
Information Security Policy

ISMS 1.2 Information Security Policy : Issue 1  Rev 19 : Last reviewed 08-02-2022

Policy Summary

Texthelp will:

The Texthelp group of companies recognizes that its first priority regarding information security and privacy is to avoid causing harm to individuals. Predominantly this means keeping information securely, on a need-to-know basis, in the right hands.

This is the top-level policy and, as well as outlining the company’s information security objectives and how to meet them, it also includes a requirement for all security related documents to be reviewed periodically to ensure conformity and applicability.

It is the responsibility of all employees to comply with the requirements of this and all policies.

Although Texthelp’s ISO 27001 scope of certification currently includes only Texthelp Ltd, Texthelp Inc and Texthelp PTY, this information security policy describes best practice and is applicable across the Texthelp group of companies.


Texthelp will:

GDPR Compliance & International Data Transfers

Texthelp Billing & Contact Data and Customer/User data (name only) are stored in Amazon Web Services (AWS). The Texthelp Group has entered into Standard Contractual Clauses with AWS to ensure we comply with the GDPR rules on international transfers. We have also included Standard Contractual Clauses in our End User License Agreements to cover the transfer of personal data from end users in the EU to AWS data centers based in the United States. This complies with data protection requirements and GDPR legislation when transferring data belonging to EU citizens outside the EU.

Key Risks & Mitigations

Texthelp has identified the following potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address:



Breach of security by an external party of an information asset

The development and implementation of information security Standards to minimize the risk of data being obtained by hacking or interception. Network security controls and physical perimeter security devices prevent the physical theft of the company’s information assets by on-site contractors.

Release of data by a staff member

Staff Awareness Training will be delivered to help staff understand their responsibilities when handling personal data in order to prevent accidental disclosure of sensitive information.

Access controls are in place to prevent unauthorised access to the company’s information assets.

Regular Audits will be conducted to ensure staff are complying with this policy.

Exposure of sensitive information through hacking of Texthelp products or services

Secure development/coding practices will be employed and development staff training delivered. Testing of our products prior to and after release will include, but not be limited to, the OWASP top-ten online vulnerabilities.

Not being able to respond to a security breach effectively

Texthelp will develop and manage an information security management system to maximize information security and manage security incidents. A Security Incident Response Policy exists outlining steps to be taken in the event of a security breach.


Information Security Committee

The role and responsibilities of this committee will be to provide:

Data Protection Officer

The Data Protection Officer is currently David Hankin, who deals with both the day-to-day management of the Information Security Management System and the continuous communication of the importance and value of security measures, with the following responsibilities:

Specific other staff

IT & Network Administrator:

Chief Technical Officer:

Chief Data Officer:


All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.


Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.


Because confidentiality applies to a much wider range of information than Data Protection, Texthelp has a separate Data Privacy Policy.


This Policy applies to all employees and third-party agents of Texthelp as well as any other Company affiliate who is authorized to access customer Data. Third party agents of Texthelp will be required to have an Information Security Policy at least as stringent as this policy.

Third party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.

Texthelp will comply with requests made under the General Data Protection Regulation (GDPR, EU), the Data Protection Act 2018 (UK) and the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities, under the USA PATRIOT Act from US authorities, under the Freedom of Information and Protection of Privacy Act (FOIPPA) (British Columbia), and from other agencies where obliged to do so.

The full list of regulatory and legislative requirements with which Texthelp complies is given in this table of Legislative & Regulatory bodies.

What we do with customer data

Texthelp has a privacy policy for Users, setting out how their information will be used.

Texthelp Staff Responsibilities

All Texthelp Staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities (see Appendix A).

Information Security Standards

All information that is stored by Texthelp is classified as one of the following data types:

All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards.

Physical Media Transfer : no customer or private data will be transported using physical media

In order to comply with relevant legislation:

Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster.  This plan should cover situations such as:

Information Security Management System

A system must be maintained to manage and control the security of all data stored by Texthelp.

The system must:

Staff training & acceptance of responsibilities


Information for staff and temporary workers is contained in the staff handbook.


All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.

Data Protection will be included in foundation training for all staff.

Continuing training

Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy

All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.

Specific Focus Training for Key Handling Roles

Software Developers

Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Information Security Standards above.

Prior to release the software will be tested to ensure that it is in compliance.

All Product Owners, Scrum-masters or Project leaders should ensure that an Information Security Risk Assessment is carried out for each sprint and, when needed, a risk treatment plan is created and followed.


Marketing Staff

Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing. 

Policy review


Ryan Graham (CTO) will be responsible for reviewing this policy. This Information Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Information Security Policy at all times.


An annual review of the policy will be performed to ensure continuing relevance. The results of this review will be available on request.


An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 27001 internal audits. The ISO 27001:2013 audits are performed at least annually.

Information Security Incidents

All information security incidents will be logged in the Downtime/Security Events Register in Sugar. Information security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non Critical Incidents. Level 1 incidents should not trigger a customer notification since there has been no impact to privacy.

Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. The Information Commissioner's Office should also be notified within 72 hours of the breach being discovered.

Appendix A:  Confidentiality statement for staff

When working for Texthelp, you will often need to have access to confidential information which may include, for example:

Personal information about individuals who are customers or users of Texthelp software.

Information about the internal business of Texthelp.

Personal information about colleagues working for Texthelp.

Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need-to-know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.

You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international offices, or between Texthelp and a 3rd party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organization does count.

You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security.  In particular you must:

not compromise or seek to evade security measures (including computer passwords);

be particularly careful when sending information between our international offices;

not discuss confidential information, either with colleagues or people outside Texthelp;

not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.

If you are in doubt about whether to disclose information or not, do not guess.  Withhold the information while you check with an appropriate person whether the disclosure is appropriate.

Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.

Signed: Martin McKay  (CEO)

Signed: Ryan Graham (CTO)

Public Information