Data Security and Encryption

Last Updated: 10/11/2025

Filmster Network Limited (“we”, “us”, “our”) is committed to protecting the confidentiality, integrity and availability of the data we process across our digital services, including Filmster.ID, Filmster Studio, Reel Sense and associated collaboration tools. This Data Security and Encryption Policy sets out how we secure data and manage encryption in accordance with applicable data protection laws, including UK GDPR requirements for appropriate technical and organisational measures.


1. Purpose and Scope

This policy describes the principles, responsibilities and controls that govern data security and encryption across all systems and platforms under the operational control of Filmster Network.

It applies to:

  • All personal and sensitive information processed by or on behalf of Filmster Network.
  • All systems, applications, infrastructure, and devices used to provide our services.
  • All personnel, contractors and third-party service providers engaged in or supporting our operations.

2. Legal and Regulatory Framework

Under Article 5 of UK GDPR, data must be processed securely by means of appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage. Encryption is recognised as an example of such a measure, and must be implemented where appropriate based on risk assessment. Filmster Network considers the state of the art, cost of implementation, and risk to individuals’ rights and freedoms when selecting security controls.


3. Security Governance and Risk Assessment
  • We maintain an overarching Information Security Management Framework that includes documented risk assessments, threat modelling and annual reviews of controls.
  • We assess the **nature, scope, context and purposes** of data processing operations to determine appropriate measures.
  • We identify risks related to confidentiality, integrity and availability and implement controls accordingly.
  • Findings and decisions are documented, reviewed periodically, and updated when services or threat landscapes change.

4. Encryption Principles

Encryption is used to protect data when stored (“encryption at rest”) and transmitted (“encryption in transit”) where appropriate:

4.1 Encryption in Transit
  • We use secure communication protocols such as HTTPS with strong Transport Layer Security (TLS) to protect personal data transmitted over networks.
  • Outdated or insecure protocols (such as SSL) are not permitted.
4.2 Encryption at Rest
  • Personal and sensitive data stored on servers, cloud infrastructure and device storage is encrypted using industry-standard algorithms.
  • Full disk or database encryption is applied where required based on risk and sensitivity.
4.3 Key Management
  • Encryption keys are stored and managed securely. Keys are not co-located with encrypted data.
  • Access to encryption keys is controlled and logged, and multi-factor controls or hardware security modules are used where appropriate.
4.4 Residual Risk Considerations

Encryption is a significant protective control, but residual risks remain and are managed through layered security controls, including:

  • Access controls
  • Monitoring & logging
  • Intrusion detection
  • Secure backups
  • Patch management

5. Data Integrity and Availability

In addition to encryption, we implement controls intended to ensure data remains accurate and accessible when needed:

  • Role-based access control (RBAC) enforced across services.
  • Least privilege principles for system access.
  • Regular backups and disaster recovery procedures to restore access after an incident.
  • Regular vulnerability scanning and penetration testing.

6. Organisational Measures
6.1 Security Policies and Workforce Awareness
  • All personnel with access to data or systems receive training on security responsibilities and best practice.
  • Security policies are reviewed at least annually.
6.2 Incident Response
  • A documented incident response plan governs how security events are detected, investigated and remediated.
  • Notification procedures align with regulatory breach reporting requirements.
6.3 Supplier and Third-Party Risk
  • We only engage service providers that implement appropriate technical and organisational measures.
  • Contracts with processors include security requirements and obligations to support compliance with UK GDPR security obligations.

7. Security Logging and Monitoring
  • System and access logs are captured and retained for security monitoring, audit and forensic purposes.
  • Anomalous activity triggers alerts and investigation protocols.

8. Secure Development and Deployment

Security is integrated into the lifecycle of all software development and deployment operations:

  • Secure coding standards
  • Code reviews and automated security analysis
  • Environment-specific access controls
  • Configuration management

All infrastructure follows hardened baseline configurations.


9. Encryption Technology Standards

Where encryption is used, we adopt widely accepted cryptographic standards and protocols that meet current industry expectations, and we review them periodically in light of evolving standards and threats.

Examples of good practice include:

  • Advanced Encryption Standard (AES) with appropriate key lengths.
  • TLS versions recommended by recognised authorities.
  • Cryptographic modules compliant with recognised certification schemes.

10. Data Retention and Secure Disposal

Data is retained only as long as needed to fulfil the purposes defined in our Privacy Policy. When data is no longer required:

  • Secure deletion or irreversible anonymisation procedures are applied.
  • Media sanitisation follows industry best practice to prevent reconstruction of data.

11. Policy Review and Change Control

This policy is reviewed at least annually, or whenever significant changes to technology, services, legal requirements or risk landscapes occur.


12. Contact and Responsibility

Filmster Network’s Data Protection Officer (DPO) and security leadership are responsible for implementation and oversight of this policy. For questions or incident reporting, contact the Data Protection Officer: privacy@filmster.network