1. Security model
We use a practical control model: limit access, reduce data movement, keep an audit trail and separate day-to-day operating access from administrative access.
2. Controls
- Access is granted on a need-to-know basis for the pilot or service.
- Business systems use strong authentication where available.
- Client data is kept in approved systems, not personal inboxes or unmanaged files.
- Operational exports are limited to the minimum needed for delivery.
- Security incidents are escalated quickly to the client contact and handled according to the engagement terms.
3. HVAC-specific risks
| Risk | Control |
|---|---|
| Engineer location or ETA data exposed too broadly | Restrict access to dispatch and management roles |
| Site access notes shared in messaging apps | Move notes into controlled job systems |
| Compliance evidence lost after job close | Store evidence against the work order or client record |
| Former staff retain system access | Remove access during offboarding |
4. Client responsibilities
Security works only if both sides keep the operating model clean. Clients should maintain accurate user lists, tell us when staff leave, avoid sending unnecessary personal data and use approved systems for dispatch and compliance evidence.
5. Reporting concerns
Report suspected security issues to pilot@instaris.co.uk with “Security” in the subject line. Include what happened, what data may be involved and who to contact.