DATA HANDLING POLICY
Effective Date: January 1, 2026 | Last Updated: March 2026
As a cybersecurity consultancy, The Emporium Agency is held to a higher standard in how we handle data — and we hold ourselves to it. This policy details the technical and operational practices governing all client data across our three service pillars: cybersecurity consulting, social media management, and digital brand protection.
1. Scope
This Data Handling Policy applies to all personal and business information processed by The Emporium Agency LLC in the course of:
- Website inquiries and contact form submissions at TheEmporiumAgency.com
- Cybersecurity consulting engagements, including risk assessments and incident response planning
- Social media management and automation services, including access to client social accounts and analytics
- Digital brand protection services, including IP monitoring and executive privacy engagements
This policy supplements and should be read alongside our Privacy Policy and Terms of Service.
2. Data Classification
We classify all client data into one of four tiers, each carrying corresponding handling requirements:
| Classification | Description | Examples |
|---|---|---|
| Public | Information already publicly available | Public social media content, published business information |
| Internal | Business operational data not intended for public disclosure | Engagement summaries, project status records |
| Confidential | Sensitive business and personal information | Security assessments, vulnerability findings, social credentials, brand monitoring reports |
| Restricted | Highest sensitivity — limited access, encrypted at rest and in transit | Executive personal data, incident response details, authentication credentials |
3. Data Handling by Service Area
Cybersecurity Consulting
Security engagements involve access to highly sensitive information. We apply the following controls:
- All security assessment findings are classified as Confidential or Restricted by default
- Vulnerability data, system architecture details, and infrastructure information are never stored beyond the active engagement period without explicit client authorization
- Security reports are delivered via encrypted channels and are not retained on TEA systems after delivery and client confirmation of receipt
- Access to client systems during assessment work is documented, time-limited, and requires written authorization
Social Media Management & Automation
Social media engagements require access to client account credentials and audience data. We manage this as follows:
- Social platform credentials are stored using credential management tools with encryption at rest — never in plain text
- Access is granted on a need-to-operate basis and revoked immediately upon engagement conclusion
- Audience data and analytics processed during engagements are used exclusively for client benefit and are not aggregated, analyzed, or retained for TEA's own purposes
- Content drafts and creative materials are treated as Confidential until published and approved by the client
Digital Brand Protection
Brand monitoring and executive privacy engagements involve collection of publicly available data and may include personal information:
- Monitoring data is collected only through lawful means — no unauthorized access or scraping of private systems
- Executive personal information gathered for privacy assessments is classified as Restricted and handled accordingly
- Brand monitoring reports contain only information relevant to the client's engagement scope
- Crisis management communications are treated as Restricted and are retained only for the duration necessary to resolve the incident
4. Technical Security Controls
As a cybersecurity consultancy, we apply the same controls we recommend to our clients. The following represents our baseline internal security posture.
- Encryption in transit: All data transmitted to and from TEA systems uses TLS 1.3 or higher
- Encryption at rest: Confidential and Restricted data is encrypted at rest using AES-256 or equivalent
- Access control: Role-based access control (RBAC) with least-privilege principles applied to all internal systems
- Multi-factor authentication: Required for all systems storing Confidential or Restricted client data
- Audit logging: Access to client data environments is logged and retained for security review
- Secure deletion: Data is securely deleted or returned to clients upon engagement conclusion per agreed terms
5. Third-Party Sub-Processors
TEA may use third-party tools or sub-processors to deliver services. Any sub-processor with access to client data must meet the following requirements:
- Completion of TEA's vendor security assessment prior to onboarding
- Execution of a Data Processing Agreement (DPA) establishing confidentiality and security obligations
- Demonstration of equivalent or greater security controls to TEA's own standards
- Ongoing compliance monitoring throughout the vendor relationship
Clients may request a list of active sub-processors relevant to their engagement at any time by contacting us at the address below.
6. Data Retention and Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Website inquiry data | 24 months (or until client relationship established) | Secure deletion |
| Engagement records and deliverables | 7 years from engagement conclusion | Secure deletion or return to client |
| Security assessment findings | Duration of engagement only | Secure deletion upon delivery |
| Social media credentials | Active engagement period only | Immediate revocation and secure deletion |
| Brand monitoring reports | Duration of active monitoring engagement | Secure deletion or export to client |
| Crisis management records | Resolution + 90 days | Secure deletion |
7. Incident Response
In the event of a data security incident affecting client information, TEA will:
- Notify affected clients within 72 hours of becoming aware of the incident
- Provide clear information about the nature, scope, and potential impact of the incident
- Take immediate steps to contain and remediate the incident
- Provide a written incident report within 14 days of resolution
- Cooperate fully with any required regulatory notifications
8. Contact
Data handling inquiries, requests, or concerns: