Q: What role do Wealth Wizards perform under your service offering? (e.g., Data Processor; Data Controller; Joint Controller).

Wealth Wizards will be the Data Processor.

Q: In which geographical region will the data processing take place?

UK & EEA

Q: Do Wealth Wizards maintain appropriate organisational and technical measures to protect the confidentiality, integrity and availability of the data being processed?

Yes. Wealth Wizards systems maintain appropriate organisational and technical measures relating to Personal Data through our ISMS and this is monitored and controlled through our ISO27001 & ISO27018 accreditations and our alignment to ISO27701.

We are compliant with the EU Data Protection Directive. To learn more, please read our Data Protection Policy.

• ISO/IEC 27001:2013 Certificate of Registration
• ISO/IEC 27018:2019 Certificate of Registration
• Data Protection Policy
• Data Subject Access Request Process

Q: Do Wealth Wizards have a process in place to detect, investigate and report data incidents and breaches?

Yes. Wealth Wizards have a robust process in place to detect, investigate and inform all relevant parties of a breach within the requirements of all relevant data protection rules & regulations.

We use a combination of the very best AWS security services to achieve this and strictly follow AWS Well-Architected best practices for maintaining our strong security posture.

• AWS Security Services
• AWS Well-Architected - Security Pillar

Q: Can physical deletion of all personal information held on the Wealth Wizards platform be carried out if requested?

All tenant data is held in cloud services hosted on AWS, and we rely on their process for the ultimate destruction of storage devices once they have reached the end of their useful life. In summary:

AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitisation”) to destroy data as part of the decommissioning process. All decommissioned storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

We will delete all tenant data from production and backup environments on termination of our agreement or by request, other than data we are required to retain from a regulatory/legal standpoint e.g. data related to advice cases.

• AWS Compliance & Controls

Q: How do you ensure that you are compliant with all relevant rules and regulations?

We are a regulated business, and maintain a range of controls to ensure we comply with legal, statutory, regulatory and contractual obligations:

• We conform to all the requirements placed upon us by the FCA, Information Commissioner and our certification auditors.
• We maintain registers for all compliance related events in our management system.
• We maintain a registry of all relevant legislation, and its impact on the organisation of operations and security.
• We run an internal audit programme which verifies our adherence to our obligations.
• We have an exception process to respond to any non-conformances.
• We employ third party experts to validate our regulatory and technical approach, and to ensure we are up to date with expert community best practice.