Eligibility & Authorization

This system is the exclusive property of Fortune Foods UK LTD and is intended solely for use by authorized employees of the company. Access to this system is granted on a need-to-know basis and is subject to the following conditions:

• You must be a current, active employee of Fortune Foods UK LTD
• You must have been granted explicit written or electronic authorization to access this system
• Your access must be necessary for the performance of your job duties
• You must comply with all company policies, including but not limited to IT security policies, data protection policies, and acceptable use policies
• Your authorization may be revoked at any time at the discretion of Fortune Foods UK LTD

Prohibited Activities

The following activities are strictly prohibited and constitute a violation of these terms:

• Sharing, disclosing, or transferring your login credentials to any other person, including colleagues, family members, or third parties
• Attempting to access data, systems, or functions beyond your authorized scope or permission level
• Using the system for any purpose other than legitimate business activities of Fortune Foods UK LTD
• Attempting to circumvent security measures, authentication mechanisms, or access controls
• Introducing malicious software, viruses, or other harmful code into the system
• Modifying, deleting, or tampering with system logs, audit trails, or security records
• Unauthorized copying, downloading, or distribution of data or information from the system
• Using automated tools, scripts, or bots to access the system without explicit authorization
• Reverse engineering, decompiling, or attempting to discover the underlying code or architecture

Consequences of Unauthorized Access

Unauthorized access to this system is strictly prohibited and may result in:

• Immediate Termination: Your access to the system will be immediately terminated without notice
• Employment Consequences: Violations may result in disciplinary action, up to and including termination of employment
• Legal Action: Fortune Foods UK LTD reserves the right to pursue legal action under applicable laws, including but not limited to:
  • The Computer Misuse Act 1990 (UK)
  • The Data Protection Act 2018
  • The General Data Protection Regulation (GDPR)
  • Other applicable UK and international laws
• Civil and Criminal Penalties: Unauthorized access may result in both civil liability and criminal prosecution
• Law Enforcement Reporting: All unauthorized access attempts will be reported to relevant law enforcement authorities, including but not limited to the National Cyber Security Centre (NCSC) and local police
• Financial Liability: You may be held financially responsible for any damages, losses, or costs resulting from unauthorized access

1. Rate Limiting & Security Monitoring

To protect against unauthorized access, brute-force attacks, and ensure system security and availability, we implement comprehensive rate limiting and security monitoring. This system automatically collects and stores the following information for each login attempt:

• IP Address: Your Internet Protocol (IP) address is recorded for each login attempt. This includes both IPv4 and IPv6 addresses. IP addresses are used to:
  • Identify and prevent abuse, brute-force attacks, and unauthorized access attempts
  • Geolocate access attempts for security analysis
  • Enforce IP-based access controls and whitelisting
  • Track patterns of suspicious activity
• Login Attempt Frequency: The number and frequency of login attempts from your IP address are continuously monitored and analyzed
• Timestamp: The precise date and time (including timezone) of each login attempt is recorded with millisecond precision
• User Agent String: Information about your browser, operating system, and device (e.g., browser type, version, device type) is collected for:
  • Security analysis and anomaly detection
  • Identifying automated tools and bots
  • Compatibility and troubleshooting purposes
• Request Headers: Additional HTTP headers may be logged for security analysis, including referrer information and proxy headers

Legal Basis & Purpose: This data collection is necessary for our legitimate interests in:

• Preventing automated attacks, brute-force login attempts, and distributed denial-of-service (DDoS) attacks
• Identifying and blocking suspicious activity patterns and potential security threats
• Enforcing rate limits to protect system availability and prevent system abuse
• Investigating security incidents and potential breaches
• Complying with legal obligations and regulatory requirements
• Protecting the rights and security of all authorized users

2. Comprehensive Audit Logging

All authentication attempts, system access events, and user activities are comprehensively logged in our secure audit system. This includes both successful and failed attempts. The following detailed information is collected and retained:

For All Login Attempts:

• Username/Account Identifier: The username or account identifier used in the login attempt (stored in encrypted format)
• IP Address: The complete IP address from which the login attempt originated (including source port information where available)
• Precise Timestamp: The exact date and time of the login attempt, including timezone information and millisecond precision
• Authentication Result: Whether the login attempt was successful, failed, or blocked
• Failure Classification: For failed attempts, detailed reason codes including:
  • Incorrect password
  • Account locked due to excessive failed attempts
  • IP address not whitelisted
  • Account disabled or suspended
  • Session expired or invalid
  • Rate limit exceeded
  • Other security-related blocks

For Successful Logins:

• Session Identifier: Unique session tokens and identifiers for tracking active sessions
• Session Duration: Login time, last activity timestamp, and session expiration time
• Access Level: User role, permissions, and access scope granted
• Initial Access Point: The specific page or function first accessed after login

For Failed Login Attempts:

• Failure Reason Code: Detailed classification of why the login failed
• Account Status: Whether the account exists, is active, locked, or disabled
• Consecutive Failure Count: Number of consecutive failed attempts from the same IP/username combination
• Lockout Status: Whether the account or IP was locked as a result of the failed attempt

Legal Basis & Purpose of Audit Logging:

• Security & Threat Detection: Continuous security monitoring, threat detection, and early warning of potential security incidents
• Incident Investigation: Comprehensive forensic analysis of security incidents, unauthorized access attempts, and system breaches
• Regulatory Compliance: Compliance with data protection regulations (UK GDPR, Data Protection Act 2018), industry standards (ISO 27001, SOC 2), and sector-specific requirements
• Account Activity Tracking: Monitoring and tracking of authorized user activities for security, compliance, and operational purposes
• Forensic Analysis: Detailed investigation capabilities in the event of security breaches, data leaks, or unauthorized access
• Legal Obligations: Fulfillment of legal obligations to maintain security records and assist law enforcement when required
• Risk Management: Identification and mitigation of security risks and vulnerabilities

3. Data Retention & Storage

Audit log data and security monitoring information are retained in accordance with legal requirements, regulatory obligations, and company data retention policies. Retention periods are determined based on:

• Legal Requirements: Minimum retention periods mandated by UK law, including but not limited to:
  • Data Protection Act 2018 requirements
  • Financial services regulations (if applicable)
  • Employment law requirements
  • Other sector-specific regulations
• Regulatory Compliance: Industry standards and regulatory frameworks such as ISO 27001, GDPR, and sector-specific requirements
• Ongoing Investigations: Extended retention for data related to active security investigations or legal proceedings
• Company Policy: Internal data retention policies designed to balance security needs with privacy considerations
• Operational Requirements: Retention necessary for system operations, troubleshooting, and historical analysis

Typical Retention Periods: While retention periods may vary, typical retention periods include:

• Active security monitoring data: 90 days to 1 year
• Audit logs: 2 to 7 years (depending on the nature of the data and legal requirements)
• Data related to security incidents: Extended retention until investigation and legal proceedings are concluded
• Data subject to legal hold: Retained until the legal hold is released

4. Data Security & Protection Measures

Fortune Foods UK LTD employs industry-standard security measures to protect all collected data:

• Encryption: All sensitive data, including IP addresses and usernames, is encrypted at rest using AES-256 encryption and in transit using TLS 1.3
• Access Controls: Strict access controls ensure that audit logs and security monitoring data are accessible only to:
  • Authorized IT Security personnel
  • System administrators with appropriate clearance
  • Compliance and audit teams
  • Law enforcement when legally required
• Network Security: Data is stored on secure, isolated networks with multiple layers of firewall protection
• Physical Security: Servers and storage systems are housed in secure, access-controlled facilities
• Regular Security Audits: Regular security assessments, penetration testing, and vulnerability scanning
• Incident Response: Comprehensive incident response procedures in the event of a security breach
• Data Backup & Recovery: Regular, encrypted backups with tested recovery procedures

5. Your Data Protection Rights

Under UK GDPR and the Data Protection Act 2018, you have certain rights regarding your personal data. However, please note that:

• Right of Access: You have the right to request access to your personal data. However, access to certain security-related data may be restricted to prevent compromising ongoing security investigations or revealing security measures
• Right to Rectification: You may request correction of inaccurate personal data, subject to verification and security considerations
• Right to Erasure: You may request deletion of your personal data, but this right may be limited when:
  • Data retention is required by law or regulatory obligations
  • Data is necessary for ongoing security investigations
  • Data is required for the establishment, exercise, or defense of legal claims
• Right to Restrict Processing: You may request restriction of processing in certain circumstances
• Right to Data Portability: Where applicable, you may request transfer of your data
• Right to Object: You may object to processing based on legitimate interests, though this may be limited for security purposes

Exercising Your Rights: To exercise any of these rights, please contact:

Email: info@fortunefoods.co.uk