Information Security Policy
Last Updated: 15 January 2026
OVERVIEW
Optimum Health Ltd (Trading as ‘Kinhub’) takes the protection of Personal Data seriously and is committed to using the highest levels of security for all users and clients.
Kinhub has in place a number of frameworks and procedures designed to ensure good information and cyber security governance, which are outlined in this Policy.
The purpose of this policy is to:
Ensure the confidentiality, integrity, and availability of partner, client, and staff personal data and sensitive information.
Comply with all relevant UK and European legislation, including the UK GDPR, the Data Protection Act 2018, and the EU AI Act. Kinhub maintains ISO27001 certification and Cyber Essentials accreditation to ensure international standards of information security.
Meet contractual obligations regarding data security and privacy with our enterprise clients.
Minimise risks associated with information security threats and data breaches.
Foster a culture of security awareness, responsibility, and data protection compliance within Kinhub.
Provide a clear and comprehensive framework for managing and protecting client and staff information assets.
Build and maintain the trust of our enterprise clients and their staff by demonstrating our commitment to data security.
DATA GOVERNANCE PRINCIPLES
Kinhub recognises that data is a critical and sensitive resource to our clients and users and is managed as such. Data is held and provided by Kinhub in accordance with the Data Governance Principles shown below, the Data Protection Policy (separate document) and other relevant policies and procedures.
Key Data Governance Principles
Data must be processed lawfully, fairly and transparently.
Personal Data must only be collected and processed for specified, explicit and legitimate purposes.
Personal Data must be adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed.
Personal Data must be accurate and where necessary, kept up to date.
Personal Data must not be kept for longer than is necessary for the purposes for which it is processed.
Personal Data must be processed securely and appropriate measures must be taken to protect against unauthorised or unlawful Processing and against all accidental loss, destruction or damage to the Personal Data.
Both enterprise and user data must be secure by design and kept safe and secured.
All staff are made aware of their role in relation to data use and data protection.
AI-driven guidance is provided using privacy-preserving techniques. User interactions with the AI Coach are processed to provide instant support but are not used to identify individuals in employer-facing reports. We ensure that our AI models are audited for bias and security in line with the EU AI Act.
Key Principles in Records Management
Information and records relating to customers are stored securely (any systems used will have been verified as GDPR compliant) and are only accessible to authorised staff.
Information is stored only for as long as it is needed or required by statute, and is disposed of appropriately, in line with Kinhub’s Data Retention & Disposal Policy.
All systems and processes are designed to minimise data collection and ensure data security by design.
All individuals have the right to access the information Kinhub holds about them. Kinhub takes reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.
All workforce sentiment and engagement data provided to enterprise clients (HR Dashboards) is anonymised and aggregated. No individual user’s private coaching data is shared with their employer in an identifiable format, ensuring a ‘privacy-first’ approach.
AI SECURITY AND ETHICAL GOVERNANCE
Purpose & Scope: This section outlines the controls governing Kinhub’s Work-Life Intelligence™ engine and AI Coach. These measures ensure that AI-driven insights do not compromise individual privacy or introduce algorithmic bias.
Privacy by Design in AI: Our AI models are engineered to provide instant guidance without the need for persistent storage of identifiable sensitive conversational data beyond the immediate session necessity.
Anonymisation & Aggregation: All data surfaced to HR via dashboards is subject to strict aggregation thresholds. No report shall be generated that allows for the “de-anonymisation” of an individual employee.
Non-Discriminatory AI: Kinhub conducts regular reviews of its AI-driven guidance to identify and mitigate potential biases, ensuring that the “Sense & Prioritise” and “Recommend & Coach” pillars operate fairly.
Compliance with the EU AI Act: Kinhub classifies and manages its AI systems in accordance with the EU AI Act. This includes maintaining transparency about when a user is interacting with an AI (the AI Coach).
Data Integrity for Training: Any data used to fine-tune Kinhub’s “Hybrid-Intelligence” model is stripped of personally identifiable information (PII). Raw, identifiable client data is never used to train models in a way that could lead to leakage between different enterprise clients.
Human-in-the-Loop: The “Sense & Prioritise” pillar acts as a routing mechanism. For high-risk or sensitive “early warning signs,” the system facilitates a transition to human expert coaches.
ACCESS CONTROL AND PASSWORDS
Employees and contractors at Kinhub must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Access to client and staff data is strictly controlled and granted based on the principle of least privilege and a demonstrable business need.
Passwords are a key part of Kinhub’s IT strategy to ensure only authorised individuals can access those resources and data. All staff who have access to any of those resources are required to choose strong passwords and protect their login information from unauthorised people, in accordance with the company’s password policy.
Principles applied within the Password Policy are summarised below:
Robust authentication methods, including multi-factor authentication where appropriate, are implemented to access systems containing client and staff data.
Role-based access controls are used to ensure users only have access to the data necessary for their specific job responsibilities.
Access rights are reviewed at least quarterly and updated promptly when job roles change or individuals leave the organisation.
A transparent process for requesting, approving, granting, modifying, and revoking access to client and staff data is documented and strictly adhered to.
Audit trails of access to client and staff data are maintained and regularly reviewed for suspicious activity.
ALL STAFF TECHNOLOGY USE AND CONFIDENTIALITY
Kinhub understands the importance of governing the use of its technology in relation to its data protection requirements, specifically in complying with the GDPR legislation. All staff are required to read and sign Kinhub’s All Staff Technology Use and Confidentiality Policy.
In summary, use of Kinhub systems that process client and staff data is restricted to legitimate business purposes directly related to serving our enterprise clients. The following activities are strictly prohibited:
Unauthorised access, viewing, modification, or disclosure of client and staff data.
Using client and staff data for personal gain or any purpose other than the agreed-upon contractual obligations.
Downloading, copying, or distributing client and staff data to unauthorised locations or individuals.
Attempting to circumvent security controls protecting client and staff data.
Introducing malicious software (malware) into systems handling client and staff data.
Sharing access credentials to systems containing client and staff data.
CYBER SECURITY AND THIRD-PARTY SUPPORT
Kinhub recognises that third-party vendors and partners may process client and staff data on our behalf; as such, a framework is in place to ensure adequate checks are made against such third parties and arrangements.
Rigorous due diligence is conducted to assess the security posture and data protection practices of third-party vendors before granting them access to client and staff data.
Contracts with third-party data processors include specific data processing agreements (DPAs) that outline their responsibilities, security obligations, and compliance with the UK GDPR.
Third-party access to Kinhub’s systems and client/staff data is strictly controlled, monitored, and regularly reviewed.
INCIDENT MANAGEMENT
Kinhub supports an environment of transparency and constant improvement in relation to its IT systems and processes.
All suspected data breaches or security incidents must be reported immediately to the designated Security Team and Data Protection Officer (DPO).
Incident response procedures are documented, regularly tested, and include steps for containment, eradication, recovery, and notification (where legally required).
Kinhub complies with all legal requirements regarding the notification of data breaches to the Information Commissioner’s Office (ICO) and affected individuals.
Lessons learned from security incidents and data breaches are used to improve security controls and processes.
Kinhub maintains comprehensive Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).
BCPs outline procedures for maintaining essential business functions that involve processing client and staff data during disruptions.
DRPs detail the procedures for restoring IT systems and recovering client and staff data after a disaster, including defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
BCP and DRP plans are regularly tested and updated, including simulations relevant to data recovery.
ROLES AND RESPONSIBILITIES
Management:
Bears ultimate responsibility for approving and supporting the implementation and enforcement of this policy. They ensure that adequate resources (financial, human, and technological) are allocated.
Promotes a strong culture of security awareness, data protection compliance, and ethical data handling throughout the organisation.
Users have the right to opt in to specific workforce insight features. Personal privacy is maintained even when participating in platform activities, with clear distinctions between private coaching and anonymised reporting.
Data Protection Officer (DPO):
Is responsible for overseeing Kinhub’s data protection strategy and its implementation.
Monitors compliance with data protection laws and this policy.
Provides advice and guidance on data protection matters.
Acts as the point of contact for the Information Commissioner’s Office (ICO) and data subjects.
Is responsible for conducting and documenting AI Impact Assessments (AIIA) to ensure algorithmic transparency and compliance with the EU AI Act.
Acts as the final arbiter on the ethical use of workforce data, ensuring that “Sense & Prioritise” features do not cross into unauthorised employee monitoring.
Information Owners and Data Processors:
Are responsible for classifying client and staff data under their control.
Are responsible for defining access requirements and ensuring access controls are implemented for client and staff data.
Are accountable for the security and appropriate handling of client and staff data.
Must ensure data is processed in accordance with this policy and relevant legal requirements.
All Users:
Are responsible for reading, understanding, and strictly adhering to this policy.
Are responsible for protecting their passwords and access credentials and using them appropriately.
Must complete mandatory data protection and security awareness training.
Security Team:
Is responsible for developing, implementing, and maintaining this policy and related security procedures.
Is responsible for investigating and responding to security incidents and potential data breaches.
Is responsible for conducting regular security assessments, vulnerability scans, and penetration testing.
Is responsible for verifying that the “Work-Life Intelligence™” engine maintains strict data silos, preventing “data leakage” where one client’s data could inadvertently influence the AI’s response to another client.
Conducts periodic reviews of AI routing logic to ensure that “urgency cues” are being handled securely and routed to expert coaches without data exposure.
Product & Engineering Teams:
Transparency by Design: Responsible for ensuring that the user interface clearly identifies when a user is interacting with the AI Coach versus a human expert.
Anonymisation Verification: Ensures that all HR-facing dashboards meet the “minimum group size” threshold (e.g., not showing data for groups smaller than 5-10 people) to prevent accidental identification of individuals.
REMOTE ACCESS
All of Kinhub’s information security and data privacy frameworks (including its Cyber Essentials accreditation) have been designed for a hybrid/remote-first working arrangement.
Staff are permitted to access the Organisation’s Cloud-hosted infrastructure from any secure location with required authorisation.
Staff must not connect from public computers unless the access is for viewing publicly available information.
Kinhub’s All Staff Tech Use And Confidentiality Policy contains further information on remote working requirements.
ENFORCEMENT
Failure to comply with this policy and related data protection policies and procedures may result in disciplinary action, up to and including termination of employment or contracts, and potential legal consequences.
POLICY REVIEW AND UPDATES
This policy is reviewed and updated at least annually, or as needed to reflect changes in business operations, legal requirements, the threat landscape, or client contractual obligations. The Security Team and DPO are jointly responsible for initiating and managing the review process.
CONTACT INFORMATION
For any questions or concerns regarding this policy or data protection matters, please contact the Data Protection Officer at dataprivacy@kinhub.com or the Security Team at support@kinhub.com.