Security & Confidentiality

Last revised: October 2024

Our Commitment

At JHC Consulting, the protection of client information is not a compliance exercise. It is the foundation on which all advisory work depends. Leadership teams share sensitive information with us because they trust it will remain protected. We treat that trust as the central condition of effective advisory work.

This page describes the security measures, confidentiality practices, and data protection commitments that underpin our advisory relationships. These commitments apply to all client engagements and extend to prospective clients during the inquiry and evaluation process.

Information Security Measures

We implement comprehensive technical, administrative, and physical security measures to protect information entrusted to us:

Technical Safeguards

  • Encryption in transit: All data transmitted to and from our systems is protected using TLS 1.3 encryption. Email communications involving sensitive information are encrypted using end-to-end encryption where supported by the recipient.
  • Encryption at rest: Client documents and working files are stored using AES-256 encryption on systems with full-disk encryption enabled.
  • Access controls: Multi-factor authentication is required for all systems containing client information. Access is restricted on a need-to-know basis and reviewed regularly.
  • Network security: Our systems are protected by enterprise-grade firewalls, intrusion detection systems, and regular vulnerability scanning.
  • Endpoint protection: All devices used for client work are equipped with endpoint protection software, automatic security updates, and remote wipe capabilities.

Administrative Safeguards

  • Information access policies: Clear policies govern who may access client information, under what circumstances, and for what purposes.
  • Personnel security: All personnel with access to client information undergo background verification and sign confidentiality agreements.
  • Security training: Regular training ensures that all team members understand their obligations regarding information security and data protection.
  • Incident response: Documented procedures govern the detection, reporting, and resolution of security incidents.
  • Vendor management: Third-party service providers are selected based on their security practices and are bound by contractual security requirements.

Physical Safeguards

  • Secure facilities: Physical access to our offices is controlled through key card systems and visitor management procedures.
  • Clean desk policy: Sensitive documents are secured when not in active use and disposed of through secure shredding.
  • Secure disposal: Electronic storage media are securely wiped or physically destroyed before disposal, in accordance with recognized standards.

Confidentiality Practices

Confidentiality is central to our advisory work. The most important conversations happen because clients trust that what they share will remain protected.

Client Information Handling

  • Strict compartmentalization: Client information is never shared between engagements or discussed with personnel not involved in the specific engagement.
  • Need-to-know access: Access to client information is limited to those directly working on the engagement and only for the period required.
  • No cross-referencing: We do not use information from one client engagement to inform work for another client, even where such information might be relevant.
  • Discreet handling: Client names and engagement details are not disclosed externally without explicit client permission.

Engagement Boundaries

  • Conflict management: We evaluate potential conflicts of interest before accepting new engagements and decline work where appropriate information barriers cannot be maintained.
  • Scope boundaries: Information received for one purpose is not used for unrelated purposes without client authorization.
  • Departure procedures: When team members leave the firm or transition between engagements, clear procedures ensure that access to client information is appropriately terminated.

External Communications

  • No unauthorized disclosure: Client identities, engagement details, and work product are not disclosed to media, industry bodies, or other third parties without explicit client permission.
  • Case studies and references: Where clients agree to serve as references or to be mentioned in case studies, we obtain written consent for each specific use.
  • Professional discussions: General discussions of methodologies or approaches never reveal client-specific information that could identify an organization or its situation.

Data Retention and Disposal

We retain client information only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and professional obligations, and to protect our legitimate interests.

  • Active engagement materials: Working files and documents are maintained during the engagement and for the period necessary to support any follow-up questions or related work.
  • Post-engagement retention: Following the conclusion of an engagement, most working materials are securely disposed of within 90 days unless the client requests otherwise or continued retention is required by law.
  • Engagement records: Basic engagement records (scope, dates, fees) are retained in accordance with applicable legal and regulatory requirements, typically 7-10 years.
  • Secure disposal: When information is no longer needed, it is securely deleted using methods that prevent recovery. Physical documents are cross-cut shredded.

Third-Party Services

We carefully select and manage third-party service providers to ensure they meet our security and confidentiality standards:

  • Due diligence: We evaluate the security practices of potential service providers before engagement.
  • Contractual protections: Third-party service providers are bound by contractual confidentiality obligations and data protection requirements.
  • Limited data sharing: We share only the minimum information necessary with third parties and avoid sharing client-identifiable information where possible.
  • Ongoing monitoring: We regularly review the security practices of key service providers and require notification of security incidents.

Incident Response

Despite our security measures, no system is entirely immune to security incidents. In the event of a security incident affecting client information:

  • Prompt detection: We maintain monitoring and logging to detect potential security incidents.
  • Immediate response: Our incident response procedures are activated immediately upon detection of a potential incident.
  • Client notification: Affected clients are notified promptly of any security incident that may have compromised their information, in accordance with applicable legal requirements.
  • Regulatory notification: Where required by law, we notify relevant regulatory authorities of security incidents within applicable timeframes.
  • Post-incident review: Following any significant incident, we conduct a thorough review and implement appropriate improvements to prevent recurrence.

Compliance and Standards

Our security and confidentiality practices are designed to comply with applicable laws and regulations and align with recognized industry standards:

  • GDPR compliance: We comply with the General Data Protection Regulation for processing personal data of individuals in the European Economic Area.
  • Industry standards: Our security practices are informed by recognized frameworks, including ISO/IEC 27001 and the NIST Cybersecurity Framework.
  • Professional obligations: We adhere to applicable professional standards regarding client confidentiality and information handling.

Client Responsibilities

Effective information security requires cooperation between JHC and our clients. We ask clients to:

  • Identify any particularly sensitive information and any specific handling requirements before sharing it with us
  • Use secure methods to transmit sensitive information (we can provide secure file transfer options)
  • Promptly notify us of any changes in authorized contacts or access requirements
  • Implement appropriate security measures on their own systems when receiving information from us

Questions and Concerns

If you have questions about our security and confidentiality practices, or if you wish to report a security concern, please contact us:

JHC Consulting
347 Fifth Avenue
New York, NY 10016
United States
Email: business@jhcconsulting.net
