Data Policy

We do not operate platforms, host user accounts, broker data, or monetize information. Our work enables clients to achieve their goals through thoughtful, precise digital systems.

• Lawfulness, Fairness, and Transparency: Data is processed only where a valid legal basis exists and in a manner that is transparent to Data Subjects, consistent with applicable data protection legislation.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes without additional consent or a recognised compatible purpose.
• Data Minimisation: Only the minimum data necessary for the specified purpose is collected and retained. TENETWORKS actively avoids over-collection and implements regular data reviews to identify and remove unnecessary data.
• Accuracy: Reasonable steps are taken to ensure that data held by TENETWORKS is accurate, complete, and kept up to date. Inaccurate data is corrected or deleted without undue delay.
• Storage Limitation: Data is retained for no longer than is necessary for the purposes for which it was collected, consistent with applicable legal and contractual retention requirements.
• Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
• Accountability: TENETWORKS accepts responsibility for compliance with applicable data protection principles and maintains records, policies, and controls sufficient to demonstrate compliance to regulatory authorities upon request.

All client content, data, credentials, and intellectual property remain fully under the client’s ownership. TENET.WORKS does not claim ownership, resell, or independently exploit any client data or systems.

The classification tier of a data asset determines the security controls, access permissions, transfer protocols, and disposal methods applied throughout its lifecycle.

3.1 Collection

• Data is collected only through identified, documented, and lawful channels.
• Collection is limited to data that is adequate, relevant, and necessary for the specified purpose.
• Where consent is the applicable legal basis, collection occurs only following a freely given, specific, informed, and unambiguous consent act.

3.2 Processing and Use

• TENETWORKS provides design expertise, technical guidance, and implementation judgment. We do not have operational authority over client systems or enforce policies.
• Clients are responsible for compliance, governance, and lawful operation of their systems. Security, privacy, and data minimization principles are built in by design.
• Data is not used for purposes beyond those specified at the point of collection without assessment of compatibility and, where required, additional consent.

3.3 Storage

• Data classified as Confidential or Restricted is stored in encrypted environments, with encryption applied both in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
• Access to storage systems containing Confidential or Restricted data is restricted to authorised personnel via multi-factor authentication and role-based permission systems.
• Cloud storage providers are selected based on compliance posture, including SOC 2 Type II certification or equivalent international security certifications.

3.4 Retention and Disposal

• Data is retained for the minimum period necessary to fulfil the purposes for which it was collected, subject to applicable legal, tax, accounting, and contractual retention obligations.
• Upon expiry of applicable retention periods, data is securely disposed of using methods appropriate to its classification tier.
• Anonymisation or de-identification may be applied where continued retention of non-personal statistical information serves a legitimate analytical purpose, provided the anonymisation is irreversible and effective under applicable law.

TENETWORKS may decline or discontinue work where intent, constraints, or downstream use are unclear. This includes sensitive, regulated, or high-risk projects.

• Access to Confidential and Restricted data is governed by documented role-based access control (RBAC) policies, reviewed and updated upon any change in personnel role or engagement status.
• All access to TENETWORKS's operational systems requires authentication. Access to systems containing Personal Data or Client Confidential information requires multi-factor authentication.
• Credentials are managed through enterprise-grade password management systems. Shared credentials are prohibited for systems containing Confidential or Restricted data.
• Access credentials for all systems are revoked within a defined period following termination of a personnel engagement or contractor relationship.
• Remote access to TENETWORKS systems is conducted over secured, encrypted communication channels.
• Logs of access to Confidential and Restricted data systems are maintained and reviewed periodically to identify anomalous access patterns.

Security and privacy are integrated at every stage of design. Data minimization, access control, and auditability measures are implemented by default.

• All vendors with access to Confidential or Restricted data are subject to prior security assessment, including review of applicable certifications (SOC 2, ISO 27001, or equivalent), privacy practices, and contractual data protection commitments.
• Data Processing Agreements (DPAs) are executed with all vendors engaged as Data Processors, incorporating obligations equivalent to those imposed on TENETWORKS under applicable data protection law.
• Vendors are prohibited from using Client or TENETWORKS data for any purpose beyond providing the contracted service, without separate written authorisation.
• TENETWORKS maintains a register of active vendors with access to Confidential or Restricted data, reviewed annually or upon material changes in vendor scope or status.
• Sub-vendor and fourth-party vendor arrangements of key infrastructure providers are reviewed as part of the initial vendor assessment.
• Vendor engagements are subject to termination and data deletion provisions, requiring secure return or deletion of TENETWORKS and Client data upon contract expiry or termination.

6.1 Technical Controls

• Encryption in transit: all data transmitted over public networks is encrypted using TLS 1.2 or higher.
• Encryption at rest: Confidential and Restricted data stored in TENETWORKS's or its vendors' systems is encrypted at rest using AES-256 or equivalent industry-standard algorithms.
• Endpoint security: devices used to access TENETWORKS systems are subject to up-to-date security software, operating system patching, and screen-lock requirements.
• Network security: TENETWORKS employs network-level controls, including firewall configurations and secure DNS, appropriate to a remote-first operational model.

6.2 Organisational Controls

• Personnel with access to Confidential or Restricted data are subject to confidentiality obligations and receive orientation on TENETWORKS's data security requirements as part of onboarding.
• Security practices are reviewed periodically, with updates implemented in response to evolving threat landscapes and applicable guidance from relevant cybersecurity authorities.

6.3 Incident Response

• TENETWORKS maintains an internal incident response procedure for identifying, containing, assessing, and notifying in connection with data security incidents and Personal Data breaches.
• In the event of a confirmed Personal Data breach meeting the reporting threshold under applicable law, TENETWORKS will notify the relevant supervisory authority and, where required, affected Data Subjects within the timeframes mandated by applicable legislation.
• Incident records are maintained for a minimum of three (3) years following resolution.

TENETWORKS utilises AI and automation tools as part of its operational and creative workflows. The following data standards apply:

• Client-provided Personal Data and Confidential Information is not submitted to third-party AI model training pipelines without explicit written Client consent.
• AI tools used by TENETWORKS are subject to vendor assessment, including review of applicable data processing, training data usage, and retention policies.
• Inputs to AI tools are minimised to the data strictly necessary for the intended purpose.
• AI-generated outputs used in Client Deliverables are subject to human review prior to delivery.
• TENETWORKS does not rely solely on automated decision-making for decisions that have a significant legal or similarly significant effect on any individual without providing for human review and appropriate notification.

As a globally distributed remote-first studio, TENETWORKS processes data across multiple jurisdictions. The following framework governs cross-border data flows:

• TENETWORKS's primary operational data processing takes place within the jurisdictions of its registered entities (UAE, UK, India) and through cloud infrastructure providers operating in associated data centre regions.
• Transfers of Personal Data from the EEA or UK to third countries are made pursuant to applicable lawful transfer mechanisms, including Standard Contractual Clauses (SCCs) and adequacy decisions.
• UAE-originating data transfers comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection and applicable implementing regulations.
• Where Client engagements involve data originating from jurisdictions with specific data localisation or transfer restriction requirements, TENETWORKS will identify and agree appropriate data handling arrangements with the Client prior to commencement.
• TENETWORKS does not transfer data to jurisdictions subject to comprehensive international sanctions without independent legal assessment confirming lawful transfer.

TENETWORKS's data governance compliance framework includes the following accountability measures:

• Maintenance of internal records of processing activities, vendor registers, consent logs, and incident records sufficient to demonstrate compliance with applicable data protection legislation upon request.
• Periodic review of data governance policies and procedures, at minimum annually and following any material change in operations, applicable law, or regulatory guidance.
• Data protection impact assessments (DPIAs) are conducted for new processing activities that present a high risk to the rights and freedoms of individuals, in accordance with GDPR Article 35.
• TENETWORKS cooperates with competent data protection supervisory authorities in the exercise of their functions and responds to regulatory enquiries within the timeframes required by applicable law.

For data governance enquiries or to report a potential data protection concern, please contact: privacy@tenet.works