Data Protection & Cybersecurity Statement
At Treasure Well, we recognize the critical importance of data security, privacy, and regulatory compliance in all aspects of our operations. We are committed to maintaining the highest standards of data protection, cybersecurity, and client confidentiality in compliance with international and jurisdictional regulations.
This Data Protection & Cybersecurity Statement outlines our governance framework, security protocols, and regulatory obligations to ensure that client information, corporate data, and sensitive communications remain protected against unauthorized access, data breaches, and cyber threats.
Treasure Well strictly adheres to international data protection laws and ensures that all employees, consultants, and third-party service providers comply with our information security and confidentiality policies.
Regulatory Compliance & Data Protection Standards
Adherence to International Data Privacy Laws
Treasure Well complies with all applicable data protection and privacy regulations, including but not limited to:
UK General Data Protection Regulation (UK GDPR)
European Union General Data Protection Regulation (EU GDPR)
Data Protection Act 2018 (UK)
California Consumer Privacy Act (CCPA) (where applicable)
Financial Services Data Security Standards & FCA Guidelines
OECD Guidelines on Privacy and Cross-Border Data Transfers
All client and corporate data is handled in accordance with these legally binding frameworks, ensuring compliance with privacy, security, and financial data management standards.
Data Collection, Processing & Storage
Transparency & Lawfulness: Treasure Well collects, processes, and stores client data solely for legitimate business, regulatory, and compliance purposes.
Purpose Limitation: Personal and corporate data is collected strictly for specified and lawful purposes and will not be processed in a manner that is incompatible with those purposes.
Data Minimization: Only the minimum necessary amount of personal or business information is collected and stored, ensuring compliance with data proportionality requirements.
Legal Basis for Data Processing
Treasure Well processes data under the following lawful bases, as permitted by GDPR and other data privacy frameworks:
Contractual Necessity: Processing required for the provision of agreed-upon services.
Legal & Regulatory Compliance: Processing necessary for compliance with financial, regulatory, and tax obligations.
Legitimate Interests: Processing required to enhance service delivery, cybersecurity, and fraud prevention.
Client Consent: Where necessary, explicit client consent is obtained for data processing activities.
Third-Party Data Sharing & Cross-Border Transfers
Treasure Well does not share client data with unauthorized third parties or external entities without explicit consent or legal obligation.
Where data transfers occur between jurisdictions, such transfers comply with:
✔ Standard Contractual Clauses (SCCs) under GDPR
✔ UK & EU Data Adequacy Decisions
✔ Binding Corporate Rules (BCRs) for international compliance
Any data transfer agreements are subject to rigorous due diligence and security assessments to ensure compliance with financial and regulatory obligations.
Cybersecurity & Information Protection
Advanced Security Measures
Treasure Well implements robust cybersecurity frameworks to protect against data breaches, cyber threats, and unauthorized access.
End-to-End Encryption – All sensitive data and communications are encrypted using industry-leading cryptographic protocols (AES-256, TLS 1.3).
Multi-Factor Authentication (MFA) – Secure access controls enforced for employees, partners, and authorized third parties.
Zero-Trust Security Model – Continuous authentication and strict access management protocols.
24/7 Intrusion Detection & Cyber Threat Monitoring – Advanced Security Information and Event Management (SIEM) technologies deployed.
Incident Response & Data Breach Mitigation
Treasure Well maintains a comprehensive Incident Response Plan (IRP) to mitigate risks associated with cyber threats, fraud, and data breaches.
Real-Time Threat Monitoring: Continuous surveillance to detect unauthorized access, malware, or cyberattacks.
Immediate Breach Containment & Risk Mitigation: Rapid-response protocols executed upon detecting cybersecurity vulnerabilities.
Regulatory Compliance & Notification: In the event of a confirmed data breach affecting client information, Treasure Well follows mandatory regulatory reporting procedures as outlined by GDPR and global privacy frameworks.
Clients and relevant authorities will be notified within the legally prescribed timeframe if a data breach occurs that poses a risk to personal data security.
Employee Training & Cybersecurity Awareness
All employees and consultants undergo mandatory cybersecurity training to mitigate phishing, social engineering, and insider threat risks.
Strict access control mechanisms and device management policies are enforced to protect corporate and client-sensitive data.
Employees must report any suspicious activity, unauthorized data access, or attempted security breaches to the Information Security & Compliance Team.
Data Subject Rights & Client Protections
Data Access, Rectification & Erasure Rights
Under GDPR and applicable privacy laws, clients have the right to:
Request access to their personal and financial data held by Treasure Well.
Request corrections to any inaccurate or incomplete personal data.
Request data deletion where permissible under law (e.g., when data is no longer needed for regulatory or contractual purposes).
Restrict or object to specific types of data processing.
Request a data portability transfer in a structured, machine-readable format (where applicable).
All data access or modification requests should be submitted in writing to the Data Protection Officer (DPO) for verification and processing.
Data Subject Requests: dpo@treasurewelllaaw.co.uk
Right to Lodge a Complaint
Clients who believe that their data privacy rights have been violated may submit a formal complaint to:
Treasure Well Data Protection Office (internal review).
Relevant Data Protection Authority (DPA) under applicable jurisdictional law.
Treasure Well fully cooperates with data protection regulators and will provide all legally required documentation upon request.
Enforcement & Legal Recourse
Internal Compliance & Auditing
Regular internal audits and security assessments are conducted to ensure full compliance with data protection laws.
Non-compliance with this Data Protection & Cybersecurity Statement may result in:
✔ Internal disciplinary actions, including termination of employment or contractual agreements.
✔ Regulatory reporting obligations to relevant Data Protection Authorities (DPAs).
✔ Civil and/or criminal legal proceedings under applicable laws.
Legal Disclaimer
This Data Protection & Cybersecurity Statement serves as a binding policy governing Treasure Well’s data handling, cybersecurity, and compliance obligations.
Treasure Well reserves the right to revise, update, or supplement this Statement in response to regulatory developments or industry best practices.
Treasure Well does not act as a legal representative in matters concerning data protection disputes, and clients are advised to seek independent legal counsel for formal privacy-related litigation matters.
For legal inquiries, contact: legal@treasurewelllaw.co.uk
12 John Princes Street
London
W1G 0JR
Treasure Well Law Associates © 2025.


LONDON: london@treasurewelllaw.co.uk
DUBLIN: 51 Bracken Road, Dublin, D18 CV48; dublin@treasurewelllaw.co.uk