How does Pathzero ensure confidentiality of customer data?

In this article, we provide details about Pathzero's data management policy and how we safeguard your sensitive data.


We understand that sensitive information is uploaded to our platforms and the need to keep it confidential. This is one of our cornerstone priorities.

Refer to Clause 10 ‘Confidentiality and privacy’ of our Terms and Conditions which are signed as part of your contract with Pathzero. All customers who have access to our platforms are required to agree to these terms.

You can find detailed information about how we protect any personal information we come across in our Privacy Policy.

Sharing with your stakeholders

One or more other customers may request access to view your data through the Pathzero Product. If another customer requests access to your data in this way, you will be notified through the Product of the data to which the other customer has requested access. You may withdraw your consent to sharing of customer data with other customers at any time through the Product settings.

Information Security Management System ('ISMS')

We have established an Information Security Management System ('ISMS'), based on the ISO 27001 standard, to ensure comprehensive governance throughout our organisational operations and product offerings. This includes a suite of formal policies covering (amongst others): Compliance Requirements, Information System Security, Access Control, Data Protection, Systems Management, System Ownership and Return, Password Management and Email Management.

Our Information Security Team regularly reviews our suite of policies and security training as part of continuous improvement efforts to enhance the security posture of our organisation.

We have Compliance Management systems in place to continuously monitor our security posture and have rolled out across the organisation other security systems such as Password Management, Anti-Virus, Multi-Factor Authentication, and VPN access for internal systems.

An extract of our internal Data Management Policy are outlined below:

Confidential Data Handling Protocols at Pathzero

  • Data must only be used for the particular purpose for which it was collected

  • Access for non-preapproved roles requires documented approval from the data owner

  • Access is restricted to specific employees, roles and/or departments

  • Confidential systems shall not allow unauthenticated or anonymous access

  • Confidential customer data shall not be used or stored in non-production

  • Confidential data shall be encrypted at rest and in transit over public networks in
    accordance with the Cryptography Policy

  • Mobile device storage containing confidential data, including laptops and mobile
    phones, shall be encrypted

  • Mobile devices storing or accessing confidential data, including laptops and mobile
    phones, shall be protected by a log-on password (or equivalent, such as biometric) or
    passcode and shall be configured to lock the screen after five (5) minutes of non-use

  • Backups shall be encrypted

  • Confidential data shall not be stored on personal phones or devices or removable media
    including USB drives, CDs, or DVDs

  • Paper records shall be labelled “confidential” and securely stored and disposed of in a
    secure, approved manner in accordance with data handling and destruction policies and

  • Hardcopy paper records shall only be created based on a business need and shall be
    avoided whenever possible

  • Hard drives and mobile devices used to store confidential information must be securely
    wiped prior to disposal or physically destroyed

  • Transfer of confidential data to people or entities outside the company shall only be
    done in accordance with a legal contract or arrangement, and the explicit written
    permission of management or the data owner

Data Retention

Pathzero shall retain data as long as the company has a need for its use, or to meet regulatory
or contractual requirements. Once data is no longer needed, it shall be securely disposed of or
archived. Data owners, in consultation with legal counsel, may determine retention periods for
their data.

Legal Requirements

Under certain circumstances, Pathzero may become subject to legal proceedings requiring
retention of data associated with legal holds, lawsuits, or other matters as stipulated by
Pathzero legal counsel. Such records and information are exempt from any other requirements
specified within this Data Management Policy and are to be retained in accordance with
requirements identified by the Legal department. All such holds and special retention
requirements are subject to annual review with Pathzero’s legal counsel to evaluate continuing
requirements and scope.

Where Pathzero is requested or required by a law enforcement or other legal authority to
disclose data, the matter shall be referred to the Chief Executive Officer and company legal

Should affected data not belong to Pathzero (e.g. client data), Pathzero shall endeavour to
notify the data owner in a timely manner unless disclosure is prohibited by law or otherwise
deemed inappropriate.

Violations & Enforcement

Any known violations of this policy should be reported to Head of Finance and Operations.
Violations of this policy can result in immediate withdrawal or suspension of system and
network privileges and/or disciplinary action in accordance with company procedures up to and
including termination of employment.