Security
A controlled, documented approach to access and data handling
Client information should only be accessed when required for an authorised task. Here is how we approach access control, confidentiality and escalation.
Depending on the engagement and client requirements, controls can include the measures below. Not every control applies to every engagement — the specific configuration is agreed during scoping.
- Individual user accounts
- Restricted and least-privilege access
- Multi-factor authentication where supported
- Company-managed work devices
- Updated operating systems
- Approved software only
- Automatic screen locking
- Password-manager usage
- No shared passwords
- No personal USB storage
- No transfer of customer information through personal messaging accounts
- Confidentiality agreements
- Access logs where supported
- Documented onboarding and offboarding
- Prompt access revocation
- Supervisor review
- Security incident escalation
- Retention and deletion procedures
- Client-defined access windows
- Approved communication channels
Access control
Team members are granted individual accounts scoped to the specific task they are assigned. Access follows a least-privilege approach: associates receive only the permissions required for their documented responsibilities, and broader access is not requested by default.
Employee confidentiality
Team members working on client engagements sign confidentiality agreements before receiving any access to client systems or information.
Device and account management
Depending on the engagement, work can be performed on company-managed devices with updated operating systems, approved software, automatic screen locking and password-manager usage. Personal USB storage and unapproved software are not permitted on engagement work.
Data minimisation
We request access to the specific records, fields or systems required for the assigned task rather than broad or standing access to entire databases. Where practical, we work inside client-controlled accounts rather than receiving data exports.
Incident escalation
Team members are trained to escalate anything unusual — a suspected security issue, an access error or an unclear instruction — to a supervisor immediately rather than attempting to resolve it independently.
Client ownership and control
Client systems, accounts and data remain under client ownership and control at all times. iClick Solutions operates within the access and permissions the client defines, and access can be adjusted or removed by the client at any time.
Vendor and subcontractor restrictions
Engagement work is performed by trained iClick team members. Any use of subcontractors on a specific engagement is disclosed and agreed with the client in advance.
Business continuity
Engagements are structured with a trained backup team member so that planned or unplanned absences do not interrupt agreed service levels.
Secure offboarding
When an engagement, task or individual assignment ends, access to client systems, accounts and communication channels is removed promptly as part of a documented offboarding process.
Specific security controls, regulatory requirements and technical configurations are confirmed during the scope and contracting process. iClick Solutions Inc. does not currently hold SOC 2, ISO 27001, HIPAA, PCI DSS or GDPR certifications, and we do not claim guaranteed prevention of security incidents. Where certification becomes relevant to a specific engagement, requirements are addressed contractually.
Discuss access requirements for your process
Tell us which systems and data are involved so we can propose an access model that fits your policies before any pilot begins.