Crestmont Business Services

Data & Security

How Crestmont Business Services protects the information entrusted to us

Our position

Security is an operational standard, not a policy document

The work we do involves sensitive commercial information — receivables data, client account details, payment histories, and business financials. We treat the security of that information as an operational responsibility, not a compliance checkbox. The controls below reflect how we operate in practice.

Access control

Who can access client data

Access to client data is restricted to personnel directly involved in the delivery of that client's engagement. We do not operate shared environments where data from multiple clients is accessible to the same individuals without a specific operational reason.

All access to client systems, where applicable, is conducted under credentials provided explicitly by the client and revoked at engagement end. We do not retain access beyond the active engagement period.

Data in transit and at rest

How data is transmitted and stored

All correspondence containing client data is conducted over encrypted channels. We use Google Workspace for email and document management — all data is encrypted in transit (TLS) and at rest.

Client documents and engagement files are stored in dedicated, access-controlled environments. We do not use public file-sharing services or consumer-grade storage tools for client data.

Sub-processors

Third-party tools we use

We use a small set of third-party tools to deliver our work. Each has been selected in part for its security posture and GDPR compliance. The full list is maintained in our Privacy Notice. The key tools that may handle client data include:

  • Google Analytics — website traffic measurement (activated only with visitor consent)
  • Google Workspace — email and document storage (ISO 27001 certified, GDPR compliant)
  • Airtable — pipeline and engagement management (SOC 2 Type II, GDPR compliant)
  • Yousign — e-signature for service agreements (eIDAS compliant, European-based)
  • Dinero — accounting and invoicing (Danish provider, GDPR compliant)

We do not use tools that profile, monetise, or share client data. We do not use advertising platforms in any part of our workflow.

Incident response

What happens in the event of a breach

In the event of a personal data breach that poses a risk to individuals, we will notify the affected client within 72 hours of becoming aware of the incident, and will report to the Danish Data Protection Authority (Datatilsynet) as required under GDPR Article 33.

We maintain a written incident log and review our controls following any security event, regardless of severity.

Retention and deletion

How long we keep your data and how we delete it

Retention periods are set out in our Privacy Notice. At the end of the applicable retention period, client data is deleted from all systems, including sub-processor environments where we have the ability to action deletion. Where deletion is not technically possible, we apply appropriate access restrictions.

Clients may request deletion of their data at any point by writing to founder@crestmontbusinesservices.com. We will confirm deletion within 30 days, subject to any legal retention obligations.

Regulatory framework

Applicable law and supervisory authority

Crestmont Business Services operates under Danish law and is subject to the General Data Protection Regulation (GDPR) as implemented in Denmark. Our supervisory authority is the Danish Data Protection Authority:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
datatilsynet.dk

For all data protection enquiries: founder@crestmontbusinesservices.com