includes:

  • Immediate containment
  • Root cause analysis
  • Notification to the ICO within 72 hours if required

Incident Classification: 

Incidents are categorised as low, medium, or high impact, determining escalation and reporting timelines.

Post-Incident Review: 

A lessons-learned report must be completed for all major incidents and include action plans to prevent recurrence.

Compliance and Monitoring

Audit Framework: 

Annual audits assess compliance with internal and external standards.

Metrics and Reporting:

Compliance metrics include:

  • % of incidents resolved within SLAs
  • % adherence to retention schedules

Audit findings are to be reported to senior management quarterly. Spot-checks are conducted for critical data handling.

Verification Process:

Compliance verification involves internal and third-party audits, with documented findings.

Third-Party Data Handling

Vendor Assessment:

Vendors must undergo a data security assessment before onboarding.

Data Sharing Agreements: 

All agreements must specify:

  • Data ownership
  • Security controls
  • Termination protocols
  • Liability in case of breaches

International Transfers: 

Transfers outside the UK require standard contractual clauses or equivalent safeguards. Regular reviews ensure ongoing compliance.

Vendor Monitoring: 

Third-party compliance must be reviewed annually through audit reports or certifications. Breaches by vendors must be reported and mitigated immediately.

Training and Awareness

All employees must complete annual training on data handling, covering:

  • UK GDPR principles
  • Incident response
  • Emerging threats
  • Secure data handling techniques

Review and Updates

This policy will be reviewed annually by the Operations Director. Next review date: December 2025.

Contact Information

For any questions or concerns regarding this policy, please contact Bros&Co’s Operations Director at:

  • Postal Address: Bros&Co Group Ltd, Coopers Hill Lodge, Coopers Hill Lane, Englefield Green, TW20 0JX

Introduction

The purpose of this Information Security Policy is to safeguard Bros&Co's information assets, ensuring the confidentiality, integrity, and availability of data. This policy establishes the principles and guidelines for protecting Bros&Co and/or client information from potential security threats.

Purpose

This policy aims to define Bros&Co’s approach to information security, fostering a culture of accountability and compliance. It supports legal and regulatory requirements, such as GDPR and ISO27001, while mitigating risks associated with security breaches. This policy also outlines the specific expectations and requirements for employees, contractors, and vendors in managing, storing, and processing Bros&Co and/or client data. The policy aligns with standards including NIST, ISO27001, and GDPR to ensure a comprehensive security framework.

Scope

This policy applies to all employees, contractors, third-party vendors, and anyone with access to Bros&Co’s information systems, data, or assets. It covers:

  • Electronic and physical data storage
  • Internal and external communication channels
  • Software, hardware, and network systems
  • Access to Bros&Co and/or client systems and data

Responsibilities

  • Senior Management: Ensure adherence to and enforcement of this policy.
  • IT Department: Implement technical controls, monitor security systems, and provide training.
  • Employees: Comply with policy guidelines and report security incidents promptly.
  • Third-Party Vendors: Align practices with Bros&Co’s security standards.

Associated policies

Policy documents

  • Data Handling Policy
  • Data Protection Policy
  • Access Control Policy
  • Network Security Policy
  • Remote Working for Accessing Client Network Policy

Policy Framework and Compliance Alignment

  • Regular Updates: The Information Security Policy will be reviewed and updated annually to ensure alignment with evolving standards and practices. Updates will incorporate changes in regulations and lessons learned from incidents.
  • Governance: The Bros&Co Leadership team forms the Information Security Steering Committee, which will oversee updates and ensure compliance with GDPR, NIST, and ISO27001.
  • Compliance Assessments: Workers must conduct periodic compliance assessments against this policy. Independent third-party audit reports or certifications may be used to demonstrate compliance.
  • Support for Bros&Co and/or Bros&Co client Assessments: Workers will support Bros&Co and/or Bros&Co clients in assessing compliance with this policy by providing documentation and resources as required.

Enhanced Risk Management

  • Dynamic Risk Assessment: Ongoing risk assessments will monitor and address emerging threats and vulnerabilities using automated tools and annual comprehensive reviews (see Risk Management Policy).
  • Risk Categorisation Framework: Risks will be categorised by likelihood and impact to prioritise mitigation efforts effectively (Risk Category Framework available in the Risk Management Policy).
  • Penetration Testing: Workers will conduct periodic penetration testing of internet-facing systems, ensuring prompt remediation of identified vulnerabilities.
  • Reporting Material Risks: Workers must report material risks promptly to Bros&Co and/or Bros&Co clients to ensure appropriate action.

Incident Response and Communication

  • Detailed Incident Response Plan: The plan will outline detection, containment, eradication, recovery, and lessons learned to improve resilience.
  • Reporting Requirements: Confirmed security incidents must be reported promptly to the Operations Director and documented using the Security Incident Template available in Appendix 1.
  • Post-Incident Reviews: Reviews will identify root causes and actions required to minimise the recurrence of similar incidents.

Detection Processes

  • Monitoring: Security events will be continuously monitored using automated tools and reviewed by the Leadership team for accuracy and relevance.
  • Classification: Predefined criteria will be used to classify security events, with critical incidents escalated immediately. Security Classifications available in Appendix 1.
  • Vulnerability scans: Scans will be conducted regularly to identify and address weaknesses in systems and applications.
  • Security breaches or threats: Breaches or threats will be detected promptly, and appropriate mitigation actions will be initiated.

Protective Technology

  • Advanced security technologies: Security technologies including firewalls, intrusion detection systems (IDS), and endpoint protection will be deployed to safeguard organisational assets.
  • Software and hardware systems: All software and hardware systems will be regularly patched and updated to prevent exploitation of known vulnerabilities.
  • Event logs: Event logs will be collected and stored securely, with real-time analysis to identify anomalous behaviour.
  • Anti-malware software: Anti-malware software will be installed and updated on all devices accessing the network.

Access Control and Privileged Account Management

  • Just-in-Time Access: Access to privileged accounts will follow a just-in-time model to minimise exposure, and will be reviewed every three months.
  • Enhanced Logging and Reviews: All activities of privileged accounts will be logged and reviewed quarterly to ensure accountability.
  • Strong Passwords: Strong password policies will be enforced, and passwords will be protected from unauthorised access by the use of Multi-factor authentication (MFA).
  • Firewall Management: Network zones will be separated with firewalls, and policies will be reviewed annually.
  • Use of Managed Devices: Only corporately managed devices will be allowed to access Customer networks and information systems.

Data Handling and Encryption Protocols

  • Comprehensive Data Classification: Data will be classified as Public, Internal, Confidential, Highly Confidential, Restricted or Critical, with handling protocols defined for each category (available in Appendix 1).
  • Advanced Encryption Standards: AES-256 encryption will secure data at rest and in transit.
  • Data Retention and Disposal: Secure sanitisation and disposal procedures will ensure the protection of data throughout its lifecycle. Data retention and disposal procedures will comply with NIST 800-88 standards or equivalent.
  • Handling Information: Confidential information must be shared on a need-to-know basis, while Secret information requires additional protection measures. Secret information must not be emailed and must be encrypted or protected per Customer instructions. See the Data Handling Policy for more information.

Security Awareness and Training

  • Tailored Training Modules: Role-specific training addresses the unique risks associated with each role. Training is conducted periodically, and completion is mandatory for all employees.
  • Phishing Drills: Regular phishing simulations, conducted by Bros&Co and its clients, will test and improve employee awareness of social engineering threats.
  • Awareness Activities: Annual information security training will include practical guidance on handling Confidential and Secret information, such as maintaining strong passwords, avoiding suspicious links, and securing physical workspaces.

Monitoring and Threat Intelligence

  • Threat Intelligence Sharing: Participation in threat intelligence sharing initiatives with industry peers and relevant bodies will enhance awareness of current threats.
  • Automated Security Monitoring: Security Information and Event Management (SIEM) systems will continuously monitor and assess security event logs.

Third-Party Risk Management

  • Vendor Security Assessments: Vendors will be assessed for security compliance prior to onboarding, using security questionnaires and audits (see Appendix 1, Vendor Security Assessment Template).
  • Third-Party Incident Reporting: Vendors must promptly report any incidents that impact Bros&Co systems or data.
  • Contractual Obligations: Contracts will include clauses requiring vendors to adhere to this policy.

Performance Metrics and Reporting

  • Key Performance Indicators (KPIs): KPIs will measure the effectiveness of security controls, awareness training, and incident response timelines.
  • Routine Management Reporting: Regular reports summarising security trends and risk assessments will be provided to senior management.

Business Continuity and Disaster Recovery

  • Business Continuity Plans (BCP): Plans will be tested twice annually and updated based on findings from incidents and organisational changes.
  • Cybersecurity Integration: BCPs will include ransomware recovery procedures and continuity during data breaches. Backups of critical data will be securely stored and regularly tested for reliability.

Asset Management

  • Inventory: An inventory of all IT assets, including physical devices, software platforms, and third-party systems, will be maintained.
  • Responsibilities: Roles and responsibilities for managing and securing assets, including hardware and software, will be clearly defined.
  • Asset tracking: All IT assets will be tracked throughout their lifecycle, from procurement to disposal, ensuring compliance with security standards.
  • Security: Physical security controls will be enforced to protect on-premises assets, including restricted access and surveillance.
  • Assets not in use: Lost, stolen, or decommissioned assets will be reported and assessed promptly to mitigate potential risks.

Policy Enforcement and Review

  • Enforcement: All Bros&Co employees and third-party partners are expected to comply with this policy. Non-compliance may result in disciplinary action, including termination of employment or contract.
  • Policy Reviews: Annual reviews will ensure the policy remains relevant and effective.
  • Approval and Distribution: This policy has been reviewed and approved by Bros&Co leadership and will be distributed to all relevant parties.

Policy Review and Updates

This policy will be reviewed annually by the Operations Director. Next review date: December 2025.

Contact Information

For any questions or concerns regarding this policy, or for information about security classifications of the Security Incident form, please contact Bros&Co’s Operations Director at:

  • Email: privacy@brosand.co
  • Postal Address: Bros&Co Group Ltd, Coopers Hill Lodge, Coopers Hill Lane, Englefield Green, TW20 0JX

Modern slavery is a crime and a violation of fundamental human rights. It takes various forms, such as slavery, servitude, forced and compulsory labour, and human trafficking, all of which have in common the deprivation of a person's liberty by another to exploit them for personal or commercial gain.

We have a zero-tolerance approach to modern slavery, and we are committed to acting ethically and with integrity in all our business dealings and relationships. We also uphold international human and labour rights principles, including the International Bill of Rights, the International Labour Organisation (ILO) Core Conventions, and the United Nations Guiding Principles on Business and Human Rights (UNGPs). We are dedicated to implementing and enforcing effective systems and controls to prevent modern slavery, forced labour, child labour, and human trafficking from occurring within our own business or supply chain.

We are also committed to ensuring transparency in our own business and in our approach to tackling modern slavery throughout our supply chain. We expect the same high standards from all our contractors, suppliers, and other business partners. As part of our contracting processes, we include specific prohibitions against the use of forced, compulsory, or trafficked labour; child labour; and anyone held in slavery or servitude. We expect that our suppliers will hold their own suppliers to the same ambitious standards.

Scope of the Policy

This policy applies to all persons working for us or on our behalf in any capacity, including employees at all levels, directors, agency workers, volunteers, agents, contractors, external consultants, third-party representatives, and business partners. This policy does not form part of any employee’s contract of employment, and we may amend it at any time.

Responsibility for the Policy

The Directors are responsible for ensuring those reporting to them understand and comply with this policy and receive any required training.

Compliance with the Policy

You must ensure that you read, understand, and comply with this policy. The prevention, detection, and reporting of modern slavery, including forced labour, child labour, and human trafficking, in any part of our business or supply chain is the responsibility of all those working for us or under our control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy. You must notify your manager and Bros&Co as soon as possible if you believe or suspect that a conflict with this policy has occurred or may occur in the future.

You are encouraged to raise concerns about any issue or suspicion of modern slavery in any part of our business or the supply chains of any supplier tier at the earliest possible stage. If you believe or suspect a breach of this policy has occurred, or that it may occur, you must notify your manager or report it in accordance with our Whistleblowing Policy as soon as possible. If you are unsure about whether a particular act, the treatment of workers more generally, or their working conditions within any tier of our supply chain constitutes any of the various forms of modern slavery, raise it with your manager and Bros&Co.

We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken. We are committed to ensuring no one suffers any detrimental treatment because of reporting in good faith their suspicion that modern slavery in any form is or may be taking place in any part of our own business or in any part of our supply chain. If you believe that you have suffered any such treatment, you should inform your manager immediately.

Communication and Awareness of Policy

Training on this policy, and on the risk our business faces from modern slavery in its supply chain, will be given where needed. Our zero-tolerance approach to modern slavery, forced labour, child labour, and human trafficking must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and reinforced as appropriate thereafter.

Breaches of Policy

Any employee who breaches this policy will face disciplinary action, which could result in dismissal for misconduct or gross misconduct. We may terminate our relationship with other individuals and organisations working on our behalf if there are breaches, and we will contact the appropriate regulatory bodies, the Modern Slavery & Exploitation Helpline at 08000 121 700, or the police.

Appendices

Useful sources of information and guidance:

  • Modern slavery awareness booklet
  • Good Work Plan
  • Human Trafficking Foundation
  • Modern slavery helpline website