Intuitive Support Services Limited is not regulated by the Financial Conduct Authority (FCA). However, we directly support firms who are.
Responsibility for outsourced business activities, including compliance with FCA rules, always remains with you, the regulated financial advice firm. For that reason, we place strong emphasis on data protection, information security, and transparency around how client data is handled.
GDPR Responsibilities
Under UK GDPR, when you outsource administrative services:
• You (the financial advice firm) are the Data Controller
• We (Intuitive) act as your Data Processor
Data Controllers are required to ensure they only work with third parties that can demonstrate GDPR compliance. As part of this process, you should carry out due diligence on us — and we fully support this.
Our Due Diligence document provides detailed information on our systems, controls and procedures and is available on request.
Where Client Data Is Held
We only access and use client data with your permission and solely for the duration of our engagement.
Access may be granted by you through a variety of systems, including:
• Back-office systems
• Cloud-based storage
• Third-party investment platforms & research software
• Product provider online portals
• Email accounts hosted on your domain
• Your own servers or hosted desktops
You retain full ownership of the data at all times and control access rights across all third-party systems.
You are also responsible for:
• Assessing the security and compliance of the platforms you use
• Informing data subjects if data is transferred outside the EEA
• Obtaining consent where required
During the course of business, data may:
• Be received into an Intuitive email account
• Be temporarily downloaded to our secure hosted environment
All data:
• Is stored within the UK
• Is fully segregated by firm
• Is subject to strict role-based access controls
If you disengage from our service, all data owned by you will be returned and securely deleted from our systems within 14 days.
Data Sharing
• We do not share your client data with any third parties, unless instructed by you as part of delivering our service
• We do not share data about your firm with any third parties
Secure Transmission of Data
When sending confidential information from our own email accounts, we can use Mimecast Secure Messaging, providing a secure email channel.
However, responsibility for secure data transmission ultimately rests with the financial advice firm. This includes:
• Providing encrypted email solutions, or
• Using secure portals for data exchange
Where we use an email account owned by your firm, you retain responsibility for the security, encryption and maintenance of that account.
If you do not currently have appropriate secure transmission technology in place, we can discuss alternative procedures, such as password-protected PDF documents.
Systems & IT Security
We operate within secure hosted desktops, which provide:
• Email and software hosting
• Secure data storage and backups
Our IT infrastructure is provided by Key Computers and protected by:
• Multi-Factor Authentication (MFA)
• Role-based access permissions
• Regular security monitoring
Only staff who require access to data to perform their role are permitted to do so.
Full technical details are available in our Due Diligence document.
Software & Tools
Our team may use:
• ILovePDF (PDF tools)
• 4Admin (LOA data analysis)
You may opt out of these tools or request that we use your own systems instead. We are also happy to learn and work within any platforms you require.
Cyber Security Controls
Our security framework includes:
• Enterprise-grade antivirus (Webroot) with ransomware protection
• Regular Microsoft security updates across all servers
• Enterprise firewalls with geo-filtering, IDS/IPS, application control and content filtering
• Huntress MDR for advanced endpoint threat detection
• ITDR (Identity Threat Detection & Response) to protect against phishing and unauthorised access
Internal Policies & Staff Controls
We operate under strict internal policies, including:
• Data Protection and Security Policy
• Computer Systems and Internet Policy
• Company Standards and Rules Policy
• Telephone Usage Policy
These cover areas such as:
• Caller and email authentication
• Email encryption
• Secure desk practices
• Password and user ID controls
• Confidential waste destruction
• Device and printer security
Staff are asked to confirm their understanding of, and compliance with, these policies on an annual basis.
Staff Training
All staff complete annual training and testing in:
• Anti-Money Laundering & Financial Crime
• Data Protection
• Cyber Security
• Vulnerable Clients
• Health & Safety
Operational Controls & Business Continuity
We maintain documented operational procedures and best-practice guidelines. When supporting your firm, we will follow your procedures wherever possible, while ensuring appropriate audit trails are always maintained.
We also have a robust Business Continuity Plan, reviewed and updated regularly.
Registrations, Certifications & Confidentiality
• Intuitive Support Services Limited is registered with the Information Commissioner’s Office (ICO)
• The Intuitive team is Cyber Essentials PLUS certified
• Confidentiality obligations form part of both our Service Agreement and Contracts of Employment
• We are also happy to sign your own NDA if required.
