# Form-Backend Data-Handling Memo — CyberSight Forensics (for Engineering)

**Privileged & confidential** · BTC-CS2026-OW-LG-SP-0001-FormBackendDataHandlingMemo_A1-C01.md · **A1-C01 — PUBLISHED** 12 June 2026 · SEC3 SENSITIVE
Companion to ON-0001 (A1-C02), IN-0001 (build checklist), WD-0001 (wording). Sets the **legal requirements** the enquiry-form backend must meet (ON-0001 item 05). Engineering owns the technical design within these; legal-intent questions to Themis via the founder. Each requirement is testable; tags **[BLOCKER]** (gates go-live) / **[REQUIRED]**.

## Data in scope
The enquiry form collects: **name, organisation, work email, phone number, and free-text enquiry content**. Treat all of it as personal data. No other personal data is captured by the site (no accounts, no analytics — see WD-0001 D-4).

## Requirements

- **SP-1 [BLOCKER] — No capture before the notice is live.** The form must not be able to submit or store any enquiry until the Privacy Policy (WD-0001 D-3) is published and linked. *Test: privacy link resolves; submission disabled in any environment where it is not.*
- **SP-2 [BLOCKER] — UK/EEA data residency.** Enquiry data (and any backups/logs holding it) is stored and processed in the **UK or EEA**. If any provider processes it outside the UK, an approved transfer mechanism (UK **IDTA** or the EU SCCs + UK Addendum) must be in place **before** that provider is used. *Test: data-location attestation from each provider on file.*
- **SP-3 [BLOCKER] — Processor contracts (Art 28).** Every third party that handles enquiry data — the form/email provider and the hosting provider — must be engaged under a **written processor contract meeting UK GDPR Article 28** (purpose limitation, confidentiality, security, sub-processor control, deletion/return, audit). *Test: signed DPA/Art 28 terms for each on file.*
- **SP-4 [REQUIRED] — Encryption.** Enquiry data is encrypted **in transit** (TLS) and, where retained, **at rest**. *Test: TLS enforced site-wide; at-rest encryption confirmed for the store/mailbox.*
- **SP-5 [REQUIRED] — Access control.** Access to enquiries is **least-privilege** (only those who handle enquiries), authenticated, and logged. No shared mailboxes with uncontrolled access. *Test: access list + auth review.*
- **SP-6 [REQUIRED] — Retention + deletion.** Enquiry data is deleted at the end of the retention period in WD-0001 D-3 (**[12 months]** from last contact for non-engaged enquiries), by a routine, not by memory. *Test: deletion routine demonstrated in staging.*
- **SP-7 [REQUIRED] — Sensitive-content handling.** The form carries the "do not send sensitive case material" notice (WD-0001 D-3). If special-category or third-party data arrives unprompted, there must be a step to **restrict access and delete where not needed** (do not propagate it into analytics, logs or downstream tools). *Test: process documented; field values scrubbed from any error/diagnostic logging.*
- **SP-8 [REQUIRED] — No silent third-party calls.** The form page must not load analytics, ad or social trackers (consistent with WD-0001 D-4 / the no-cookie position). *Test: network capture on the form page → only first-party + the chosen form/email endpoint.*
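The following is an added illustration, not part of the memo and not CyberSight's or Themis's own code, of the two pieces SP-6 and SP-7 leave to Engineering: a retention-deletion routine that selects non-engaged enquiries older than the retention window, and a scrubber that strips the in-scope field values before anything reaches error or diagnostic logging. The field names, the reading of the "[12 months]" placeholder as 365 days, and the sample enquiries and log lines are all constructed assumptions.

```python
"""Retention deletion (SP-6) and log scrubbing (SP-7) over constructed sample data.
Added example: field names, the 365-day window and the records are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# In-scope personal-data fields from the memo's "Data in scope" section (names assumed).
PERSONAL_FIELDS = ("name", "organisation", "email", "phone", "enquiry")
RETENTION_DAYS = 365  # assumption: the "[12 months]" placeholder read as 365 days


@dataclass
class Enquiry:
    enquiry_id: str
    last_contact: date
    engaged: bool  # True once the enquiry became a client relationship (assumed flag)
    name: str
    organisation: str
    email: str
    phone: str
    enquiry: str


def due_for_deletion(records, today: date, retention_days: int = RETENTION_DAYS) -> list[str]:
    """Ids of non-engaged enquiries whose last contact is older than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return [r.enquiry_id for r in records if not r.engaged and r.last_contact < cutoff]


def purge(records, today: date) -> tuple[list[Enquiry], list[str]]:
    """Run the routine: return the surviving records and the ids that were deleted."""
    doomed = set(due_for_deletion(records, today))
    kept = [r for r in records if r.enquiry_id not in doomed]
    return kept, sorted(doomed)


# Pattern-based fallbacks for values the scrubber was not told about. Deliberately
# broad: over-redacting a diagnostic line is preferable to leaking enquiry data.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def personal_values(enq: Enquiry) -> tuple[str, ...]:
    """The field values that must never appear in logs for this enquiry."""
    return tuple(getattr(enq, f) for f in PERSONAL_FIELDS)


def scrub_log_line(line: str, known_values=()) -> str:
    """Redact enquiry field values from a line before it reaches error/diagnostic logging."""
    # Longest values first, so a short value does not break up a longer one it sits inside.
    for value in sorted((v for v in known_values if v), key=len, reverse=True):
        line = line.replace(value, "[REDACTED]")
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = PHONE_RE.sub("[PHONE]", line)
    return line


def record_for_log(enq: Enquiry) -> dict:
    """Diagnostic view of an enquiry: identifiers and dates only, never the personal fields."""
    return {"enquiry_id": enq.enquiry_id,
            "last_contact": enq.last_contact.isoformat(),
            "engaged": enq.engaged}


# Constructed sample data (not real enquiries).
SAMPLE = [
    Enquiry("enq-001", date(2025, 4, 1), False, "Ada Example", "Example Ltd",
            "ada@example.org", "+44 20 7946 0000", "Need help after a suspected intrusion"),
    Enquiry("enq-002", date(2026, 3, 15), False, "Bo Sample", "Sample plc",
            "bo@example.com", "+44 161 496 0000", "Quote for a forensic review"),
    Enquiry("enq-003", date(2024, 11, 2), True, "Cy Test", "Test GmbH",
            "cy@example.net", "+49 30 0000 0000", "Ongoing engagement"),
]
TODAY = date(2026, 6, 12)
# Constructed line of the kind a form backend might emit on a failed submission.
SAMPLE_LOG_LINE = ("form submit failed: payload name=Ada Example org=Example Ltd "
                   "email=ada@example.org phone=+44 20 7946 0000")

if __name__ == "__main__":
    kept, deleted = purge(SAMPLE, TODAY)
    print("deleted:", deleted, "kept:", [record_for_log(r) for r in kept])
    print(scrub_log_line(SAMPLE_LOG_LINE, personal_values(SAMPLE[0])))
```

`record_for_log` is the shape to hand to any logger or downstream tool; the regex fallbacks in `scrub_log_line` exist for values that reach the logger by another path and will also redact date-like digit runs, which is the intended bias.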

## What Engineering must report back (for the Go-Live Gate)
1. Chosen **form/email provider** and **hosting provider**, with data-residency attestation and signed Art 28 terms.
2. Confirmation TLS + at-rest encryption are in place.
3. The retention/deletion routine and who has access.
4. Confirmation the privacy notice is live before capture is enabled.

These feed the IN-0001 Go-Live Gate (form-backend REQUIRED items) and the WD-0001 D-3 processor names.

---

*Themis Legal · 12 June 2026 · SP-0001 · A1-C01 · SEC3 · Privileged & confidential.*
