Data Storage Policy
Data Storage and Protection Policy — Black Box Smart Data LLP
This policy outlines how Black Box Smart Data LLP stores and protects client data using Fasthosts UK for data hosting and amberSearch for secure knowledge access and processing workflows.
1) Purpose
The purpose of this policy is to define how client data is securely stored, accessed, and protected across our hosting and AI-assisted search stack.
2) Scope
This policy applies to all client data stored within Fasthosts UK data centres and any client-related information accessed via amberSearch within our environment.
It covers technical controls, access management principles, hosting locations, and compliance claims directly provided by our vendors.
3) Data Storage Architecture
Black Box Smart Data LLP stores client data in Fasthosts UK data centres located in Worcester and London. These facilities provide geo‑redundant 100Gb/s fibre optic connectivity, and the Worcester data centre is Tier IV certified with 99.999% availability.
Fasthosts UK data centres are ISO 27001 certified and implement extensive physical security, including perimeter protection, CCTV, rigorous access control, and advanced intruder alarms. They also employ certified fire-rated construction, very early fire detection, and nitrogen fire suppression for critical rooms.
amberSearch is hosted on German servers in the Open Telekom Cloud and follows ISO 27001 and SOC2 standards, with additional TISAX and BSI C5 certifications for the hosting environment.
4) Data Processing with amberSearch
The stated purpose of amberSearch is not to process personal data, and it does not store user data.
amberSearch does not create copies of the source data; instead, it integrates with existing repositories and respects existing access controls.
amberSearch adopts existing access rights from Active Directory/SSO and does not create new access structures, helping ensure least‑privilege enforcement remains consistent with our identity provider.
amberSearch is 100% GDPR compliant and has successfully addressed GDPR compliance and integration of existing access rights in customer deployments.
5) Technical and Organisational Measures (TOMs)
Fasthosts UK provides a physically secure and resilient environment with ISO 27001 certification, Tier IV availability in Worcester, perimeter security, CCTV, rigorous access controls, advanced intruder detection, early smoke detection, and nitrogen fire suppression in critical rooms.
amberSearch’s hosting environment follows ISO 27001 and SOC2 standards, and is operated on German servers within the Open Telekom Cloud, with additional certification including TISAX and BSI C5 for the hosting provider.
amberSearch integrates with existing enterprise identity (Active Directory/SSO) and does not replicate access structures, which reduces risk from access drift and shadow permissions.
amberSearch does not store user data and does not create copies of the underlying data, which supports data minimisation and reduces data spread across systems.
6) Compliance Alignment
Fasthosts UK data centres carry ISO 27001 certification, evidencing information security best practices at the data centre level.
amberSearch states adherence to ISO 27001 and SOC2 standards and communicates 100% GDPR compliance.
7) Sustainability and Data Centre Operations (Informational)
Fasthosts UK operates on 100% renewable energy with additional sustainability measures such as solar PV at Worcester and renewable power sources in London, alongside energy‑efficient designs and ISO 50001 for energy management.
8) Access Control Principles
Access to data via amberSearch is constrained by the organisation’s existing identity and access management, as amberSearch adopts existing Active Directory/SSO permissions without creating new access structures.
9) Data Replication and Retention
amberSearch does not create copies of the data being searched, supporting a minimisation approach to data replication across tools.
Organisation‑specific retention schedules, archival rules, and deletion procedures are to be defined by Black Box Smart Data LLP and applied at the data source and hosting levels with each organisation.
10) Data Processing Agreements and Documentation
amberSearch provides Data Processing Agreements (DPA) and maintains technical and organisational measures and a SaaS security concept.
11) Operational Responsibilities
Black Box Smart Data LLP is responsible, together with each client, for:
Defining and maintaining identity, role‑based access controls, and conditional access policies consistent with our SSO/Active Directory.
Configuring repositories and permissions so amberSearch can correctly inherit and enforce existing access rights.
Managing data lifecycle, retention, and deletion at the data source and storage layers.
Vendors are responsible for the controls and assurances described in their materials, including data centre certifications and security features for Fasthosts, and security posture and integration behaviour for amberSearch.
12) Exceptions and Changes
Any deviations from this policy require approval by Black Box Smart Data LLP’s information security leadership and must maintain alignment with the vendor‑stated controls and certifications referenced herein.
13) Summary of Key Vendor Assurances
Fasthosts UK:
UK data centres in Worcester and London; Worcester is Tier IV certified (99.999% availability).
ISO 27001 certified data centres with strong physical security and fire protection controls.
Sustainable operations including 100% renewable energy and ISO 50001 for energy management.
amberSearch:
Hosted on German servers in Open Telekom Cloud; follows ISO 27001 and SOC2 standards, with mentions of TISAX and BSI C5 for the hosting environment.
No user data stored and no copies of source data created; adopts existing AD/SSO access rights.
amberSearch states 100% GDPR compliance and successful handling of GDPR requirements in customer deployments.

