Climate springboard logo
Sign up
find your data 1

Cyber security policy

1. Purpose

Climate Springboard is a partnership between The University of Edinburgh and the Edinburgh Climate Change Institute. Climate Springboard delivers training and business support to businesses across Scotland. This policy outlines measures to ensure the security, confidentiality, integrity and availability of Climate Springboard’s digital assets in alignment with the University’s Acceptable Use and Information Security Policies. These policies, such as the following selection, ensure that all Climate Springboard staff must: 

  • Comply with the provisions of all current applicable UK or Scots law; 
  • Take all reasonable care to maintain the security of computing facilities – for Climate Springboard this involves maintaining the security of our University issued devices.  
  • Ensure the confidentiality, integrity and security of all personally identifying data held or processed by the University to which they have been given approved access;
  • Complete the Information Security Awareness Training.
2. Scope

This policy applies to all employees and third-party service providers with access to our information systems when working with Climate Springboard. 

Climate Springboard staff are employed by the University of Edinburgh and are responsible for following all relevant data and security policies.  

Third party service providers are contracted by Climate Springboard to deliver specific, time-bound projects. For more information about the third-party providers we are currently working with, email climatespringboard@ed.ac.uk.  

Programme fundersare private and public sector organisations that provide core funding to the Climate Springboard programme. View a current list of our consortium of funders here.

 3. User access
  • Climate Springboard staff must use University-issued, encrypted devices for a specified duration based on contract length. User accounts are revoked immediately upon termination of access.
  • Third party service providers working with Climate Springboard will only be able to access specific information relevant to the project that is being hosted on secure servers (read Section 4). They are not allowed to download any data onto personal devices. Their access will be revoked immediately upon competition of contracted project. 
  • All Climate Springboard staff must use the University of Edinburgh’s Virtual Private Network (VPN) when working remotely. 
  • Climate Springboard participants only receive access to public facing resources; all personal data is only stored on OneDrive, where access is administered and restricted by the Data Controller.  
4. Use of Microsoft software

Climate Springboard utilises the latest Microsoft software to enhance productivity and collaboration and is continuously and automatically updated when working on University of Edinburgh owned devices.

This section outlines how we secure Microsoft applications to protect our digital assets. Microsoft Teams, SharePoint, and OneDrive are secure, and the data is encrypted (both at rest and in transit); they are GDPR compliant, and their servers are located in the UK/EU, as such have been chosen as the most optimal and secure software to use for operations:

  • Microsoft OneDrive and SharePoint are used for secure file storage and sharing.
  • File access permissions to shared resources are audited on a bi-annual basis.
  • Ensure multi-factor authentication is enabled for all accounts accessing Microsoft services.  
  • Ensure all Microsoft applications and operating systems are regularly updated with the latest security patches. 
  • Data is regularly backed up on OneDrive and encrypted backups are stored securely on cloud storage for up to one year.
5. Data breach or incident

In the event of a data breach, we will investigate the incident to understand its nature and impact, notify the affected parties, and escalate the matter to the Data Protection Officer to ensure it is properly managed and remedied. 

If an individual suspects that their personal data may have been compromised, they should promptly notify us at climatespringboard@ed.ac.uk. The matter will be investigated and managed according to the University of Edinburgh’s Incident Management Standard. 

6. Policy Review and Updates

This policy will be reviewed annually or as needed and updated to address new risks and regulatory changes. 


Policy last reviewed: August 2025 

Version number: 1.0 

Next review date: August 2026