Privacy & Confidentiality

Discretion is the foundation of our practice.

This notice sets out how The Office of Corporate Diplomacy & Strategic Services collects, holds and protects information entrusted to us, and the standards we apply to client confidentiality. It is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018, and to reflect the heightened obligations of advisory work in regulated and sensitive sectors.

Controller
The Office of Corporate Diplomacy & Strategic Services
Jurisdiction
United Kingdom (UK GDPR & DPA 2018)
Contact
office@corporatediplomacy.co
Version
1.0 · Effective 28 June 2026

1. Our position on confidentiality

We act for principals operating in defence, security, regulated finance and adjacent sectors where exposure carries operational, commercial and personal consequence. Confidentiality is therefore not a compliance overlay — it is the precondition for the work itself.

As a matter of firm policy, we do not name clients, disclose mandates, or reference matters publicly. Engagement lists, reference logos and case studies are not published on this website or in any marketing collateral. We will not confirm or deny a relationship with any party without that party's prior written authorisation.

This position is binding on every partner, employee, contractor and adviser of the firm, and survives the termination of any engagement.

2. Information we collect

We collect only the information necessary to assess, accept and deliver an engagement, or to meet our legal and professional obligations. In practice this falls into four categories:

Enquiry data

When you submit the briefing form on this site, contact us by email, or are introduced through counsel, we record the name, organisation, contact details and outline of the matter you provide. We do not request sensitive details at the enquiry stage and ask that none be sent before a non-disclosure agreement is in place.

Engagement data

Once a mandate is accepted under written terms, we hold the records required to deliver it — correspondence, working papers, meeting notes, draft and final deliverables, and any documents shared by the client or its counterparties.

Compliance data

We carry out client due diligence in line with UK anti-money-laundering, sanctions and counter-terrorism financing requirements. This includes identity verification of principals, beneficial-ownership checks and screening against published sanctions lists.

Website data

This website uses only the cookies and analytics strictly necessary to serve pages and detect abuse. We do not deploy advertising trackers, behavioural profiling tools, or third-party social pixels.

3. Lawful bases under UK GDPR

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Contract — to perform the engagement letter or to take steps at your request before entering one.
  • Legal obligation — to meet anti-money-laundering, sanctions, tax, and records-retention requirements.
  • Legitimate interests — to operate, secure and improve the firm, where those interests are not overridden by your rights. A legitimate-interests assessment is held on file and available on request.
  • Consent — where you have given it for a specific purpose, such as an opt-in briefing distribution. Consent can be withdrawn at any time.

We do not knowingly process special-category data under Article 9 except where it is incidental to a matter and necessary for the establishment, exercise or defence of legal claims, or with the data subject's explicit consent.

4. Non-disclosure handling

All initial correspondence with the firm is treated as confidential from the moment it is received, whether or not a non-disclosure agreement has yet been signed.

  1. Receipt. Enquiries are reviewed in the first instance by a partner. They are not circulated internally beyond a strict need-to-know basis.
  2. NDA. Where substantive discussion is warranted, a mutual non-disclosure agreement is executed before any sensitive material is exchanged. Where instructing counsel is involved, we will sign onto their preferred form.
  3. Engagement letter. Confidentiality, scope, conflicts, data handling and termination provisions are addressed in the engagement letter that governs every mandate.
  4. Conflicts. We operate a written conflicts protocol. Where a potential or actual conflict arises, we will decline or withdraw from the mandate. We do not maintain "Chinese walls" as a substitute for declining a conflicted instruction.
  5. Onward disclosure. Information shared with us is not disclosed to third parties — including counterparties, host-government interlocutors and sub-advisers — without the client's prior written authorisation, except where compelled by law or court order.

5. Security and encryption standards

We apply controls proportionate to the sensitivity of advisory work in regulated and security-adjacent sectors. As a baseline, the firm operates to the following standards:

  • Encryption in transit. TLS 1.2 or higher for all web traffic, email transport (enforced via MTA-STS where supported), and client portals.
  • Encryption at rest. AES-256 encryption applied to all client data held on firm devices, file stores and backups, with keys managed in a hardened key-management service.
  • Endpoint security. Full-disk encryption, mandatory device passcodes, automatic locking, managed software updates and remote-wipe capability on every device with access to client material.
  • Access control. Role-based access on a need-to-know basis, multi-factor authentication on every administrative and client-facing system, and segregation of mandate workspaces.
  • Secure channels. Signal and Proton are available on request for client communications once initial contact is established. We can also operate within client-provided secure environments where required.
  • Physical security. Hard-copy materials are held in locked storage at firm premises and destroyed by cross-cut shredding or certified secure destruction.
  • Vendor management. Sub-processors are limited to a vetted list, bound by written data-processing terms, and reviewed periodically against the firm's security baseline.
  • Incident response. A documented incident-response procedure governs containment, assessment and notification. Personal-data breaches meeting the UK GDPR threshold are reported to the Information Commissioner's Office within 72 hours and to affected individuals without undue delay.

6. Data retention

We hold information no longer than is necessary for the purposes for which it was collected, subject to the legal, regulatory and professional obligations that apply to advisory work. Our standard retention schedule is:

  • Declined enquiries — destroyed within 90 days of the decision not to proceed, unless retention is required for conflicts or regulatory reasons.
  • Active engagement files — held for the duration of the mandate and the limitation period applicable to the matter.
  • Closed engagement files — retained for seven years from the close of the mandate, reflecting the limitation period under the Limitation Act 1980 and our professional duty to defend the work performed.
  • Anti-money-laundering records — held for five years from the end of the business relationship, as required by the Money Laundering Regulations 2017.
  • Accounting records — held for six years from the end of the relevant financial year, in line with HMRC requirements.

At the end of the applicable period, records are securely destroyed. Where a client requires earlier return or destruction of its material, we will agree a written protocol at the close of the mandate.

7. Client anonymity

The firm operates a standing rule of client anonymity. We will not:

  • publish, list or reference clients on this website, in marketing materials, on social channels, or in pitch documents;
  • use client logos, names or matter details to win further work, even in redacted form, without prior written authorisation;
  • comment to journalists, analysts or researchers on whether a relationship exists with any named party;
  • permit personnel to reference firm engagements on personal profiles, professional networks or in published commentary.

Where a client elects to acknowledge the relationship — for example, in a regulatory filing or public statement — we will follow the client's lead and confine any commentary to the perimeter the client has set.

8. Your rights

Where we hold personal data about you, the UK GDPR gives you the right to request access to it, to ask that it be corrected or erased, to restrict or object to its processing, and to receive it in a portable form. You also have the right to withdraw consent where consent is the basis on which we process your data.

Requests should be made in writing to office@corporatediplomacy.co. We will respond within one month and may extend that period by a further two months where a request is complex, notifying you of the extension and the reasons for it.

You have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you believe your data has been handled in breach of the UK GDPR. We would ask for the opportunity to address any concern directly before that step is taken.

9. International transfers

Our work frequently spans the United Kingdom, the European Economic Area, the Gulf and the Levant. Where personal data is transferred outside the United Kingdom, we rely on adequacy regulations where they apply, or on the International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.

10. Changes to this notice

We review this notice at least annually and whenever the firm's practices materially change. The version and effective date above will be updated on each revision. Previous versions are retained in our records and available on request.

11. Contact

Questions about this notice, or about how the firm handles information entrusted to it, should be directed to the office in writing:

office@corporatediplomacy.co
The Office of Corporate Diplomacy & Strategic Services
London · Amman