a) Due to convergence and the overlap of clients’ services, the competitive landscape is an ever-shifting web. As a CX agency involved in consulting, data, creative and technology, we find it truly difficult to fully avoid any competitive conflict.
b) Also, a trend in CX is that our market is smaller, more bespoke, than traditional mainstream advertising agencies. CX agencies tend to work with clients who have sizeable customer bases and are dedicated to delivering an unparalleled customer experience. There are simply fewer clients in our marketplace. This has led us to adapt in order to manage multiple competing or overlapping client situations.
c) CX projects are vastly different/diverse with data, systems, CX mapping, creative and technology – and the work can often be in the background of a client’s business. Therefore, what’s being done for one competing or overlapping client is likely to be highly different to another. It’s not like mainstream advertising with very obvious TV campaigns. An advantage of representing clients in the same or overlapping industry is our knowledge and expertise in that industry, which ultimately benefits our clients.
d) We respect that this micro market instability is just the opposite of what clients want to hear from us. What they want is exclusive access to top talent and subject-matter experts who will be there for them alone in their sector. In our more contained market this is harder to deliver and leads us to provide a responsible and secure offering to manage overlapping or competing clients.
e) CX Lavender takes the subject of client security very seriously, training employees on the dangers of overlapping or competing clients and the usage of conflict mitigation tools, including firewalls, as well as policies and processes for training, audits, and enforcement. We protect our clients and use a simple but complex system to recognise each individual client’s IP, maintaining extensive contractual and physical operating frameworks. We have strict policies and processes to limit information exchange between groups. This includes physical separation of groups, separate geography of offices, distinct file servers and printers, and scope of work defined by area.
2. Purpose and Scope of the Policy
a) This policy sets out procedures and organisational structure for ensuring that one client’s sensitive information is not used or disclosed for the benefit of another client, whether or not those clients are competitors.
b) Full compliance with this policy is mandatory for every employee of CX Lavender and contractors involved in: at least one delivery solution; managing CX Lavender day-to-day and high-level relationships with clients. Some projects undertaken may require extraordinary levels of restrictions on CX Lavender’s operational flexibility. These are discussed further down as “special procedures.” They may only be implemented with the agreement of the Executive Team and with a client request.
3. Physical Assets
a) Client and Project Teams working on confidential assignments will be appropriately separated from other teams. The circulation and visibility of physical documents will be managed and monitored so that access to them is limited to team members only. All project documentation must clearly display one of the appropriate privacy markings:
(i) Commercially in confidence - CX Lavender proprietary information.
(ii) Client in Confidence - Client confidential information or CX Lavender professionally sensitive material relating to the client engagement.
b) Office Services and Technical Support teams will carry out normal support services to the project teams; such services include all that is necessary to allow project work viability. All members of these teams are therefore subject to the normal level of security. Documents containing confidential information which are no longer required for the project must be either shredded or put in a “confidential data protection” bin for destruction. At least one lockable storage facility will be provided to project teams to keep confidential project documentation; this facility will be sufficient to store all documentation which needs to be kept. Each member of a project team working on a confidential assignment shall sign a personal Non-Disclosure Agreement, which will restrict the sharing of confidential information and impose a standard of care.
c) Each project has its own dedicated storage area on the network; this area is restricted to project team members only. Management of circulation and visibility of electronic documents will be controlled so their access is limited to team members only.
a) Information which might endanger project confidentiality will not be divulged during meetings attended by people other than project team members. If such information is to be discussed, one or both teams will be asked to leave.
b) Resourcing managers will be kept aware of potential conflicts due to CX Lavender employees’ and contractors’ past assignments, and these conflicts will be tracked in a resourcing register.
c) Each employee or contractor will confirm in writing that they have read and fully understood this policy and will abide by this policy. This will also form part of the induction process for all new members to the team and ongoing checks will be performed to ensure this is enacted.
d) At the initiation meeting and at suitable intervals, employees will be reminded of their obligations under this policy.
e) Full compliance with this policy is compulsory; breach of this policy is a serious disciplinary offence.
5. Special Procedures
a) Some clients and specific projects may require extraordinary levels of restrictions on CX Lavender’s operational flexibility. These “special procedures” may only be implemented with the agreement of the Executive Team, and with a client request.
b) CX Lavender may, in relation to an employee working full or substantially full time on a project for a particular client, agree in writing not to deploy, for a period of time to be agreed with the client, such employee in providing any services to any competitor (a list to be agreed) of such client.
c) Some projects might require special attention; in that case, details of what requirements would be implemented should be specified as an addendum to this policy. Implementation is subject to approval by the Executive Team. This is also subject to an agreement on incremental costs that such special measures would result in.
d) When specifically requested by the client, CX Lavender shall ensure that each employee or contractor involved in the client’s business signs a personal and client specific Non-Disclosure Agreement which will restrict the sharing of confidential information and impose a standard of care.
e) The project team for each client will be housed, where necessary, in a separated project location, with access thereto only for project team members.
f) All documentation relating to a specific client or project will be kept in the separate location in a lockable storage unit. Client or project documentation may not be removed from the separate location unless expressly authorised by the Group Business Head or Lead Project Manager in writing.
g) Each project will have its own dedicated storage area on the network. This area will be protected by password, and access will be restricted to members of the project team. Where appropriate and as requested, an individual client or project can have its own dedicated storage and network with secure access. This is also subject to an agreement on incremental costs that such special measures would result in.
h) Dedicated hardware will be provided for team members to use, including dedicated printers.
i) Client-specific information and any other sensitive client material must not be shared in any weekly or other meetings of each CX Lavender team, or any other CX Lavender internal information and/or knowledge sharing meeting.
j) Any “learning/skills/experience” gained from a project which is commercially sensitive for the relevant client (this will frequently be time dependent; for example, prior to the public launch of a redesigned website) and/or which unavoidably contains client confidential information may only be shared outside the project team with the client’s prior written consent.
k) Confidential and/or sensitive client information contained in documents no longer required must be shredded.
l) All desks must be left clear at the close of business. Any material left on a desk or elsewhere in the office will be removed and stored in a locked cupboard.
m) Each employee must confirm in writing (including email) to the CEO that they have read and fully understood any of the above “special procedure” items listed in clause 3, that may be requested by the client and approved by the Executive team. Breach of this policy is a serious disciplinary offence.
6. Security Policy – Statement of Applicability
a) Authorisation Process for Information Processing Facilities: Project Managers are to authorise team members for each discrete client or project, and keep records of the authorisation.
b) Confidentiality Agreements: The Project Manager will obtain Non-Disclosure Agreements if not already in place when people are assigned to sensitive projects. Confidentiality agreements are filed in HR, and NDAs held by the Administrative team.
c) Addressing Security when Dealing with Customers: Once a sensitive project is accepted, the interface with the client is controlled by the Group Business Head and Project Manager.
d) Inventory of Assets: Client assets are the responsibility of the relevant Group Business Head and Project Manager. Suitable access control is set up at the beginning of a project after liaising with the client to understand security and confidentiality requirements.
e) Information Classification Guidelines: CX Lavender classifies information in terms of its value, legal requirements, sensitivity and criticality to the organisation and client. The information used by Project Teams and security levels is designated according to the needs of the work and requirements of the client.
f) Tier 1 is for normal project operation with dedicated project files on a secure file server with access limited by the Project Managers to relevant staff. Change management for access control to the project files is carried out through the ticketing system and process that provides authorisation and tracking.
g) Tier 2 is tailored according to specific client needs and a physical secure project area is normally established for the project team, together with a clear desk policy.
h) Tier 3 is there to ensure the highest level of security of information (Executive team or CEO approval required). The work is either:
(i) Carried out in client premises.
(ii) Carried out on CX Lavender premises but with a very high level of security or for CX Lavender staff to work remotely with secure network access to the client’s systems.
(iii) The name of the client or system is kept confidential so no-one outside of the immediate team and senior management knows about it. A separate secure area and code name for the project would be used. This has been required for new product launches for clients.
i) Information labelling and handling: CX Lavender separates project information by client account and by project number, each project having a unique identity. Assets are labelled and held in project designated areas. Individual project documentation is labelled according to its degree of confidentiality, i.e. Commercial in Confidence or CX Lavender in Confidence.
j) Screening of Contractors, New Employees and Project Members: Background verification checks are done on all candidates for employment, contractors and third party users where this is relevant and proportional to business requirements, client requirements or relevant laws.
k) References are taken for new employees and, although this is intended to verify the identity and integrity of the person, it does satisfy an initial view of trustworthiness with regard to security. For any overseas employees or contractors, standard Work Permit data is collected and reviewed.
l) HR and Group Business Head Managers are required to carry out any specific security screening as required by a client with respect to Tier 2 and Tier 3 projects.
m) Removal of Access Rights: Low level staff lose rights on day of departure. Others have rights denied immediately once notice to terminate is issued by Group Business Head. Project Managers are responsible for ensuring all access rights to project environments are rescinded when a Project ends even if staff are redeployed within Lavender.
7. Organisational Structure and Solution Delivery
a) In order to facilitate and safeguard the Client’s confidential and proprietary information, the following team and delivery structure will be adhered to.
b) The client teams will be separated depending on interaction and exposure to sensitive information and data; these may include separate and distinct Business Management, creative, and strategy teams.
c) As discussed with Client, separate physical locations for these functions can be implemented, depending on the nature and size of the specific client/project.
d) For all digital development and delivery aspects of a project, CX Lavender will utilise its technology, digital and production teams as a common resource to be shared by all client teams.
e) All output delivered from the technology, digital or production teams for a specific client will utilise separate and secure project management instances as well as dedicated and compartmentalised storage for all files.
f) Should hosting be a requirement, CX Lavender will ensure that all projects marked as confidential are hosted on a client-specific instance on our AWS infrastructure and estimated as such.
g) Should the Client utilise CX Lavender’s SaaS offering, separate and unique instances and IPs will be used to deliver this service.
h) All client data will be segregated at the database level and secured in separate locations on separate virtual devices.
i) Access to data will only be permitted to authorised team members on a required basis and will require login credentials.
j) All source code will be stored and maintained on separate source control instances.