Phew Compliance, Governance & Due Diligence

At Phew, safeguarding the data of our clients, employees, and stakeholders is paramount. We are dedicated to upholding the confidentiality and security of the information entrusted to us for processing. In light of the increasing prevalence of data breaches worldwide and evolving compliance regulations, we continuously assess and enhance our data protection measures. 

To ensure compliance with relevant data protection laws, Phew conducts thorough due diligence and adheres to various regulatory and legal frameworks, both mandatory and voluntary. We also actively engage with accreditation schemes to reinforce our data security commitment. Below, we outline the methods through which we prioritise data protection and compliance.

Our privacy policy outlines our procedures for gathering, utilising, and sharing personal information obtained from users. 

Read the full Privacy Policy here 

Our cookies policy explains our approach to collecting, utilising, and sharing the cookies acquired from users.

Read the full Cookie Policy here 

The General Data Protection Regulation (GDPR) is a thorough European privacy law implemented on May 25, 2018. Phew embraces this regulation as a significant step towards aligning data protection standards across the European Union and as an opportunity to assess our current commitments to data protection. We are committed to implementing robust and best-practice data protection measures in compliance with the GDPR. Phew has taken advantage of the introduction of GDPR to align existing policies, procedures, and practices with GDPR requirements and industry best practices. 

Phew exclusively utilises data storage facilities situated within the UK for all customer data, ensuring onshore data storage. Phew selects solely UK-based zones, regions, and environments for all cloud-based storage.  

Additionally, Phew presently does not have any agreements to transfer or sub-process data to any company outside of the United Kingdom. 

Phew proudly holds both ISO 9001:2015 and ISO 27001:2013 certifications, forming an integrated management system that ensures the highest standards of quality and information security. 

ISO 27001 is a globally recognised standard for information security management, ensuring secure management of office sites, development centres, support centres, and data centres. These certifications undergo renewal audits every three years, along with annual surveillance audits to maintain compliance. 

ISO 9001 is an international standard focused on quality management principles to ensure businesses maintain the quality of processes, products, and services. It emphasises customer focus, involvement of top management, process-oriented approaches, and commitment to continuous improvement. 

We are annually assessed through internal and external audits to uphold both ISO 9001:2015 & ISO 27001:2013 accreditation.  

You can view our certificate here. 

Phew have attained Cyber Essentials Plus certification, reinforcing our dedication to maintaining robust cybersecurity practices. This certification reflects our ongoing commitment to safeguarding our systems and data, underscoring our proactive approach to cybersecurity.  

By achieving Cyber Essentials Plus certification, we demonstrate our capability to mitigate cyber risks effectively and uphold the highest standards of security across our operations. This solidifies our position as a trusted partner and assures our clients and stakeholders of our unwavering commitment to cybersecurity excellence.

You can view our certificate here. 

Phew conducts penetration tests and security assessments on its public-facing and internal infrastructure and application services through accredited third-party experts, using CREST certified penetration testers. Vulnerabilities identified during these assessments are promptly reported to Phew and subsequently addressed and tracked in accordance with industry best practices. 

Furthermore, Phew engages Paul Robinson Management Services to perform impartial and professional external audits of its Integrated Management System (IMS) governance and security programmes. 

Phew upholds a comprehensive Disaster Recovery (DR) plan designed to fortify our business continuity strategy for critical production services, systems, and platforms. The plan is developed from industry-recognised methodologies, including ISO27000 standards.

Regular assessments against stringent regulatory and governance requirements ensure the effectiveness of our Disaster Recovery plan. Additionally, Phew conducts scheduled fire drills to continuously test and improve the efficiency of our DR procedures in a proactive cycle of enhancement. 

Phew is registered with the ICO Data Protection Register, reference number Z8143724 (click here to view our ICO registration certificate).  

If you have any inquiries or would like to discuss how your information will be utilised, please reach out to us at hello@phew.org.uk or call 01234 779050. 

Any future policy changes will be posted on the relevant page and, if necessary, communicated to you via email. We encourage you to check back regularly for updates. 

This policy version is dated 21.03.2024.