M37's Data Protection Policy sets out our commitment to protecting Client data and how we implement that commitment with regards to the collection and use of Client data.  

​

We are committed to:

​

• Ensuring that we comply with the data protection principles, as listed below.

• Ensuring that data is collected and used fairly and lawfully.

• Processing Client data only in order to meet our operational needs or fulfill legal and contractual requirements.

• Establishing appropriate retention periods for Client data.

• Ensuring that data subjects’ rights can be appropriately exercised.

• Providing adequate security measures to protect Client data.

• Ensuring that all staff is made aware of standard practice for data protection.

• Ensuring that queries about data protection, internal and external to the organization, is dealt with effectively and promptly.

• Regularly reviewing data protection procedures and guidelines within the organization.

​

Our data protection principles:

​

• Client data shall be processed fairly and lawfully.

• Client data shall be obtained with the purpose of completing our contractual obligation to the Client, and shall not be further processed in any manner incompatible with that purpose.

• Client data (processed or unprocessed) shall not be kept for longer than is necessary to complete our contractual obligation to the Client. As such, all Client data will be deleted automatically by our internal data security system 90 days after the Client’s project has been completed.

• Appropriate technical and organizational measures shall be taken against the unauthorized processing of Client data, and against the accidental loss, destruction, or damage to Client data. To this end, Client data will be stored on our servers and protected with 128-bit encryption. Each file will be protected with a unique password, which will be held only by the Project Manager and analysts assigned to the project.

​

​

​