Pre-Engagement Resources

Data & Security Overview

What data Owlpen accesses, how it is stored and protected, our ISO 27001 scope, and how we handle your data under UK GDPR. Written for IT and security teams.

Notice

This overview provides a summary of Coaley Peak's data security practices and is intended as a reference document for technical due diligence. It is not a substitute for the full Data Processing Agreement (DPA), which is required before any data sharing begins. Security arrangements are subject to change as part of continuous improvement under ISO 27001. ISO 27001 certification status can be independently verified through the UKAS accredited bodies register. © Coaley Peak Ltd 2026.


What Data Owlpen Accesses

In scope

  • Financial transaction data and cost line items within agreed scope
  • Supplier and vendor invoice data relevant to agreed cost categories
  • Process timing and volume data for workflow automation assessment
  • Marketing spend data — only where marketing is within engagement scope
  • Operational metrics relevant to agreed KPIs

Not in scope by default

  • Personal employee data or HR records — unless explicitly agreed and covered by the DPA
  • Customer personal data — unless explicitly agreed and covered by the DPA
  • Payroll data — unless operational cost reduction within scope requires it
  • Commercially sensitive data outside the agreed scope
  • Any data not directly relevant to the agreed KPI framework

Nothing is accessed beyond the agreed scope. Scope is confirmed in writing in the KPI Agreement before deployment begins.

Data Storage & Residency

Location

All client data is processed and stored within the UK or EEA. No data is transferred outside the EEA without explicit written agreement. For international clients or engagements with specific residency requirements, alternative data regions are available — we use AWS as our preferred hosting provider, which supports a wide range of international regions. Specific arrangements are agreed in writing as part of the DPA.

Encryption at rest

AES-256 encryption for all stored client data.

Encryption in transit

TLS 1.2 or higher for all data in transit. No unencrypted data transmission.

Retention

Client data is retained only for the duration of the engagement plus any statutory minimum. A deletion certificate is provided post-engagement on request.

Access Controls

  • Role-based access control (RBAC): Access to client data is limited to personnel with a direct operational need.
  • Multi-factor authentication (MFA): Mandatory for all Coaley Peak staff accessing client data or platforms.
  • Least-privilege principle: No standing elevated access; permissions are granted per-engagement and revoked on termination.
  • Audit logs: All access to client data is logged with timestamps; logs are retained for a minimum of 12 months.
  • Third-party access: No third party has access to client data without the client's prior written consent.

ISO 27001:2022 — Information Security Management

Coaley Peak Ltd holds ISO 27001:2022 certification, independently audited and UKAS accredited. The certification covers our information security management system (ISMS), including client data handling, access controls, incident response, and supplier management.

Certification status can be verified at ukas.com using the accredited bodies register. A summary of our ISMS policy is publicly available.

Incident Response & Breach Notification

1. Detection & containment

All security events are logged via our ISMS. On detection of a confirmed or suspected breach, the affected system is isolated immediately and an incident team convened within one hour.

2. Notification

In the event of a personal data breach meeting the UK GDPR threshold, we notify the ICO within 72 hours and affected clients as soon as practicable — and in any event within 72 hours of becoming aware.

3. Post-incident

A written root-cause analysis and remediation report is provided to the affected client within 10 business days of resolution.

Our named data protection contact for breach notification is legal@coaleypeak.co.uk.

Data Processing Agreement & UK GDPR

A Data Processing Agreement (DPA) is required before any client data is shared with or accessed by Coaley Peak. The DPA is provided as part of the pre-engagement documentation and must be countersigned before the process audit (Phase 1) begins.

Coaley Peak acts as data processor in relation to client personal data within the agreed scope. The client remains the data controller. Our ICO registration number is ZA505303.

Sub-processors

A full list of sub-processors is available on written request. Clients are notified of any material changes to the sub-processor list with a minimum of 30 days' notice.


Data subject rights

Coaley Peak will assist the client in responding to data subject rights requests within the timeframes required by UK GDPR. The mechanism for this is set out in the DPA.

To request a DPA:

Email legal@coaleypeak.co.uk with your organisation name and the name of your authorised signatory. A countersigned DPA is returned within five business days.

Document reference: ISO_webpage_get-started_data-security_v1

Last modified: 29 March 2026
