TNV Global Limited ("TNV Global", "we") handles substantial volumes of confidential client information during the conduct of management system audits — including AI use cases, internal procedures, risk registers, employee data, strategic documents, source code, technical designs, and financial information. This Policy explains how we identify, classify, protect, and manage confidential information in accordance with ISO/IEC 17021-1:2015 Clause 8.4, our UAF accreditation obligations, and applicable data protection laws.
This Policy supplements (and does not replace) any specific Non-Disclosure Agreement (NDA) signed with a client. Where a signed NDA contains terms more protective than this Policy, the NDA prevails. Where the NDA is silent, this Policy applies.
1. Purpose and Scope
This Policy applies to all information obtained or created by TNV Global in the course of its certification activities, including but not limited to:
- Client application data and quotation enquiries
- Audit working papers, evidence, and findings
- Client management system documentation reviewed during audits
- Personal data of client employees and third parties encountered during audits
- AI use case descriptions, model designs, training data references, and technical specifications
- Financial information about the client
- Information about non-conformities, suspensions, and withdrawals (until publicly disclosed in accordance with our Public Information Statement)
- Commercial terms in our contracts with clients
- Information received from third parties about clients (e.g., regulator referrals, complaints)
2. Regulatory and Accreditation Basis
- ISO/IEC 17021-1:2015 Clause 8.4: Requires certification bodies to maintain a legally enforceable commitment to manage confidentiality of all information obtained or created during certification activities.
- UAF Accreditation Rules: Require documented confidentiality management consistent with ISO/IEC 17021-1.
- UK GDPR / EU GDPR / India DPDP Act 2023: Govern personal data; this Policy applies in addition to our Privacy Policy where personal data is involved.
- UK Data Protection Act 2018: Statutory framework for confidentiality of personal data in the UK.
3. Classification of Information
TNV Global classifies information into four levels:
| Classification | Description | Handling Requirement |
|---|---|---|
| Public | Information already in the public domain or designated by TNV Global as publicly available (e.g., this Policy, accredited certificate listings on global-aci.org). | No restrictions |
| Internal Use Only | Information about TNV Global operations not for general distribution but not sensitive (e.g., team rosters, internal newsletters). | Available to TNV Global personnel; not externally disclosed |
| Confidential | All client information obtained or created during certification activities, including audit working papers, evidence, findings, scope details, and commercial terms. | Access limited to engaged personnel; encrypted in transit and at rest; NDA-bound |
| Strictly Confidential | Highly sensitive information including security vulnerabilities discovered during audits, trade secrets, M&A-related information, personal data with elevated sensitivity. | Minimum-necessary access; documented access log; enhanced encryption; additional NDAs where required |
4. Personnel Confidentiality Obligations
4.1 Written Undertakings
Every TNV Global employee, contracted auditor, technical reviewer, certification decision maker, and Impartiality Committee member signs a written confidentiality undertaking before being granted access to client information. The undertaking:
- Is legally enforceable
- Survives the termination of employment or contract
- Defines confidential information, permitted uses, and prohibitions
- Includes return or destruction obligations
- Specifies remedies for breach including injunctive relief and damages
4.2 Use Limitations
Personnel use client confidential information ONLY for:
- The specific certification activity (audit, technical review, certification decision)
- Quality assurance and internal audit of TNV Global's processes
- Cooperation with UAF accreditation oversight
- Legal defence of TNV Global
- Other purposes only with the written consent of the client
Confidential information must NEVER be used for:
- Personal benefit of the individual or related parties
- Commercial benefit of another organisation
- Marketing or promotional purposes without explicit consent
- Discussion with persons outside the engagement (including TNV Global colleagues not on the engagement)
5. Technical and Physical Safeguards
TNV Global implements technical and organisational security measures including:
5.1 Encryption
- Encryption in transit: TLS 1.2+ for all data transmissions including client document uploads and email exchanges where supported
- Encryption at rest: AES-256 or equivalent for stored client documentation
- Encrypted backup storage with rotation and access logging
5.2 Access Control
- Role-based access control (RBAC) — personnel access only client information necessary for their role
- Multi-factor authentication for systems holding client confidential information
- Time-limited access — access is revoked when engagement ends or role changes
- Audit logs of who accessed which client file and when
5.3 Device Security
- Encrypted laptops and devices used for audit work
- Password / biometric authentication on all devices
- Remote wipe capability for lost or stolen devices
- No storage of client information on personal devices without explicit authorisation
5.4 Physical Security
- Locked storage for hard-copy audit documents
- Clean-desk policy at TNV Global offices
- Secure document destruction (shredding) when retention period ends
- Restricted physical access to office premises
6. Sub-Contractor and Outsourced Personnel
Where TNV Global engages sub-contractors (e.g., contracted Lead Auditors, technical experts), the sub-contractor:
- Signs a written agreement including confidentiality obligations equivalent to or stricter than this Policy
- Is subject to the same access controls and security requirements
- Is responsible for ensuring any further sub-engagement is similarly bound (with TNV Global written consent)
- Is monitored for compliance through annual reviews
7. Disclosure of Information
7.1 Information We Do Disclose
Notwithstanding confidentiality obligations, TNV Global may disclose:
- To UAF: For accreditation oversight and witness audits. UAF auditors sign confidentiality undertakings with TNV Global.
- To IAF members: Where required to maintain IAF (GAC) recognition for certificate verification.
- On global-aci.org: Limited public-register information (organisation name, certificate number, scheme, scope, accreditation, validity dates, status). Audit details are NOT published.
- To legal advisors: Where necessary for legal advice, under their professional confidentiality obligations.
- To regulatory authorities: Where required by law, court order, or regulator request (e.g., HMRC, ICO, NCSC).
7.2 Mandatory Notification to Client
Where law or regulation requires us to disclose client confidential information, we will notify the client in advance — unless we are legally prohibited from doing so — to allow the client to seek protective measures. Examples include:
- Court orders requiring document production
- Regulator information requests under formal powers (e.g., FCA, ICO, NCSC)
- Tax authority disclosure requirements
- Subpoenas or similar legal instruments
7.3 Information We Do NOT Disclose
Without prior written consent from the client, we do NOT disclose:
- Specific audit findings or non-conformities (beyond the existence/non-existence of an active certificate)
- Internal procedures, AI use cases, technical designs, or other proprietary content reviewed during audits
- Personal data of client employees or third parties
- Commercial terms of our engagement
- Information about complaints or disputes (subject to limited exceptions)
8. Use of Information by TNV Global Itself
TNV Global may use anonymised or aggregated information from audits for:
- Internal quality assurance and continual improvement
- Training of auditors (with all identifying information removed)
- Trend reports and benchmarking (anonymised and aggregated only)
- Sector intelligence (without identifying individual clients)
We do NOT use specific client information for marketing, competitive intelligence, or commercial purposes outside the audit engagement.
9. Client Confidentiality Toward TNV Global
In return, the client agrees not to disclose TNV Global's proprietary information including:
- Audit methodologies, checklists, and proprietary tools
- Internal audit working papers from TNV Global personnel
- Commercial terms of the engagement
- Information about other TNV Global clients incidentally disclosed
This applies during the engagement and for 5 years after engagement termination.
10. Breach Handling
If a confidentiality breach is suspected or confirmed:
- Personnel must report immediately to admin@tnvglobal.com (subject: "Confidentiality Incident") or the Information Security Lead
- TNV Global initiates an incident investigation within 1 business day
- Affected client(s) are notified without undue delay where the breach is likely to result in a risk to them
- Where personal data is involved, notification to ICO / Data Protection Board of India within 72 hours where required
- Corrective and preventive actions are implemented
- Breach records are retained for 6 years
11. Post-Engagement Obligations
At the end of an engagement (including cancellation, surrender of certificate, transfer to another certification body):
- Confidential information is returned or securely destroyed in accordance with the retention schedule in our Privacy Policy
- Audit records are retained for the period required by ISO/IEC 17021-1 (3 certification cycles, approximately 9 years)
- Personal data is handled in accordance with our Privacy Policy
- All TNV Global personnel confidentiality obligations survive engagement termination indefinitely
12. International Confidentiality
Where confidential information is transferred between TNV Global's UK office and India office, or to UAF in the United States, or to sub-contractors based outside the UK, EU, and India:
- The transfer is governed by appropriate safeguards (UK IDTA, EU SCCs) as set out in our Privacy Policy
- Recipient personnel are bound by confidentiality obligations equivalent to or stricter than this Policy
- Encryption is maintained throughout
13. Annex: Auditor NDA Summary
Every auditor signs a Non-Disclosure Agreement containing (at minimum) the following terms:
- Definition of confidential information
- Permitted purposes and prohibited uses
- Duration: indefinite for trade secrets, minimum 5 years for other confidential information
- Return-or-destroy obligation at engagement end
- Carve-outs: information already known, publicly available, independently developed, or rightfully received from a third party
- Remedies including injunctive relief, damages, and indemnity
- Governing law: England and Wales (or India for India-based personnel, with reciprocal recognition)
Full NDA template is available on request for client review prior to engagement.
14. Contact
Confidentiality questions, incident reports, or NDA requests:
| admin@tnvglobal.com (subject: "Confidentiality Query" or "Confidentiality Incident") | |
| Phone (UK) | +44 7877 901727 |
| Phone (India) | +91 98380 70227 |
| Postal | Information Security Lead, TNV Global Limited, Sabichi House, 5 Wadsworth Road, Perivale, Greenford, UB6 7JD |