Privacy policy

March 2023

Introduction
This Privacy Policy contains important information about how we use your personal information. We respect the privacy of individuals who interact with our business and where you choose to provide us with information about yourself, you trust us to act in a responsible manner with that information.
In this privacy policy, references to “Landor”, “us”, “we”, or “our” are all references to Landor.
If you have any questions, comments or concerns about any aspect of this policy or how Landor handles your information, please email our privacy team at [email protected].

What information do we collect?
We collect personal information from you in several ways; you may share information with us, or we may collect it using other means. In this section we explain the different ways we collect personal information from you and some ways in which that information will be used.

Requesting information from us and responding to your queries
We process contact information such as name, email address, telephone number or postal address, preferences, and other declared personal information about you when you provide it to us. For example, when you fill out online forms, subscribe to our services, call or text us, or enquire about our products and services.

Interacting with us via Social Media Channels
We process information relating to you when you interact with us through social media platforms such as LinkedIn or Facebook.

Registering for and attending our events, seminars, or conferences
If you choose to attend one of our events, we will ask for your contact information to provide you with details of the event and manage your attendance. For in-person events, we may ask you to provide us with accessibility information, if appropriate.

Updating you on developments and initiatives
We may process your contact information to keep you informed of updates and developments in our business.

Interacting with our website
When you visit our website, we may collect details of your website visit, including name, email, phone number, IP address (a unique identifier for your computer or other device), website URL and mobile device ID. Our website also uses cookies; please see our cookie policy here for details.

Applying for a job at Landor
We process information provided by you in relation to submitting a job application to Landor (this may include sensitive personal information, for example ethnic origin). Please see our Recruitment Privacy Policy further down below for more information.

Visiting our offices
We may collect information such as contact information (including name, email address, telephone number) and CCTV footage in respect of your visit to our office address.

Interacting with us as a client of Landor
When interacting with us as a client, we process information we may receive from you or from others in relation to our provision of services to our clients. Please see our Client Privacy Policy further down below for more information.

Interacting with us as a supplier or partner to Landor
We process information in relation to you as an individual if you provide services to us (or if you work for a company that provides services to us). Please see our Supplier Privacy Policy further down below for more information.

How do we use it?
We will use your personal information in the following ways. We are also required by law to state a “legal basis for processing”, i.e., to tell you on what grounds we are allowed to use your information, and this is also set out below:

How we will use your personal information | Our legal basis for processing
To provide or respond to you, with information that you have requested, e.g., this could relate to a newsletter, bulletin, an invitation for an event, your interaction with us on social media | Consent – we only use your personal information for this purpose if you have asked us to do so. You can withdraw your consent at any time.
To keep you updated with developments and initiatives at Landor, its affiliates or partners | Our legitimate interests – we use your information to provide you news and updates on Landor, its affiliates or partners. You will always have the opportunity to opt-out in each correspondence.
To process your registration for and attendance at events, seminars, conferences, and meetings with Landor, its affiliates or partners. | Our legitimate interests – we use your information to book you on to the requested events and to send confirmation to you and the event organiser.
To respond to specific queries you may raise regarding Landor, its affiliates and partners | Consent – we only use your personal information for this purpose if you have asked us to do so. You can withdraw your consent at any time.
To provide you with better ways of accessing information from this website | Consent – we only use your personal information for this purpose if you have consented for us to do so. You can withdraw your consent at any time.
To process and consider your job application | Our legitimate interests – we use your personal information to assess your job application, update you on its status and keep you informed of other opportunities, if you have asked us to, via the methods you have selected.
To manage your visit to the office | Our legitimate interests or any other purposes required by law such as for example, compliance with fire protection regulations.


For how we use your information that is collected using cookies and similar technologies please see the “Cookies” section below.

Do we pass your information to third parties?
We may send your personal information to other Landor and WPP group companies, affiliates and third parties to help us process your personal information for the purposes set out in this policy. Further details of our group companies can be found here.

We may disclose your personal information if we or any of our assets are the subject of a sale or similar corporate transaction. We will ensure that the third parties who receive your personal information are required to keep it confidential.

We may disclose personal information to third parties when we reasonably believe we are required by law, and in order to investigate, prevent, or take action regarding suspected or actual unlawful or otherwise prohibited activities, including, but not limited to, fraud.

Where do we send your information?
We are a global company and therefore we may transfer your personal information to countries around the world including the US and other countries outside of the UK and Europe. We will, where the country to which your data is transferred has not been found to provide an adequate level of protection, put in place appropriate safeguards (we use standard contractual clauses) to ensure your information is protected.

How long do we keep your information?
We only keep your personal information for as long as we need to, to be able to use it for the reasons given in this privacy policy, and for as long as we are required to keep it by law.

Third Party Websites
Our website links to third party sites which we do not operate or endorse. These websites may use cookies and collect your personal information in accordance with their own privacy policies. This privacy policy does not apply to third party websites and we are not responsible for third party websites.

How do we protect your information?
We take appropriate technical and organisational measures to ensure that your personal information disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

Children’s Privacy
This website is not intended or designed to attract children under the age of 16. We do not knowingly collect personal information from or about any person under the age of 16. If you are under 16 years old and wish to ask a question or use this site in any way which requires you to submit your personal information, please get your parent or guardian to do so on your behalf.

Your rights
You are entitled to ask:

1. for a copy of the personal information we hold about you, and details about how we are processing your personal information;

2. to have any inaccuracies in your personal information corrected;

3. if we are processing your personal information by automated means and on the basis of your consent (see “How do we use it?”, above), for us to provide your personal information to you in a structured, commonly-used and machine-readable format. You can also ask us to provide your personal information directly to a third party in this format, and, if technically feasible, we will do so; and

4. to have your personal information erased, or for our use of it to be restricted (for example, if your preferences change, or if you don’t want us to send you the information you have requested).

Please contact us using the details set out below if you would like to exercise any of these rights.

You also have the right to make a complaint to the supervisory authority if you’re not happy with how we’ve handled your personal information. Please refer to the data protection authority where you are located. In the UK, the supervisory authority is the Information Commissioner’s Office (http://www.ico.org.uk).

Responsible Disclosures
Landor appreciates and values the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers. Please see our Responsible Disclosures Policy in full further down below.

How to contact us
If you wish to exercise any of your rights in relation to your personal information or if you have any queries about how we use your personal information, please let us know by contacting us at the following address: Landor, Sea Containers, 18 Upper Ground, London, SE1 9PD, United Kingdom, or by email at [email protected].

Changes to this privacy policy
We review this privacy policy on a regular basis to ensure that it is up-to-date with our use of your personal information, and compliant with applicable data protection laws.

We reserve the right, at our discretion, to revise this privacy policy at any time. The updated privacy policy will be posted on our website. You are encouraged to review this privacy policy from time to time.

Landor Privacy Notice for Recruitment

At Landor, we are committed to ensuring that your personal information is protected and never misused.

Our privacy policy explains what personal information we collect, why we collect it, how we use it, the controls you have over your personal information and the procedures that we have in place to protect your privacy. It applies to personal information we collect through public sources (e.g. LinkedIn) as well as CVs and other documents you send to us.

By sharing your personal information with us, you confirm that you have read and understood the terms of this privacy policy. We take responsibility for the personal information we collect about you, and we aim to be transparent about how we handle it, and give you control over it.

In this privacy policy, when we refer to "Landor", "us", "we" or "our", we mean Landor and its operating companies.

If you have any questions, comments or concerns about any aspect of this policy or how Landor handles your information, please email our privacy team at [email protected].

What personal information do we collect?
We collect personal information from you in several different ways; you may share that information with us, or we may collect it using other means. In this section, we explain the different ways we collect personal information from you and some ways in which that information will be used. For more detail on how we use your personal information, please see the section titled How do we use your personal information?

We collect personal information that you share with us when you contact us or interact with us through our website, email, phone or otherwise. You can decide not to provide certain information, or ask that any information you have previously shared is removed. If you do so, you may not be able to take full advantage of a career at Landor and progress an application.

For example, you may provide information to us when in contact about an opportunity to work at Landor, sharing a CV or Resume or other career information.

Through these interactions you may share with us: your name, address, email address, postal address, contact number, career history (usually in the form of a CV) as well as any other personally identifiable information you include in your interactions with Landor. We may also ask for additional information to assist us with our recruitment process and in the event you are offered a job.

How do we use your personal information?
We may share your personal information with companies in the Landor Group, and given the global nature of our company, your personal information may be transferred from one jurisdiction to another. When we make such transfers, we do so in accordance with data protection legislation, for example by using Standard Contractual Clauses where information is transferred from Landor in the European Economic Area to Landor in the United States of America.

By submitting your personal information to us, you agree to us transferring, storing and handling your personal information in this way.

We share your personal information with certain third parties who provide services on our behalf. They only have access to the personal information they need to perform those services. They are required to keep your personal information confidential and may not use it other than as we ask them to and always in accordance with this privacy policy.

We use the personal information you share with us in the following ways:

  • To communicate with you;
  • To provide you with updates about your Landor application;
  • To provide services and support for any application you make;
  • To facilitate any application you make to Landor;
  • To provide updates to you about any changes to Landor’s policies, terms and conditions and any other matters which we may need to tell you;
  • If you have asked us to keep you informed of other opportunities at Landor, we may periodically contact you to tell you about these; and
  • To respond to your queries and requests.

We are required by law to state a “legal basis for processing”, i.e. to tell you on what grounds we are allowed to use your information. In order to assess your suitability for a role or process and consider your job application, we rely upon legitimate interests for the processing of your personal information as described above.

Contacting you in the future
If you have asked us to, we will keep you informed of other opportunities at Landor. We do this in various ways, including email, post, SMS, via social media platforms and by phone, but only if you are happy for us to do so. We keep your information for a period of time reasonable to fulfill this purpose.

If you would like more information on how we share your personal information, please email our privacy team at [email protected].

Links to third party websites
We may provide links to other websites which are not operated and controlled by Landor.

We have no control over and are not responsible for the content of those sites or how the third parties responsible for them collect and use your personal information. We do not endorse or make any representations about third party websites.

Third party websites may have their own privacy policies explaining how they use and share your personal information. You should carefully review those privacy policies before you use these websites to make sure that you are happy with how your personal information is being collected and shared.

How long do we keep your personal information?
We will retain your personal information for as long as needed for the purposes for which it was collected. If we do not employ you, we may retain your personal information for up to 2 years for legal, analytical and system administration purposes and to consider you for potential future roles. Thereafter, we may retain a minimal amount of your personal data to record your recruiting activity with us.

If you are successful in your application, we will retain your information in accordance with our Landor Fair Processing Notice. A copy of this Notice will be provided to you upon joining Landor.

Informing us of changes
If any of the information that you have provided to Landor changes, for example if you change your email address, name or postal address, you can update, amend or request removal of information by submitting a request to [email protected].

How do we protect your personal information?
We use appropriate technical and organisational measures, including encryption, to protect your personal information and privacy, and review those regularly. We protect your personal information using a combination of physical and IT security controls, including access controls that restrict and manage the way in which your personal information and data is processed, managed and handled. Whilst we cannot guarantee the security of your personal information, we commit to taking all reasonable steps to do so.

Your rights
You are entitled to ask:

1. for a copy of the personal information we hold about you, and details about how we are processing your personal information;

2. to have any inaccuracies in your personal information corrected;

3. if we are processing your personal information by automated means and on the basis of your consent (see “How do we use it?”, above), for us to provide your personal information to you in a structured, commonly-used and machine-readable format. You can also ask us to provide your personal information directly to a third party in this format, and, if technically feasible, we will do so; and

4. to have your personal information erased, or for our use of it to be restricted (for example, if your preferences change, or if you don’t want us to send you the information you have requested).

Please contact us using the details set out below if you would like to exercise any of these rights.

You also have the right to make a complaint to the supervisory authority if you’re not happy with how we’ve handled your personal information. In the UK, the supervisory authority is the Information Commissioner’s Office (http://www.ico.org.uk).

Changes to this privacy policy
We will review and update this privacy policy from time to time and will note the date it was last updated below.

Contact us
If you have any questions, comments or concerns, or would like to make a complaint about how we use the personal information we hold about you, please email our privacy team.

You can contact our privacy team at any time at [email protected]. We will get back to you as soon as possible.

Privacy Policy Notice for Clients

March 2023

Where our Clients or Prospects have chosen to engage with Landor (“we”, “us”, or “our”), either before or after entering into a business agreement, we are the controller of any personal data about your business or employees that you choose to give us and are therefore responsible for processing it in accordance with the law. This excludes any personal data that you specifically ask us to process as part of the “Services” we will provide.

We respect the privacy of our clients and those individuals working for our clients and recognise that when you choose to provide us with personal data, you trust us to act in a responsible manner with that information. This privacy policy contains important information about how we use personal data for the following data subjects:

  • Our clients, either historical, existing or prospective, who are natural persons; and
  • representatives or contact persons of our clients who are legal entities.

We will refer to the above together as the “clients”. If you are considered a client of Landor, we invite you to read and understand the contents set out in this privacy policy.

What information do we collect?
At times we may request that information is voluntarily supplied to us by our client themselves or by the legal entity appointed by the client.

We may gather the following information about you during our engagement:

  • Identification and contact information (full name, title, email, phone, address etc)
  • Job Title, position, and name of company
  • Business Financial information (e.g., bank account details), insofar as our client is a natural person
  • Identification data relating to the delivery of products or services to our company (e.g., login details, passwords, visitor pass, IP address, online identifiers/ cookies, logs, access times, correspondence)

Clients should ensure their employees are aware that their data is being shared with us, as described in this policy.

How do we use it?
The primary reason we process your personal data is to approve, manage, administer or effect an agreement between Landor and the client you represent or work for. In this respect, we use your personal data to issue invoices, perform accounting, manage our contract or review the services or products we supply to you. In addition, we process personal data to meet our legal obligations (such as record keeping obligations), as well as to manage our risks and operations (e.g. prevent and detect security threats, exercise or defend legal claims).

We are also required by law to state a “legal basis for processing”, i.e., to tell you on what grounds we are allowed to use your information, and this is also set out below:

How we will use your personal data | Our legal basis for processing
Managing our relationship with our clients. | Legitimate interest - in cases where we process data of representatives or contacts of our customers who are legal entities, the processing of your data is necessary for our legitimate interest to communicate with our customers' representatives in a customary, personal manner. Necessary for the performance of a contract – we use your personal data to liaise with you on matters relating to our relationship, if you, as our client, are a natural person.
Making decisions about supplying goods and services (e.g., determining invoices or the terms of our contractual agreement(s) etc). | Legitimate interest – in cases where our client is a legal person, we use your personal data to keep our client updated throughout our relationship. Necessary for the performance of a contract – we use your personal data to supply goods and services to you, and to keep you updated throughout our relationship.
Upholding our company’s economic interests and ensuring compliance and reporting (such as adhering to our policies, local legislation and managing allegations of fraud or misconduct). | To comply with our legal obligations – in cases where our client is a natural person, we use your personal data to investigate and prevent fraud or misconduct and to protect our economic interests.
To manage your visit to our offices. | Our legitimate interests for any other purposes required by law such as for example, compliance with fire protection regulations.
To keep you informed of news, updates and other information related to our business and that of other companies in our group. | Our legitimate interests – ensuring you receive information relevant to you related to the services we provide. Where required by local law, we will ask you for your consent before we process your data for information purposes.
Any other purposes required by law and authorities. | Processing is necessary for compliance with a legal obligation to which we are subject.


Do we pass your information to third parties?
We may send your personal data to other WPP and Landor group companies, affiliates and third parties to help us process your personal data for the purposes set out in this policy. Further details of our group companies can be found here.

We may disclose your personal data if we or any of our assets are the subject of a sale or similar corporate transaction. We will ensure that the third parties who receive your personal data are required to keep it confidential.

We may disclose personal data to third parties when we reasonably believe we are required by law, and in order to investigate, prevent, or take action regarding suspected or actual unlawful or otherwise prohibited activities, including, but not limited to, fraud.

Where do we send your information?
We are a global company and therefore we may transfer your personal data to countries around the world including the US and other countries outside Europe. We will, where the country to which your data is transferred has not been found to provide an adequate level of protection, put in place appropriate safeguards (we use standard contractual clauses) to ensure your information is protected.

How long do we keep your information?
We will keep your information for as long as is necessary to fulfil the purpose for which it was collected. The retention time is the term of the clients’ contract until any legal claims under the contract expire, unless an overriding legal or regulatory obligation arises.

How do we protect your information?
We take appropriate measures to ensure that your personal data disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

Your rights
Depending on the purposes of processing you may be entitled to ask:

1. for a copy of the personal data we hold about you, and details about how we are processing your personal data;

2. to have any inaccuracies in your personal data corrected;

3. if we are processing your personal data by automated means and on the basis of your consent (see “How do we use it?”, above), for us to provide your personal data to you in a structured, commonly-used and machine-readable format. You can also ask us to provide your personal data directly to a third party in this format, and, if technically feasible, we will do so;

4. to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing based on consent before withdrawal;

5. to object, on grounds relating to your particular situation, at any time to processing which is based on our legitimate interest; and

6. to have your personal data erased, or for our use of it to be restricted (for example, if your preferences change, or if you don’t want us to send you the information you have requested).

Please contact us using the details set out below if you would like to exercise any of these rights.

You may also have the right to make a complaint to the supervisory authority in your country or jurisdiction if you’re not happy with how we’ve handled your personal data.

How to contact us
If you wish to exercise any of your rights in relation to your personal information or if you have any queries about how we use your personal information, please let us know by contacting us at the following address: Landor, Sea Containers, 18 Upper Ground, London, SE1 9PD, United Kingdom, or by email at [email protected].

Changes to this privacy policy
We review this privacy policy on a regular basis to ensure that it is up-to-date with our use of your personal data, and compliant with applicable data protection laws.

We reserve the right, at our discretion, to revise this privacy policy at any time. The updated privacy policy will be posted on our website. You are encouraged to review this privacy policy from time to time.

Version History
• Version 1: November 2021

Privacy Policy Notice for Suppliers

March 2023

Where Landor ("we", "us" or "our") chooses to enter into a business engagement with a supplier, we will be the controller of any personal data that you give to us to enable us to process that business engagement, and are therefore responsible for processing it in accordance with the law.

We respect the privacy of our suppliers and those individuals working for our suppliers and recognise that when you choose to provide us with personal data, you trust us to act in a responsible manner with that information. This privacy policy contains important information about how we use personal data for the following data subjects:

  • Our suppliers, vendors and service providers, either historical, existing or prospective, who are natural persons; and
  • representatives or contact persons of our suppliers and service providers who are legal entities.

We will refer to the above together as the “suppliers”. If you are considered a supplier of Landor, we invite you to read and understand the contents set out in this privacy policy.

What information do we collect?
We may gather the following information about you during our engagement:

  • Identification and contact information (full name, title, email, phone, address etc)
  • Job Title, position, and name of company
  • Business Financial information (e.g., bank account details), insofar as our supplier is a natural person
  • Identification data relating to the delivery of products or services to our company (e.g., login details, passwords, visitor pass, IP address, online identifiers/ cookies, logs, access times, correspondence) and
  • Background checks related to the supplier (which may include related party checks)

Suppliers should ensure their employees are aware that their data is being shared with us, as described in this policy.

How do we use it?
The primary reason we process your personal data is to approve, manage, administer or effect an agreement between Landor and the supplier you represent or work for. In this respect, we use your personal data to organize our sourcing activities, issue purchase orders, process payments, perform accounting, manage our contract or review the services or products you supply us with. In addition, we process personal data to meet our legal obligations (such as record keeping obligations), as well as to manage our risks and operations (e.g. prevent and detect security threats, exercise or defend legal claims).

We are also required by law to state a “legal basis for processing”, i.e., to tell you on what grounds we are allowed to use your information, and this is also set out below:

How we will use your personal data | Our legal basis for processing
Managing our relationship with our suppliers. | Legitimate interest - in cases where we process data of representatives or contacts of our suppliers who are legal entities, the processing of your data is necessary for our legitimate interest to communicate with our suppliers' representatives in a customary, personal manner. Necessary for the performance of a contract – we use your personal data to liaise with you on matters relating to our relationship, if you, as our supplier, are a natural person.
Making decisions about procuring goods and services (e.g., determining payment or the terms of our contractual agreement(s) etc). | Legitimate interest – in cases where our supplier is a legal person, we use your personal data to keep our supplier updated throughout our relationship. Necessary for the performance of a contract – we use your personal data to assess your status as a new or existing supplier, and to keep you updated throughout our relationship.
Upholding our company’s economic interests and ensuring compliance and reporting (such as adhering to our policies, local legislation and managing allegations of fraud or misconduct). | To comply with our legal obligations – in cases where our supplier is a natural person, we use your personal data to investigate and prevent fraud or misconduct and to protect our economic interests.
To manage your visit to our offices. | Our legitimate interests for any other purposes required by law such as for example, compliance with fire protection regulations.
To keep you informed of news, updates and other information related to our business and that of other companies in our group. | Our legitimate interests – ensuring you receive information relevant to you related to the services we provide. Where required by local law, we will ask you for your consent before we process your data for information purposes.
Any other purposes required by law and authorities. | Processing is necessary for compliance with a legal obligation to which we are subject.


Do we pass your information to third parties?
We may send your personal data to other WPP and Landor group companies, affiliates and third parties to help us process your personal data for the purposes set out in this policy. Further details of our WPP group companies can be found here.

We may disclose your personal data if we or any of our assets are the subject of a sale or similar corporate transaction. We will ensure that the third parties who receive your personal data are required to keep it confidential.

We may disclose personal data to third parties when we reasonably believe we are required by law, and in order to investigate, prevent, or take action regarding suspected or actual unlawful or otherwise prohibited activities, including, but not limited to, fraud.

Where do we send your information?
We are a global company and therefore we may transfer your personal data to countries around the world including the US and other countries outside Europe. We will, where the country to which your data is transferred has not been found to provide an adequate level of protection, put in place appropriate safeguards (we use standard contractual clauses) to ensure your information is protected.

How long do we keep your information?
We will keep your information for as long as is necessary to fulfil the purpose for which it was collected. The retention time is the term of the suppliers’ contract until any legal claims under the contract expire, unless an overriding legal or regulatory obligation arises.

How do we protect your information?
We take appropriate measures to ensure that your personal data disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

Your rights
Depending on the purposes of processing, you may be entitled to ask:

1. for a copy of the personal data we hold about you, and details about how we are processing your personal data;

2. to have any inaccuracies in your personal data corrected;

3. if we are processing your personal data by automated means and on the basis of your consent (see “How do we use it?”, above), for us to provide your personal data to you in a structured, commonly-used and machine-readable format. You can also ask us to provide your personal data directly to a third party in this format, and, if technically feasible, we will do so;

4. to withdraw your consent at any time. The withdrawal of your consent will not affect the lawfulness of processing based on consent before withdrawal;

5. to object, on grounds relating to your particular situation, at any time to processing which is based on our legitimate interest; and

6. to have your personal data erased, or for our use of it to be restricted.

Please contact us using the details set out below if you would like to exercise any of these rights.

You may also have the right to make a complaint to the supervisory authority, in your country or jurisdiction, if you’re not happy with how we’ve handled your personal data.

How to contact us
If you wish to exercise any of your rights in relation to your personal information or if you have any queries about how we use your personal information, please let us know by contacting us at the following address: Landor, Sea Containers, 18 Upper Ground, London, SE1 9PD, United Kingdom, or by email at [email protected].

Changes to this privacy policy
We review this privacy policy on a regular basis to ensure that it is up-to-date with our use of your personal data, and compliant with applicable data protection laws.

We reserve the right, at our discretion, to revise this privacy policy at any time. The updated privacy policy will be posted on our website. You are encouraged to review this privacy policy from time to time.

Version History
• Version 1: November 2021

Responsible Disclosures Policy

July 2021

Introduction
Landor (“We”, “Us”, “Our”) appreciates and values the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers (“You”).

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We do not offer a bug bounty program or monetary rewards for responsible disclosures, and compensation requests will not be considered in compliance with this Responsible Disclosure Policy.

Reporting
If you believe you have found a security vulnerability, please submit your report to us using the following email address: [email protected]

Your report should include details of:

  • The website, domain, IP or page where the vulnerability can be observed.
  • Steps to reproduce, which should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately.

If you have any concerns or queries with regard to reporting, please email [email protected] for advice.

What to expect
We aim to confirm receipt of your vulnerability report within 5 working days and triage your report within 10 working days. We also aim to keep you informed of our progress and completion of any remediation activities. We may contact you if we require further information regarding your report.

Remediation of any reported vulnerabilities is assessed based upon their impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status, but we ask that you avoid doing so more than once every 14 days to allow our teams to focus on the remediation.

Guidance
You must NOT:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive or significant amounts of data or modify data in our systems or services.
  • Disrupt our services or systems, use high-intensity invasive or destructive scanning tools to find vulnerabilities or attempt any form of denial of service.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
  • Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
  • Social engineer, ‘phish’ or physically attack our staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.

You must:

  • Always comply with data protection rules and must not violate the privacy of our users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us to be in breach of any legal obligations.