Skip to Main Content
Telephone Icon Contact Us

Privacy Policy

May 15, 2026

Mondas Consulting Ltd (“Mondas”, “we”, “our”, “us”) is a provider of cyber security, information security, privacy, governance, risk and compliance consulting services operating across the United Kingdom and Europe.

Mondas Consulting Ltd is registered in England & Wales under company number 06404381.

Registered Office:
The Hub, Fowler Avenue, Farnborough, Hampshire, GU14 7JP

Mondas acts as a Data Controller, determining the purposes and means of processing personal data. In certain circumstances, Mondas may also act as a Data Processor on behalf of clients, processing personal data strictly in accordance with client instructions and contractual obligations.

We are committed to protecting personal data and processing information lawfully, fairly and transparently in accordance with:

  • The UK General Data Protection Regulation (“UK GDPR”),
  • The Data Protection Act 2018,
  • The Privacy and Electronic Communications Regulations (“PECR”),
  • and other applicable privacy and information security legislation.

Mondas maintains an Information Security Management System (ISMS) aligned to ISO/IEC 27001 standards and is certified with ISO 27001, Cyber Essentials, and Cyber Essentials Plus certifications as part of our commitment to protecting information assets and maintaining appropriate technical and organisational security measures.

For privacy-related queries, requests, or complaints, you can contact us using the details below:

Email: dataprivacy@mondas.co.uk
Telephone: 01252 494 020

Postal Address:
The Hub, Fowler Avenue, Farnborough, Hampshire, GU14 7JP

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: 🔗https://www.ico.org.uk

Categories of Personal Data We Process

Depending upon the nature of our relationship with you, Mondas may process the following categories of personal data:

  • Identity Data (such as name, title)
  • Contact Data (such as business address, email address and telephone number)
  • Employment Data (such as employer details, role, department and professional background)
  • Technical Data (such as IP addresses, browser information and device identifiers)
  • Usage Data (such as website interaction data and service usage information)
  • Marketing and Communications Data (such as communication preferences and consent records)
  • Compliance and Security Data (such as audit records, access logs, vulnerability information and investigation records)
  • Recruitment Data (such as CVs, qualifications, references and right-to-work documentation)

Where necessary and lawful, Mondas may also process limited categories of special category personal data or criminal offence data in accordance with Articles 9 and 10 UK GDPR and Schedule 1 of the Data Protection Act 2018.

International Transfers

Mondas primarily stores and processes personal data within the United.

We do not transfer data outside the UK. Should any personal data be transferred outside the United Kingdom or the EEA, Mondas ensures that appropriate safeguards are implemented in accordance with Chapter V of the UK GDPR. These safeguards may include:

  • UK adequacy regulations,
  • the UK International Data Transfer Agreement (IDTA),
  • the UK Addendum to the EU Standard Contractual Clauses (SCCs),
  • Binding Corporate Rules,
  • or other lawful transfer mechanisms approved by the UK Information Commissioner’s Office (“ICO”).

Where third-party cloud or technology providers are used, Mondas undertakes due diligence and contractual assessments to ensure personal data receives an equivalent level of protection consistent with UK data protection law.

Security of Personal Data

Mondas implements and maintains appropriate technical and organisational measures (“TOMs”) designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, or other unlawful forms of processing.

These measures include, where appropriate:

  • ISO/IEC 27001-aligned Information Security Management Systems (ISMS),
  • Cyber Essentials and Cyber Essentials Plus security controls,
  • Multi-factor authentication (MFA),
  • Encryption of data in transit and at rest,
  • Role-based access controls and least privilege principles,
  • Vulnerability management and patching procedures,
  • Logging, monitoring and threat detection capabilities,
  • Supplier and third-party security due diligence,
  • Secure backup and disaster recovery processes,
  • Staff confidentiality and security awareness training,
  • Incident response and breach management procedures,
  • Physical and environmental security controls.

Access to personal data is restricted to authorised personnel and approved third parties who require access for legitimate business purposes and who are subject to confidentiality and security obligations.

Mondas regularly reviews and improves its security controls to ensure continued alignment with evolving cyber security threats, regulatory obligations and industry best practices.

Retention of Personal Data

Mondas retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, regulatory, contractual, tax, accounting, audit, and reporting obligations.

Retention periods may vary depending on the nature of the data and processing activity. Typical retention periods include:

  • Client contractual and project records: up to 7 years following contract termination
  • Financial and accounting records: 6 years
  • Recruitment records for unsuccessful applicants: up to 12 months
  • Security monitoring and audit logs: in accordance with operational and security requirements
  • Marketing suppression lists: retained as necessary to ensure continued compliance with opt-out requests
  • Website analytics and cookie-related data: retained in line with cookie and analytics settings

Where personal data is no longer required, it will be securely deleted, anonymised, or made unavailable for operational use in accordance with our data retention and disposal procedures.

Legitimate Interests

Where Mondas relies on legitimate interests as a lawful basis for processing, we ensure that our interests are balanced against individuals’ rights and freedoms through appropriate assessment procedures and safeguards.

You have the right to object to processing carried out under legitimate interests at any time.

Automated Decision-Making and Profiling

Mondas may use limited profiling, analytics and monitoring activities to support:

  • cyber security monitoring,
  • fraud prevention,
  • service optimisation,
  • compliance monitoring,
  • business analytics,
  • and risk management activities.

Such processing may include the use of technical logs, behavioural indicators, website analytics and security monitoring technologies.

Mondas does not carry out solely automated decision-making that produces legal effects or similarly significant effects on individuals unless:

  • explicitly authorised by law,
  • necessary for entering into or performing a contract,
  • or based upon your explicit consent.

Where applicable, individuals retain the right to request human intervention, challenge decisions, and express their views.

Cookies and PECR Compliance

Mondas uses cookies and similar technologies on its website to support functionality, security, analytics and user experience improvements.

Non-essential cookies, including analytics and marketing cookies, are only deployed where you have provided consent through our cookie preference management platform, in accordance with the Privacy and Electronic Communications Regulations (PECR).

You may manage or withdraw your cookie preferences at any time through our website cookie settings.

Further information can be found within our Cookie Policy.

Children’s Privacy

Mondas services and websites are not directed toward children under the age of 18, and we do not knowingly collect personal data relating to children.

If we become aware that personal data relating to a child has been collected inadvertently, we will promptly delete the information.

Mondas reserves the right to update this Privacy Notice periodically to reflect legal, regulatory, operational or business changes. Any material changes will be published on this page.

Document Control

Version: 4.0
Effective Date: 15 May 2026
Last Reviewed: 15 May 2026
Document Owner: Compliance & Privacy Team