INFORMATION SECURITY STATEMENT
Portmill Engineering Limited (“we”, “us”, “our”) is committed to protecting the confidentiality, integrity, and availability of information entrusted to us by our customers, partners, and suppliers. This Information Security Statement outlines the principles, controls, and practices we apply to safeguard information across our operations.
This statement applies to all information processed by Portmill Engineering Limited, including personal data, fleet and business-related data, technical records, and operational information.
Company Name: Portmill Engineering Limited
Company Number: 11084121
Registered in: England and Wales
Registered Office: 109 Nathan Way, London, England, SE28 0AQ
Email: sales@pmautocare.co.uk
Our information security framework applies to:
- Personal data of individual customers
- Fleet and business customer data (B2B)
- Vehicle identification data and service records
- Diagnostic, inspection, and repair documentation
- Commercial, contractual, and billing information
- Website, communication, and operational systems
This includes information stored or processed electronically, verbally, or in physical form.
We operate our information security practices in accordance with the following principles:
- Confidentiality: Information is accessible only to authorised individuals
- Integrity: Information is accurate, complete, and protected from unauthorised modification
- Availability: Information is available when required for legitimate business purposes
We only collect data that is necessary, relevant, and proportionate to our services.
Access to information is restricted based on job role and operational necessity.
- Staff access is granted on a least-privilege basis
- Authentication credentials are protected and must not be shared
- Access rights are reviewed periodically and revoked when no longer required
- Staff are trained to handle information securely and responsibly
Only authorised personnel may access customer, fleet, or business-sensitive data.
We implement a combination of technical and organisational safeguards, including but not limited to:
- Secure hosting and infrastructure environments
- Password-protected systems and role-based access
- Regular software and system updates
- Secure communication channels for business correspondence
- Controlled physical access to systems and documentation
We avoid publicly disclosing specific technical configurations to reduce security risk.
Information is retained only for as long as necessary to:
- Deliver requested services
- Comply with legal, regulatory, or contractual obligations
- Resolve disputes or enforce agreements
When information is no longer required, it is securely deleted or destroyed in accordance with our data retention policies.
Where third-party service providers are used (including hosting, payment facilitation, communication tools, or software platforms), we take reasonable steps to ensure they:
- Meet appropriate security and data protection standards
- Process data only for agreed and lawful purposes
- Implement safeguards consistent with UK GDPR requirements
Third-party access is limited strictly to what is necessary to deliver their services.
Fleet and business customer data is treated as commercially sensitive.
- Access is restricted to authorised personnel
- Data is used solely for service delivery, reporting, and contractual obligations
- Information is not disclosed to unauthorised third parties
- Additional contractual controls may apply to fleet agreements
Where required, separate fleet-specific agreements may supplement this statement.
We maintain procedures to identify, assess, and respond to information security incidents.
In the event of a suspected or confirmed data breach:
- Immediate steps are taken to contain and mitigate the incident
- Impact is assessed without undue delay
- Relevant authorities and affected parties are notified where legally required
- Corrective actions are implemented to prevent recurrence
All incidents are reviewed to improve future security posture.
Information security is an ongoing process.
- Policies and procedures are reviewed periodically
- Security practices are updated in line with regulatory and operational changes
- Lessons learned from incidents or audits are incorporated
We aim to maintain security measures proportionate to the nature and scale of our operations.
Users interacting with our website or services are expected to:
- Provide accurate and lawful information
- Protect any credentials or access details issued to them
- Notify us promptly of any suspected unauthorised access
We cannot be held responsible for security failures resulting from user negligence.
Our information security practices align with applicable UK laws and regulations, including:
- UK GDPR
- Data Protection Act 2018
- Applicable contractual and industry obligations
This statement should be read in conjunction with our Privacy Policy and Terms & Conditions.
We reserve the right to update this Information Security Statement to reflect changes in legal requirements, business operations, or security practices. The latest version will always be published on our website.
Continued use of our services indicates acceptance of the current version.
Questions or concerns regarding information security may be directed to:
Effective from: 14 December 2025


