Remote Working and BYOD Policy

Protecting data in a fully remote organisation

Overview

Last updated March 2026. Next review March 2027.

Enterprise Skills Ltd is a fully remote organisation. This policy sets out how we protect personal data and maintain information security when staff and contractors work remotely using personal devices (BYOD: Bring Your Own Device) or company-provided devices.

This policy applies to all employees, contractors, and consultants who access Enterprise Skills systems or handle personal data in the course of their work.

Access Controls

All access to the Skills Hub platform's administrative systems is via SSO-protected accounts with two-factor authentication enforced. There is no direct database access from personal devices.

All data is accessed through the browser-based platform, with full encryption in transit and at rest. Staff access to the following services is controlled via individual SSO accounts with 2FA enabled on each:

  • GitHub (source code)
  • Supabase (database administration)
  • Netlify (hosting)
  • Cloudflare (CDN and WAF)

Access is granted on a least-privilege basis. Staff are given access only to the systems and data required for their role. Access is reviewed when roles change and revoked promptly on offboarding.

Device Requirements

Any device used to access Enterprise Skills administrative systems must meet the following minimum requirements:

  • Full-disk encryption enabled (BitLocker on Windows, FileVault on macOS, or equivalent on other operating systems)
  • An up-to-date operating system with automatic security updates enabled
  • A screen lock configured to activate after no more than 5 minutes of inactivity
  • Antivirus or anti-malware software installed and actively running, where applicable to the operating system

Staff are responsible for ensuring their devices meet these requirements before accessing any Enterprise Skills system. If in doubt, contact the DPO before proceeding.

No Local Data Storage

No customer personal data is downloaded to or stored on personal devices. All data is accessed via the browser-based platform and remains within our cloud infrastructure (Supabase, AWS eu-west-2, London).

Staff do not have the ability to export bulk personal data to local storage. Where data exports are required for legitimate operational purposes, these must be approved in advance, handled securely, and deleted once the purpose is fulfilled.

Network Security

Staff are required to use secure network connections. Public Wi-Fi may be used, as all platform connections are encrypted via TLS 1.2+. However, staff are strongly encouraged to use a VPN on untrusted networks when accessing administrative systems.

Staff must not access administrative systems from networks that are shared with untrusted parties without VPN protection.

Lost or Stolen Devices

Because no customer data is stored locally on staff devices, the loss or theft of a staff device does not in itself constitute a personal data breach under UK GDPR.

However, staff must report any lost or stolen device to the DPO immediately so that:

  • Active SSO sessions can be revoked across all connected services
  • Account passwords can be changed as a precaution
  • A risk assessment can be completed to confirm whether a notifiable breach has occurred

Failure to report a lost device promptly may itself constitute a policy breach.

Password Policy

All staff accounts use SSO with 2FA as the primary authentication method. Where password-based authentication is used as a fallback, the following rules apply:

  • Passwords must be at least 12 characters in length
  • Passwords must not be reused across services
  • Passwords must be stored in an approved password manager; they must not be written down or stored in plain text

Staff are encouraged to use a reputable password manager for all work-related credentials. The use of memorable but weak passwords is not permitted.

Training

All staff receive data protection and information security training annually. Additional training is provided when significant changes are made to the platform, our data handling practices, or relevant legislation.

New staff and contractors are required to complete data protection induction training before being granted access to any system that processes personal data.

Contact

For questions about this policy or to report a security concern, contact our Data Protection Officer.

Data Protection Officer:
dpo@enterpriseskills.co.uk