Operational Security Processes and Policies in BPO Services

Data security at Felcorp is enforced through the management workflows that govern how services are delivered day to day. Security tasks are built directly into the operational cycle so that protecting client data is a natural part of every process deliverable rather than a separate compliance exercise.

This means data security is present at every stage of the workflow: from how procedures are defined, through how staff are trained, how tasks are completed, how work is reviewed and how deliverables are approved.

Procedures

Every service engagement operates under defined procedures that specify how data is collected, stored, handled and eventually disposed of. These procedures are configured to match the data sensitivity, regulatory context and workflow requirements of each engagement.

Procedures govern what channels staff may use to receive client data, where that data is stored, who may access it and how it must be handled during day-to-day operations. Confidential data must remain secured on screens when unattended, kept within approved storage systems and only printed with express client permission.

For detail on how data is protected at the platform level, refer to Technology and Endpoint Security.

Training

All staff complete security and data protection training as part of onboarding before any client work begins. This covers Felcorp's confidentiality obligations, data handling procedures, acceptable use policies and the consequences of non-compliance.

Staff are required to complete 40 hours of continuing professional development annually, which includes ongoing reinforcement of data security practices. Division Managers monitor competency development and identify where additional guidance is needed.

Task Completion

Security obligations are embedded into how tasks are performed at every step. Staff follow approved workflows for all data-related activities, including how information is received, where it is recorded and how it moves between systems.

All task activity is tracked through Felcorp's internal management platform, creating a record of who handled what data and when. Communication with clients and third parties is restricted to approved channels, and access to client data is scoped to the individual engagement only.

This prevents staff working on one client's tasks from seeing information belonging to another. For detail on how this separation is enforced, refer to Client and Engagement-Level Separation.

Review

Division Managers provide direct oversight of all work performed within their teams. This includes checking task output for quality and compliance, monitoring adherence to data handling procedures and identifying where processes may need to be tightened.

Performance is assessed through mid-year and annual reviews, with daily timesheet submissions providing a baseline of accountability. Where a review identifies a gap in data handling practices, it is addressed through additional training, procedural adjustment or escalation.

Management retains visibility over credential access, endpoint activity and system usage through centralised audit controls described under Monitoring and Reporting.

Approval

Certain operational actions require explicit approval before they can proceed:

• Temporary staff substitutions require the client's written approval and a signed confidentiality agreement before access is provisioned
• Changes to data handling procedures or access permissions are escalated through the management chain
• Data disposal on engagement termination follows a defined process with management oversight

On termination, all stored data is securely transferred back to the client through encrypted channels and permanently removed from Felcorp's systems within the agreed timeframe. Approval requirements ensure that security-sensitive decisions carry documented authorisation.

How This Fits the Security Framework

Operational processes and policies sit within the Security By Operation layer of Felcorp's three-layer security framework. The Design layer builds secure infrastructure and the Engagement layer protects individual clients. This layer ensures the people and processes running across that infrastructure enforce security through every workflow step.

For detail on how access is governed across these workflows, refer to Identity and Access Management.