Security & Data Retention

Information security is a leadership priority at Dynamactive Ventures. Our security posture is overseen at the partner level, with day-to-day accountability assigned to a designated Information Security Officer. Key governance principles include:

• Principle of least privilege — access to systems and client data is granted strictly on a need-to-know basis and reviewed periodically.
• Confidentiality by default — all engagement data is treated as confidential unless explicitly classified otherwise.
• Vendor accountability — all technology vendors and subprocessors are subject to security due diligence and contractual data-protection commitments.
• Continuous improvement — security controls are reviewed at least annually and after any material incident.

We deploy the following technical and organisational measures to safeguard data:

• Encryption in transit — all data transmitted between users and our systems, and between our systems and vendors, is protected using TLS 1.2 or higher.
• Encryption at rest — client engagement files, databases, and backups are encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
• Multi-factor authentication (MFA) — enforced for all internal systems, cloud services, and administrative accounts.
• Role-based access controls (RBAC) — granular permissions ensure team members can access only the data and systems relevant to their role and active engagements.
• Endpoint protection — managed endpoint detection, disk encryption, and remote-wipe capability on all firm devices.
• Secure development — our website and any client-facing tools are built with secure coding practices and dependency scanning.
• Network segmentation — internal networks are segmented to contain any lateral movement in the event of a compromise.

Client-confidential data — including strategy documents, financial models, operational data, customer records, and any other non-public information shared during an engagement — receives the highest level of protection:

• Client data is stored separately from other engagements and isolated by project where technically feasible.
• Sharing outside the engagement team requires written authorisation from the engagement lead.
• Third-party subprocessors who may process client data are disclosed to the Client on request and bound by confidentiality and security agreements.
• All team members are subject to written confidentiality obligations that survive the termination of their association with the firm.

We maintain an incident response plan to detect, contain, assess, and recover from security incidents, including personal data breaches. Our procedure is as follows:

1. Detection & triage — anomalies are flagged through automated monitoring, vendor alerts, or human reporting and triaged within 4 hours.
2. Containment — affected systems are isolated to prevent further exposure.
3. Assessment — the nature, scope, and severity of the incident are assessed to determine regulatory and contractual notification obligations.
4. Notification — where a breach is likely to result in a risk to the rights and freedoms of affected individuals, we notify the relevant data protection authority without undue delay and, where appropriate, affected individuals directly. Clients are notified promptly if their confidential data is involved.
5. Recovery & review — systems are restored, root cause is addressed, and a post-incident review is conducted to prevent recurrence.

Breach notification contact: info@dynamactiveventures.com

Dynamactive Ventures does not store personal data except where it is directly necessary to deliver, invoice, or support the professional services we have been engaged to provide. We do not maintain personal data warehouses, sell contact lists, or retain individual profiles for purposes unrelated to an active or completed engagement.

Where we do hold data, retention is limited to the minimum period required by law or by the specific engagement. Our retention schedule is as follows:

When retention is no longer required, data is securely deleted, destroyed, or anonymised. Engagement data containing client-confidential material is disposed of in a manner that prevents recovery.

At the end of the retention period, digital records are securely erased using cryptographic wiping or certified deletion methods that prevent recovery. We maintain an inventory of disposal actions for audit purposes.

Critical business and client data is backed up regularly to geographically separated, encrypted storage. We test our backup restoration capability periodically. In the event of a major disruption, our objective is to restore essential systems and access to client deliverables within 24 hours.

We rely on a curated set of subprocessors for cloud hosting, productivity, collaboration, secure file sharing, email, analytics, video conferencing, accounting, and payment processing. Each subprocessor is assessed for security maturity before onboarding and bound by contractual confidentiality, data-protection, and security commitments. A current list of material subprocessors is available on request.

If you have questions about our security practices, wish to request a copy of our security questionnaire, or believe your data may have been affected by a security issue, please contact us:

We acknowledge security inquiries within 2 business days and respond substantively within 7 business days.

We may update this Security & Data Retention Policy to reflect changes in technology, regulation, or our business practices. Updates will be posted on this page with a revised effective date. Material changes will be communicated to active clients where contractually required.

Last updated: 26 May 2026