Data retention policy
1. Introduction
1.1 This Data Retention Policy ("Policy") outlines the principles and procedures governing the retention of data collected and processed by The Developing Leaders Partnership trading as - Gyre ("Company") a digital team development platform.
1.2 The Policy applies to all data pertaining to the Company's customers ("Customers") and their employees ("Users").
2. Definitions
2.1 Data: Any information collected, processed, or stored by the Company in the course of its business operations. This includes personal data, activity data, and any other information associated with Customers and Users.
2.2 Personal Data: Data that can be used to identify a natural person, directly or indirectly, such as name, email address, and job title.
2.3 Activity Data: Data generated by a User's interaction with the platform, such as login times, sessions completed, and feedback provided.
3. Data Retention Principles
3.1 The Company is committed to retaining data only for as long as necessary for the purposes for which it was collected and processed, or as required by law.
3.2 The Company will regularly review its data retention periods to ensure compliance with this Policy and relevant legal obligations.
3.3 The Company implements appropriate measures to safeguard data against unauthorized access, disclosure, alteration, or destruction.
3.4 The Company will adhere to relevant laws, regulations, and industry standards governing data retention and privacy.
4. Data Retention Periods
4.1 Customer Data:
Active Customers: Customer data will be retained for the duration of the Customer's subscription with the Company.
Inactive Customers: Customer data will be retained for a period of 5 years following account inactivity, after which it will be securely anonymized or deleted, unless longer retention is mandated by law.
4.2 User Data:
Active Users: User data will be retained for the duration of their employment with the Customer and their active use of the platform.
Inactive Users: User data will be retained for a period of 3 years following their last login, after which it will be securely anonymized or deleted, unless longer retention is mandated by law.
4.3 Exceptions:
The Company may retain data for longer periods than outlined above in the following circumstances:
4.3.1 To comply with a legal obligation, such as a court order or regulatory investigation.
4.3.2 To resolve disputes or enforce the Company's terms and conditions.
4.3.3 To preserve business records for legitimate business purposes, such as tax or accounting purposes.
5. Data Anonymization and Deletion
5.1 When data reaches the end of its retention period as outlined in this Policy, the Company will take steps to securely anonymize or delete the data.
5.2 Anonymization will involve irreversibly modifying the data to render it impossible to identify an individual.
5.3 Deletion will involve the permanent erasure of the data from the Company's systems.
6. User Access and Control
6.1 Users have the right to access and modify their personal data stored by the Company. This includes the ability to request the deletion of their data, subject to the restrictions outlined in Section 4.3.
6.2 Customers can manage User access and data within the platform administration settings.
7. Review and Updates
7.1 The Company reserves the right to review and update this Policy periodically. Any changes will be communicated to Customers and Users through the platform or by email.
8. Contact
8.1 If you have any questions about this Policy or the Company's data retention practices, please contact us at support@gyreteams.com.
Data archiving and removal policy
1. Introduction
The Developing Leaders Partnership trading as - Gyre recognises the importance of effective data management throughout its lifecycle, encompassing archival and removal processes. This Data Archival and Removal Policy outlines our commitment to:
• Maintaining data integrity
• Complying with regulations
• Minimising risks associated with data retention
2. Purpose
This policy establishes guidelines for the archival and removal of data collected and processed by Gyre. By adhering to these guidelines, we aim to:
• Optimise storage resources
• Mitigate security risks
• Ensure compliance with legal and regulatory requirements
3. Policy Statement
Gyre is committed to:
• Archiving data that is no longer actively used but may be required for historical, legal, or business purposes
• Removing data that has reached the end of its retention period or is no longer necessary for operational or legal purposes
• Implementing secure and documented processes for both data archival and removal to ensure data integrity and confidentiality
• Regularly reviewing and updating archival/removal procedures to align with evolving business needs and legal requirements
4. Scope
This policy applies to all data collected, processed, and stored by Gyre, including:
• Customer information (e.g., names, contact details, payment information)
• Employee records (e.g., personnel files, performance evaluations)
• Operational data (e.g., transaction logs, system logs)
5. Definitions
• Data Archival: The process of transferring data to a long-term storage solution for retention beyond its original purpose.
• Data Removal: The secure deletion or destruction of data that is no longer needed for operational or legal purposes.
• Data Lifecycle: The stages through which data passes from creation or acquisition to archival or removal.
6. Data Archival Procedures
• Identification: Gyre will identify data that is no longer actively used but may be required for historical, legal, or business purposes.
• Selection: Data for archival will be selected based on criteria such as legal or regulatory requirements, business needs, and data classification.
• Storage: Archived data will be stored in secure, long-term storage solutions with appropriate access controls to prevent unauthorised access or modification.
• Documentation: All archival activities will be documented, including the type of data archived, the reason for archival, and the date of archival.
7. Data Removal Procedures
• Identification: Gyre will identify data that has reached the end of its retention period or is no longer necessary for operational or legal purposes.
• Secure Deletion: Data selected for removal will be securely deleted or destroyed using methods that prevent unauthorised access or retrieval.
• Documentation: All data removal activities will be documented, including the type of data removed, the reason for removal, and the date of removal.
8. Compliance and Enforcement
Gyre's Data Protection Officer (DPO) is responsible for ensuring compliance with this policy and related data protection laws and regulations. Violations of this policy may result in disciplinary action, up to and including termination of employment or legal consequences, depending on the severity of the breach.
9. Review and Revision
This Data Archival and Removal Policy will be reviewed annually and updated as necessary to reflect changes in legislation, technology, or business practices.
10. Contact Information
For questions or concerns regarding this policy, please contact Gyre's Data Protection Officer (DPO) at lisa.mcfall@gyreteams.com
Data storage policy
Executive Summary
• Gyre is ISO 27001 certified, the most robust international standard for information security.
• Gyre is an approved Crown Service Supplier, available as part of the digital marketplace on G-Cloud 13.
• Gyre is independently audited on an annual basis under the UK Government’s Cyber Essentials Framework (Cyber Essentials Plus certified).
• Our digital services are hosted on Microsoft’s Azure Cloud Platform, which provides the highest levels of security and governance.
• All data is encrypted at rest using industry-standard algorithms (AES-128/256).
• All data is transferred and accessed securely using TLS 1.2 or greater.
• Data is securely replicated across multiple geographic regions to provide resilience against data loss.
• Gyre complies with all relevant data protection legislation, including GDPR.
• Data is restricted internally to operational support roles, and all actions are logged.
• Software development follows industry security best practices, including consideration of the OWASP Top 10.
• Use of Gyre is subject to the published Terms and Conditions and Privacy Policy.
Data Storage and processing locations
In line with data protection legislation, including GDPR, we store and process data in the following locations:
• United Kingdom
• European Economic Area (EEA)
• United States, under the 2021 EU Standard Contractual Clauses, following a Transfer Impact Assessment (TIA)
Data Centres
Our databases and digital platform servers are hosted in Microsoft Azure Data Centres.
Our data centres include strong physical controls (e.g. secured perimeter, 24-hour security monitoring and response, full-body metal detection screening on entry and exit).
Our Azure data centres comply with (among others):
• CSA CCM v3.0
• SSAE-16 / ISAE 3402
• ISO 27001
• HIPAA
• Cyber Essentials Plus
• G-Cloud
• FedRAMP
• SOC 1 and SOC 2
Data is deleted from data centres using best practice procedures and a wiping solution that is NIST 800-88 compliant.
For assets that cannot be wiped, a destruction process is used that physically destroys the asset and renders recovery of the information impossible.
Network and data protections
Pseudonymisation or anonymisation of personal data is used where appropriate.
All data at rest is encrypted using AES-128/256.
No personal data is held on removable media.
Data in transit is secured using industry-standard TLS 1.2 with ECDHE_RSA (P-256) key exchange and AES_256_GCM, or stronger. Internally, access to the cloud platform uses TLS 1.2 with 2048-bit RSA keys and SHA-256, or stronger.
Personal data is segregated from other unrelated networks.
The principle of least privilege is applied to access control and user authentication processes.
Management interfaces are restricted to operational support roles.
All actions are audited.
Antivirus/malware protection and patching are kept up to date on all systems that store or process personal data.
Platform components hosted on Azure receive regular and automated security updates.
Protective Monitoring
We use both Azure's industry-leading security monitoring and our own defined processes to monitor for application and data compromises.
Security incidents receive immediate top priority as part of our operational processes and are mitigated as soon as possible, subject to our agreed SLAs.
Vulnerability scanning is performed by Microsoft on server operating systems, databases, and network devices. The vulnerability scans are performed on a quarterly basis at a minimum.
Third-party penetration tests are performed regularly on our external production systems.
Microsoft Azure contracts with independent assessors to perform penetration testing of the Azure boundary. Red-team exercises are also routinely performed and the results are used to make security improvements.
App/service has sub-processors: no