Company: Quil Holdings Ltd
Company Registration Number: 021904V
Effective Date: 1st February 2026
Review Date: 1st February 2027

1. Purpose

The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of information held by Quil Holdings Ltd (“the Company”) and to ensure that information is managed securely and in accordance with legal, regulatory, and contractual obligations.

2. Scope

This policy applies to:

  • All employees, directors, contractors, and third parties acting on behalf of the Company
  • All information assets owned, processed, or managed by the Company
  • All systems, devices, networks, applications, and data used in the course of Company business

3. Information Security Objectives

The Company’s information security objectives are to:

  • Protect personal data in line with UK GDPR and the Data Protection Act 2018
  • Prevent unauthorised access, disclosure, alteration, or destruction of information
  • Maintain the availability and reliability of information systems
  • Reduce information security risks to an acceptable level
  • Ensure staff understand and meet their information security responsibilities

4. Roles and Responsibilities

Management

  • Approve and support the implementation of this policy
  • Ensure appropriate resources are allocated to information security

Employees and Contractors

  • Comply with this policy and related procedures
  • Protect information assets they access or handle
  • Report any suspected or actual security incidents immediately

Information Security Responsibility

Overall responsibility for information security rests with Quil Holdings Ltd management, supported by designated personnel as required.

5. Information Classification

Information shall be classified according to sensitivity and risk, including:

  • Public – Information approved for public release
  • Internal – Information for internal business use only
  • Confidential – Sensitive business or personal information requiring protection

Handling controls must be applied based on the classification level.

6. Access Control

  • Access to information and systems is granted on a least-privilege basis
  • User access is authorised, reviewed, and removed when no longer required
  • Strong passwords and secure authentication methods must be used
  • Access credentials must not be shared

7. Physical and Environmental Security

  • Physical access to offices and equipment is restricted to authorised individuals
  • Devices must be secured when unattended
  • Paper records containing confidential information must be stored securely and disposed of safely

8. System and Network Security

The Company will:

  • Use up-to-date security controls such as firewalls, anti-malware, and encryption where appropriate
  • Apply security updates and patches in a timely manner
  • Protect systems against unauthorised access and cyber threats
  • Monitor systems for security events where appropriate

9. Data Protection and Privacy

  • Personal data is processed in accordance with the Company’s Privacy Policy
  • Appropriate technical and organisational measures are implemented to protect personal data
  • Data is retained only for as long as necessary and disposed of securely

10. Incident Management

  • All actual or suspected information security incidents must be reported promptly
  • Incidents will be investigated and appropriate corrective action taken
  • Where required, data breaches will be reported to the Information Commissioner’s Office (ICO) and affected individuals in accordance with legal obligations

11. Business Continuity and Backup

  • Critical information and systems are backed up regularly
  • Backup data is protected against unauthorised access and loss
  • Business continuity arrangements are in place to minimise disruption

12. Third-Party Security

  • Third parties handling Company information must implement appropriate security controls
  • Information security requirements are addressed in contracts where appropriate
  • Third-party access is limited to what is necessary for business purposes

13. Training and Awareness

  • Employees and contractors are expected to understand this policy
  • Information security awareness is promoted across the Company
  • Additional training may be provided where appropriate

14. Compliance and Monitoring

  • Compliance with this policy is mandatory
  • Breaches of this policy may result in disciplinary action
  • The Company may monitor systems to ensure compliance with this policy and applicable laws

15. Policy Review

This policy will be reviewed at least annually, or sooner if there are significant changes to business operations, technology, or legal requirements.

16. Approval

This Information Security Policy is approved by the management of Quil Holdings Ltd and is effective from the date shown above.