Privacy Policy

SOTERweb, a trading arm of Montgomery & Coupers Ltd, is committed to protecting the privacy and personal data of all users. As a UK-based SME SaaS company serving public sector and commercial clients, we take our data protection responsibilities seriously. This document sets out how we collect, use, protect, and share personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Overview
We operate a privacy-by-design approach to software development and system implementation. Although we are a small organisation, our systems are designed with enterprise-grade security principles in mind. We collect and process only the minimum personal data necessary to deliver our services, and we do so in a way that is lawful, fair, and transparent. Our systems are hosted in the UK using secure data centres, and all third-party services are carefully assessed for compliance with applicable privacy regulations. The safeguarding of client data is integral to our operation, and we conduct periodic reviews to maintain the confidentiality, integrity and availability of the information we manage.

2. Data Controller
The Data Controller for all data processed through SOTERweb is Montgomery & Coupers Ltd. Rik Hutchins, Director at SOTERweb, has been appointed as our Data Protection Officer. He is responsible for ensuring that our privacy practices are upheld and that any queries or concerns are responded to promptly. He can be contacted via email at rik@soterweb.org.uk for any matters relating to the handling of personal data, data subject rights, or data protection compliance.

3. Purpose of Processing Data
SOTERweb processes personal data to enable the provision, maintenance and support of our online health and safety management systems. This data may include basic contact information such as names, email addresses, job titles, and audit logs of activity within the platform. The platform also allows for the optional upload of documents, photos, and risk-related records, which may contain personal information depending on the client’s use of the system. The data is used exclusively for providing contracted services, maintaining system functionality, delivering user support, and performing essential administration such as account management and security monitoring. SOTERweb does not actively seek or process special category data (such as medical or biometric information), and clients are advised not to upload such data unless there is a lawful basis and it is essential for the intended use of the system.

4. Lawful Basis of Processing
We process personal data under several lawful bases as set out in Article 6 of the UK GDPR. In most instances, data is processed because it is necessary for the performance of a contract, specifically, the licence agreement between SOTERweb and its clients. In some cases, we may also rely on our legitimate interests, such as providing product support or improving system functionality, provided such interests are not overridden by the data subject’s rights. We may also process personal data to comply with legal obligations, such as audit or financial reporting duties. Where consent is required, for instance, in relation to receiving product updates or marketing communications, it will be sought explicitly and may be withdrawn at any time.

5. Preventative Measures
We apply a wide range of security measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. All SOTERweb systems are hosted in secure UK-based data centres. Data is encrypted in transit using HTTPS with TLS protocols, and access is limited through strict role-based permissions and multi-factor authentication. System access is logged and monitored, and our development practices include secure coding, regular vulnerability scanning, and third-party tools that support threat prevention.
SOTERweb is Cyber Essentials Plus certified and has undergone independent penetration testing to verify the effectiveness of our controls. We are also actively working towards full ISO 27001 accreditation, using its framework to guide our internal processes and security governance. For clients requiring heightened controls, we can implement jurisdictional restrictions, define specific access parameters, and ensure data is stored or processed only within GDPR-compliant territories. All administrative processes around data transfer, deletion and retention follow our Information Governance and Security Policy, which is reviewed annually.

6. Data Subject’s Rights
Under the UK GDPR, individuals have the right to access, rectify, or erase their personal data. They may also request restrictions on processing, object to certain uses, or ask for data portability in specific circumstances. Data subjects who wish to exercise any of these rights may do so by writing to our Data Protection Officer at rik@soterweb.org.uk. We will respond to such requests within thirty working days, in line with statutory obligations.
If you are dissatisfied with how your personal data has been handled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the UK's independent regulator for data protection matters and can be contacted via their website at www.ico.org.uk.

7. Insurance
We maintain comprehensive business insurance that includes professional indemnity and coverage in the event of data breaches.

8. Accreditations
SOTERweb is Cyber Essentials Plus certified and follows a defined internal roadmap towards achieving ISO 27001 accreditation. Our privacy and security posture is informed by the ISO 27001 framework, and our systems and procedures are reviewed against industry best practice. We also follow guidance from the National Cyber Security Centre (NCSC) to ensure our controls remain proportionate, effective, and aligned with evolving risks.
