Policies & Legals
COOKIE POLICY
Scope of this policy
- Shoorah Ltd (we or us or our) uses cookies when you visit our website, https://shoorah.io, (the Website) to help customise the Website and improve your experience using the Website.
- This policy applies between you, the user of this Website, and us, Shoorah Ltd, the owner and provider of this Website.
- Users of the Website must be 18 years of age or older and so our cookies and this policy are not applicable to children.
- When you visit the Website, and before your Website places cookies on your computer, you will be presented with a message bar requesting your consent to set those cookies. By giving your consent to the placing of cookies, you are enabling us to provide a better experience and service. You may, if you wish, deny consent to the placing of these cookies; however, certain features of the Website may not function fully or as intended.
- This cookie policy should be read alongside, and in addition to, our Privacy Policy, which can be found at: Please see legals page for all documents relating to Shoorah legals.
What are cookies?
- A cookie is a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website.
- This Website may place and access certain cookies on your computer. We use these cookies to improve your experience of using the Website.
- Cookies do not usually contain any information that personally identifies you, the Website user. However, personal information that we store about you may be linked to the information obtained from and stored in cookies. For more information on how such personal information is handled and stored, refer to our Privacy Policy which is available online at: Please see legals page for all documents relating to Shoorah legals.
Types of cookies
- This Website uses the following cookies:
Type of Cookie | Purpose |
---|---|
Strictly necessary cookies | These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. |
Analytical/performance cookies | They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. |
Functionality cookies | These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). By using the Website, you agree to our placement of functionality cookies. |
Targeting cookies | These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose. |
- You can find a list of the cookies that we use in the attached Cookie Schedule.
- We have carefully chosen these cookies and have taken steps to ensure that your privacy is protected and respected at all times.
How to control your cookies
- You can choose to enable or disable cookies in your internet browser. By default, most internet browsers accept cookies but this can be changed. For further details, please see the help menu in your internet browser.
- You can switch off cookies at any time; however, you may lose information that enables you to access the Website more quickly and efficiently.
- It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
- For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.
Changes to this policy
- Shoorah Ltd reserves the right to change this cookie policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the cookie policy on your first use of the Website following the alterations.
Contact details
- The Website is owned by Shoorah Ltd incorporated in England and Wales with registered number 14174217 whose registered office is at Spectrum House 2b, Suttons Lane, Hornchurch, Essex, RM12 6RJ, England.
- You may contact us:
- by post using the address above.
- by email at info@shoorah.io.
- using the contact form on the Website.
INFORMATION SECURITY POLICY
Statement of policy
- Shoorah Ltd (the Employer, we or our) is committed to the highest standards of information security and treats data security and confidentiality extremely seriously.
- This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, temporary and agency workers, trainees, casual and fixed-term staff, apprentices, interns and any volunteers (Staff or you).
- All Staff must familiarise themselves with this policy and comply with its terms.
Purpose of policy
- In relation to personal data, under the UK General Data Protection Regulation (the UK GDPR), the Employer must:
- ensure the security of personal data, including protection against any unlawful or unauthorised data processing and accidental loss, damage or destruction, by utilising appropriate technical or organisational measures;
- demonstrate the consideration and integration of data compliance measures into the Employer’s data processing activities, by implementing appropriate technical or organisational measures; and
- be able to demonstrate the use and implementation of such appropriate technical or organisational measures.
- The purpose of this policy is to:
- protect against any potential breaches of confidentiality;
- protect the Employer’s informational assets and IT systems and facilities against any loss, damage or misuse;
- ensure that Staff are aware of and comply with UK laws and the Employer’s policies and procedures on the processing of personal data; and
- raise awareness of and clarify the responsibilities and duties of Staff in respect of information security, data security and confidentiality.
- This is a statement of policy only and does not form part of your contract of employment. The Employer may amend this policy at any time, in our absolute discretion, and we will do so in accordance with our data protection and other obligations. A new copy of the policy will be circulated whenever it is changed.
- For the purposes of this policy:
- Business Information means any of the Employer’s business-related information other than personal data about customers, clients, suppliers and other business contacts;
- Confidential Information means any trade secrets or other confidential information (belonging to the Employer or third parties) processed by the Employer;
- Personal Data means any information that relates to an individual who can be identified from that information, either directly or indirectly; and
- Sensitive Personal Data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), health, sex life, sexual orientation, genetic information or biometric information (where this is used to identify an individual).
Roles and responsibilities
- All Staff have a responsibility for information security. The Employer’s Data Protection Officer (DPO) has overall responsibility for this policy. Specifically, they must:
- implement and maintain this policy;
- monitor potential and actual security breaches;
- ensure Staff are aware of their responsibilities in relation to information security and confidentiality; and
- ensure compliance with the UK GDPR and all other relevant legislation and guidance.
Scope of this policy
- This policy covers all written, verbal and digital information held, used or transmitted by or on behalf of the Employer, irrespective of media. This includes, but is not limited to:
- paper records;
- hand-held devices;
- telephones;
- information stored on computer systems; and
- information passed on verbally.
- The information covered by this policy may include:
- Personal Data relating to Staff, customers, clients or suppliers;
- other Business Information; and
- Confidential Information.
- This policy supplements the Employer’s policies relating to data protection, internet, email and communications, and document retention, including the Employer’s:
The content of these policies must be considered and taken into account alongside this policy.
General principles
- All information must be:
- treated as commercially valuable; and
- protected from loss, theft, misuse or inappropriate access or disclosure.
- Through the use of appropriate technical and organisational measures all Personal Data, including Sensitive Personal Data, must be protected against:
- unauthorised and/or unlawful processing; and
- accidental loss, destruction or damage.
- Staff and line managers should discuss what security measures (including technical and organisational measures) are appropriate and which exist to protect any information accessed by Staff in the course of employment.
- Any information, apart from Personal Data, is owned by the Employer and not by an individual or team.
- Any information must only be used in connection with work being undertaken for the Employer. It must not be used for any other personal or commercial purposes.
- Any Personal Data must only be processed for the specified, explicit and legitimate purpose for which it is collected.
Information management
- Any Personal Data must be processed in accordance with:
- the data protection principles;
- the Employer’s policies on data protection generally; and
- the Employer’s other relevant policies.
- All Personal Data collected, used and stored must be:
- adequate, relevant and limited to what is necessary for the relevant purposes; and
- kept accurate and up to date.
- The Employer will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage. These measures include:
- The encryption of Personal Data.
- Dual-factor authentication.
- The use of strong passwords.
- Password protection on any documents containing Sensitive Personal Data.
- Restricted access and staff access levels in place, notifications of deleted and exported data, login logs and security prompts. No one outside the shoorah domain can access internal files, and the file system cannot be shared with anyone outside the shoorah.io domain.
- Any Personal Data and Confidential Information must not be kept any longer than is necessary and will be stored and destroyed in accordance with our policies on data retention.
Human resources (HR) information
- Due to the internal confidentiality of personnel files, access to these files and any information contained therein is limited to the HR Department. Non-HR Staff are not authorised to access HR information, except as provided for in any individual roles.
- Personnel information must also be kept strictly confidential by any Staff involved in:
- the recruitment process;
- a management role; or
- a supervisory role.
- Under the UK GDPR and other relevant legislation, Staff may ask to see their personnel files and obtain access to any other Personal Data about them.
Access to offices and information
- All office doors, office keys and access codes must, at all times, be kept secure. Office keys and access codes must at no time be given to or communicated to any third parties.
- All documents containing and any equipment displaying Confidential Information should be placed and positioned so that anyone passing by cannot see them (e.g. through office windows or glass doors).
- Any visitors must:
- sign in at reception;
- be accompanied by Staff at all times; and
- not be left alone in areas or situations where they may have access to Confidential Information.
- Meetings with visitors must, where possible, take place in meeting rooms. If a visitor meeting takes place outside a meeting room, in an office or other room containing Employer information, steps must be taken to ensure no Confidential Information is visible and accessible to the visitors.
- All paper documents, backup systems and devices containing Confidential Information must be securely locked away:
- whenever desks are unoccupied; and
- at the end of the working day.
Computers and IT
- Where available on our systems, password protection and encryption must be used to maintain confidentiality.
- All computers and other electronic devices must be password protected. Such passwords must be changed regularly and must not be recorded anywhere (e.g. written down) or made available to others.
- To minimise the risk of accidental loss or disclosure, all computers and other electronic devices must be locked when not in use, including when left unattended at a desk.
- All data held electronically must be securely backed up as soon as possible in accordance with the Employer’s internal backup procedure.
- Confidential Information must not be copied onto removable hard drives, CDs or DVDs, floppy disks or memory sticks, without the express permission of the IT Department. Any Personal Data held on such devices must, as soon as possible, be transferred to the Employer’s computer network to be backed up and then deleted from the device.
- Staff must:
- ensure that they do not introduce viruses, malware or malicious codes onto the Employer’s systems.
- not install or download from the internet any software without it first being checked for viruses.
Staff should speak to the IT Department for more information and guidance on appropriate steps to be taken to ensure compliance.
Communications and transfer of information
- When speaking in public places (e.g. when speaking on a mobile phone), Staff must take care in maintaining confidentiality.
- Confidential Information must be marked ‘strictly private and confidential’ and circulated only to those who need to know the information in the course of their work.
- Confidential Information must not be removed from the Employer’s offices (and systems) unless required for authorised business purposes, and then only in accordance with the subsequent paragraph.
- If the removal of Confidential Information from the Employer’s offices is permitted, all reasonable steps must be taken to maintain the confidentiality and integrity of the information. This includes, but is not limited to, Staff ensuring that Confidential Information is:
- stored with strong password protection, with devices and files kept locked when not in use;
- not transported in see-through or other unsecured bags or cases, when in paper copy;
- not read in public places when working remotely (e.g. in waiting rooms or on trains); and
- not left unattended or in any place where it is at risk (e.g. in airports or conference centres).
- Care must be taken to verify all postal and email addresses before any information is sent to them. Particular care must be taken when checking and verifying email addresses where auto-complete features may have inserted incorrect email addresses.
- Before being sent by email or recorded delivery, all sensitive or particularly confidential information should be encrypted.
Personal email and cloud storage accounts
- Personal email accounts (e.g. Google, Hotmail and Yahoo) and cloud storage services (e.g. Google Drive, iCloud and OneDrive) are vulnerable to hacking and do not provide the same level of security as the services provided by the Employer’s IT systems.
- Staff must not use personal email accounts or cloud storage accounts for work purposes.
- If large amounts of data need to be transferred, Staff should speak to the IT Department.
Working from home
- Unless required for authorised business purposes, and then only in accordance with the subsequent paragraph, Staff must not take information home with them.
- Where information is permitted to be taken home, Staff must ensure that appropriate technical and practical measures are in place within the home to maintain the continued security and confidentiality of that information. In particular, all Confidential Information and Personal Data must be:
- kept in a secure and locked location, where it cannot be accessed by others (including family members and guests); and
- retained and disposed of in accordance with paragraph 21 above.
- Staff must not store any Confidential Information on their home computers or other devices (e.g. laptops, PCs or tablets).
Transfers to third parties
- Third party service providers should only be engaged to process information where appropriate written agreements are in place to ensure that they offer appropriate data protection, confidentiality and information security protections and undertakings. Care must be taken to consider whether any such third party service providers will be considered data processors for the purpose of the UK GDPR.
- Staff involved in the process of setting up new arrangements or altering existing arrangements with third parties should speak to and consult with the DPO for more information and guidance.
International data transfers
- There are restrictions on (onward) transfers of Personal Data to international organisations outside of the UK. Staff may only transfer Personal Data outside the UK (including to international organisations outside the UK) if there are sufficient and adequate protections in place. Before making any transfers, Staff should speak to, and seek written authorisation from, the DPO.
- For more information, please contact the DPO or Legal Department.
Training
- The Employer will provide training on the concepts and measures contained in this policy to all Staff as part of the induction process and at regular intervals thereafter or whenever there is a substantial change in the law or our policies and procedures.
- Training is provided online. The completion of such training is compulsory. The Employer will continually monitor training needs but if you feel that you need further training on any aspect of the relevant law or this policy, please contact the DPO.
Reporting data breaches
- All Staff are under an obligation to report actual or potential data protection compliance breaches to enable the Employer to:
- investigate the breach and take any necessary remedial actions;
- maintain a register of compliance breaches; and
- make any applicable notifications (e.g. to the Information Commissioner’s Office).
- For more information on the Employer’s reporting procedure, contact the DPO.
Consequences of non-compliance
- The Employer takes compliance with this policy very seriously and failure to comply with this policy puts Staff and the Employer alike at significant risk.
- Due to the importance of this policy, failure to comply with any of its procedures and requirements may result in disciplinary action and dismissal.
- If you have any questions or concerns about anything in this policy, please contact the DPO at info@shoorah.io.
PRIVACY POLICY
This privacy policy applies between you, the User of this Website, and Shoorah Ltd, the owner and provider of this Website. Shoorah Ltd takes the privacy of your information very seriously. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website.
This privacy policy should be read alongside, and in addition to, our Terms and Conditions, which can be found at: Please see the legals page on the Shoorah.io website.
Please read this privacy policy carefully.
Definitions and interpretation
- In this privacy policy, the following definitions are used:
Data | collectively all information that you submit to Shoorah Ltd via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws; |
Cookies | a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Cookies); |
Data Protection Laws | any applicable law relating to the processing of personal Data, including but not limited to the GDPR, and any national implementing and supplementary laws, regulations and secondary legislation; |
GDPR | the UK General Data Protection Regulation; |
Shoorah Ltd, | Shoorah Ltd, a company incorporated in England and Wales with registered number 14174217 whose registered office is at Spectrum House 2b, Suttons Lane, Hornchurch, Essex, RM12 6RJ; |
UK and EU Cookie Law | the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 & the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2018; |
User or you | any third party that accesses the Website and is not either (i) employed by Shoorah Ltd and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Shoorah Ltd and accessing the Website in connection with the provision of such services; and |
Website | the website that you are currently using, https://shoorah.io, and any sub-domains of this site unless expressly excluded by their own terms and conditions. |
- In this privacy policy, unless the context requires a different interpretation:
- the singular includes the plural and vice versa;
- references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- “including” is understood to mean “including without limitation”;
- reference to any statutory provision includes any modification or amendment of it;
- the headings and sub-headings do not form part of this privacy policy.
Scope of this privacy policy
- This privacy policy applies only to the actions of Shoorah Ltd and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.
- For purposes of the applicable Data Protection Laws, Shoorah Ltd is the “data controller”. This means that Shoorah Ltd determines the purposes for which, and the manner in which, your Data is processed.
Data collected
- We may collect the following Data, which includes personal Data, from you:
- name;
- date of birth;
- gender;
- job title;
- profession;
- contact Information such as email addresses and telephone numbers;
- demographic information such as postcode, preferences and interests;
- financial information such as credit / debit card numbers;
- IP address (automatically collected);
- web browser type and version (automatically collected);
- operating system (automatically collected);
- a list of URLs starting with a referring site, your activity on this Website, and the site you exit to (automatically collected);
- in-app tracking data, such as user behaviour and counts of inputs in features such as journal and moods. This data is used to improve the iOS & Android platforms and for Shoorah to tailor better content to its users;
in each case, in accordance with this privacy policy.
How we collect Data
- We collect Data in the following ways:
- data is given to us by you;
- data is received from other sources; and
- data is collected automatically.
Data that is given to us by you
- Shoorah Ltd will collect your Data in a number of ways, for example:
- when you contact us through the Website, by telephone, post, e-mail or through any other means;
- when you register with us and set up an account to receive our products/services;
- when you complete surveys that we use for research purposes (although you are not obliged to respond to them);
- when you enter a competition or promotion through a social media channel;
- when you make payments to us, through this Website or otherwise;
- when you elect to receive marketing communications from us;
- when you use our services;
- Online data and 3rd party partner resources;
in each case, in accordance with this privacy policy.
Data that is received from third parties
- Shoorah Ltd will receive Data about you from the following third parties:
- AI and big data companies who provide platform and/or software as a service. When receiving such Data we will comply with our standard terms and conditions at all times.
Data that is received from publicly available third party sources
- We will receive Data about you from the following publicly available third party sources:
- Shoorah may from time to time use platforms such as Google, Meta, LinkedIn and other publicly ready platforms to collect data and/or pull data.
Data that is collected automatically
- To the extent that you access the Website, we will collect your Data automatically, for example:
- we automatically collect some information about your visit to the Website. This information helps us to make improvements to Website content and navigation, and includes your IP address, the date, times and frequency with which you access the Website and the way you use and interact with its content.
- we will collect your Data automatically via cookies, in line with the cookie settings on your browser. For more information about cookies, and how we use them on the Website, see the section below, headed “Cookies”.
Our use of Data
- Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
- internal record keeping;
- improvement of our products / services;
- transmission by email of marketing materials that may be of interest to you;
- contact for market research purposes which may be done using email, telephone, fax or mail. Such information may be used to customise or update the Website;
in each case, in accordance with this privacy policy to allow us to provide support and provide recommendations as part of our service in accordance with our standard terms and conditions.
- We may use your Data for the above purposes if we deem it necessary to do so for our legitimate interests. If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed “Your rights” below).
- For the delivery of direct marketing to you via e-mail, we’ll need your consent, whether via an opt-in or soft-opt-in:
- soft opt-in consent is a specific type of consent which applies when you have previously engaged with us (for example, you contact us to ask us for more details about a particular product/service, and we are marketing similar products/services). Under “soft opt-in” consent, we will take your consent as given unless you opt-out.
- for other types of e-marketing, we are required to obtain your explicit consent; that is, you need to take positive and affirmative action when consenting by, for example, checking a tick box that we’ll provide.
- if you are not satisfied with our approach to marketing, you have the right to withdraw consent at any time. To find out how to withdraw your consent, see the section headed “Your rights” below.
- When you register with us and set up an account to receive our services, the legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
- We may use your Data to show you Shoorah Ltd adverts and other content on other websites. If you do not want us to use your data to show you Shoorah Ltd adverts and other content on other websites, please turn off the relevant cookies (please refer to the section headed “Cookies” below).
Who we share Data with
- We may share your Data with the following groups of people for the following reasons:
- any of our group companies or affiliates – to ensure the proper administration of your website and business;
- our employees, agents and/or professional advisors – to obtain advice from professional advisers;
- third party service providers who provide services to us which require the processing of personal data – to help third party service providers in receipt of any shared data to perform functions on our behalf to help ensure the website runs smoothly;
- third party payment providers who process payments made over the Website – to enable third party payment providers to process user payments and refunds. 3rd parties such as Apple & Google Pay;
- relevant authorities – to facilitate the detection of crime or the collection of taxes or duties;
in each case, in accordance with this privacy policy.
Keeping Data secure
- We will use technical and organisational measures to safeguard your Data, for example:
- access to your account is controlled by a password and a user name that is unique to you.
- we store your Data on secure servers.
- payment details are encrypted using SSL technology (typically you will see a lock icon or green address bar (or both) in your browser when we use this technology).
- We are certified to ICO, Microsoft security, AWS security software. This family of standards helps us manage your Data and keep it secure.
- Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: info@shoorah.io.
- If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Data retention
- Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted.
- Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes.
Your rights
- You have the following rights in relation to your Data:
- Right to access – the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is “manifestly unfounded or excessive.” Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
- Right to correct – the right to have your Data rectified if it is inaccurate or incomplete.
- Right to erase – the right to request that we delete or remove your Data from our systems.
- Right to restrict our use of your Data – the right to “block” us from using your Data or limit the way in which we can use it.
- Right to data portability – the right to request that we move, copy or transfer your Data.
- Right to object – the right to object to our use of your Data including where we use it for our legitimate interests.
- To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: info@shoorah.io.
- If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner’s Office (ICO). The ICO’s contact details can be found on their website at https://ico.org.uk/.
- It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.
Links to other websites
- This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.
Changes of business ownership and control
- Shoorah Ltd may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of Shoorah Ltd. Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
- We may also disclose Data to a prospective purchaser of our business or any part of it.
- In the above instances, we will take steps with the aim of ensuring your privacy is protected.
Cookies
- This Website may place and access certain Cookies on your computer. Shoorah Ltd uses Cookies to improve your experience of using the Website. Shoorah Ltd has carefully chosen these Cookies and has taken steps to ensure that your privacy is protected and respected at all times.
- All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.
- Before the Website places Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling Shoorah Ltd to provide a better experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however, certain features of the Website may not function fully or as intended.
- This Website may place the following Cookies:
Type of Cookie | Purpose |
---|---|
Strictly necessary cookies | These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services. |
Analytical/performance cookies | They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. |
Functionality cookies | These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region). By using the Website, you agree to our placement of functionality cookies. |
Targeting cookies | These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose. |
- You can find a list of Cookies that we use in the Cookies Schedule.
- You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please see the help menu in your internet browser. You can switch off Cookies at any time; however, you may lose any information that enables you to access the Website more quickly and efficiently.
- You can choose to delete Cookies at any time; however, you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
- It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
- For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.
General
- You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
- If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- This Agreement will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement will be subject to the exclusive jurisdiction of the English and Welsh courts.
Changes to this privacy policy
- Shoorah Ltd reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations.
You may contact Shoorah Ltd by email at info@shoorah.io.
Cookies
Below is a list of the cookies that we use. We have tried to ensure this is complete and up to date, but if you think that we have missed a cookie or there is any discrepancy, please let us know.
Strictly necessary
We use the following strictly necessary cookies:
Description | Purpose |
---|---|
We use this session cookie to remember you and maintain your session whilst you are using our website | Retarget users, showcase correct content to correct user in GEO location, IP Tracking and user behaviour |
Functionality
We use the following functionality cookies:
Description | Purpose |
---|---|
Functionality cookies | We use this cookie to identify your computer and analyse traffic patterns on our website. |
Analytical/performance
We use the following analytical/performance cookies:
Description | Purpose |
---|---|
Analytical or performance cookies | We use this cookie to help us analyse how users use the website |
Targeting
We use the following targeting cookies:
Description | Purpose |
---|---|
Targeting cookies | We use this cookie to enable us to show you adverts while you are browsing our website and other websites on the internet. |
DISCLAIMER
Shuru is a chatbot based on OpenAI and designed through the use of large data programs built by independent well-being experts. The information provided by Shuru is supplied by a natural person and Shuru cannot express human emotions. Shuru’s intended use is to provide evidence and research based tools and techniques to assist with managing natural emotions and encouraging mental well-being in a positive self-help context. Shuru is not intended for providing diagnosis, treatments, or cures for any health conditions whatsoever. Shuru does not offer medical, legal or financial advice nor does it hold itself out to be qualified to provide the same. Shuru will only ever provide guidance or support and shall never be held responsible for the actions or decisions of its users.
Shuru is not designed to assist with crises such as abuse, trauma or mental health conditions that may cause feelings of suicide, harm to self or any other medical emergencies. In any of these cases users should immediately seek the appropriate professional help or speak with their GP.
User data is not shared and is used for analytics purposes only and to continually improve the Shuru tool. Communications between users and Shuru are completely anonymous.
TERMS AND CONDITIONS
Please read all these terms and conditions.
As we can accept your order and make a legally enforceable agreement without further reference to you, you must read these terms and conditions to make sure that they contain all that you want and nothing that you are not happy with.
Application
- These Terms and Conditions will apply to the purchase of the services by you (the Customer or you). We are Shoorah Ltd, a company registered in England and Wales under number 14174217 whose registered office is at Spectrum House 2b, Suttons Lane, Hornchurch, Essex, RM12 6RJ with email address info@shoorah.io (the Supplier or us or we).
- These are the terms on which we sell all Services to you. By ordering any of the Services, you agree to be bound by these Terms and Conditions. You can only purchase the Services from the Website if you are eligible to enter into a Contract and are at least 18 years old.
Interpretation
- Consumer means an individual acting for purposes which are wholly or mainly outside their trade, business, craft or profession;
- Contract means the legally-binding agreement between you and us for the supply of the Services;
- Delivery Location means the Supplier’s premises or other location where the Services are to be supplied, as set out in the Order;
- Durable Medium means paper or email, or any other medium that allows information to be addressed personally to the recipient, enables the recipient to store the information in a way accessible for future reference for a period that is long enough for the purposes of the information, and allows the unchanged reproduction of the information stored;
- Order means the Customer’s order for the Services from the Supplier as submitted following the step by step process set out on the Website;
- Privacy Policy means the terms which set out how we will deal with confidential and personal information received from you via the Website;
- Services means the services advertised on the Website;
- Website means our website https://shoorah.io on which the Services are advertised.
Services
- The description of the Services is as set out, provided for and advertised on the Website.
- In the case of Services made to your special requirements, it is your responsibility to ensure that any information or specification you provide is accurate.
- All Services which appear on the Website are subject to availability which shall be confirmed by us.
- We can make changes to the Services which are necessary to comply with any applicable law or safety requirement. We will notify you of these changes.
Customer responsibilities
- You must co-operate with us in all matters relating to the Services, provide us and our authorised employees and representatives with access to any premises under your control as required, provide us with all information required to perform the Services and obtain any necessary licences and consents (unless otherwise agreed).
- Failure to comply with the above is a Customer default which entitles us to suspend performance of the Services until you remedy it or if you fail to remedy it following our request, we can terminate the Contract with immediate effect on written notice to you.
Personal information
- We retain and use all information strictly under the Privacy Policy.
- We may contact you by using e-mail or other electronic communication methods or by pre-paid post and you expressly agree to this.
Basis of Sale
- The description of the Services in our website does not constitute a contractual offer to sell the Services. When an Order has been submitted on the Website, we can reject it for any reason, although we will try to tell you the reason without delay.
- The Order process is set out on the Website. Each step allows you to check and amend any errors before submitting the Order. It is your responsibility to check that you have used the ordering process correctly.
- A Contract will be formed for the Services ordered only when you receive an email from us confirming the Order (Order Confirmation). You must ensure that the Order Confirmation is complete and accurate and inform us immediately of any errors. We are not responsible for any inaccuracies in the Order placed by you. By placing an Order you agree to us giving you confirmation of the Contract by means of an email with all information in it (ie the Order Confirmation). You will receive the Order Confirmation within a reasonable time after making the Contract, but in any event before performance begins of any of the Services.
- Any quotation or estimate of Fees (as defined below) is valid for a maximum period of _________________ days from its date, unless we expressly withdraw it at an earlier time.
- No variation of the Contract, whether about description of the Services, Fees or otherwise, can be made after it has been entered into unless the variation is agreed by the Customer and the Supplier in writing.
- We intend that these Terms and Conditions apply only to a Contract entered into by you as a Consumer. If this is not the case, you must tell us, so that we can provide you with a different contract with terms which are more appropriate for you and which might, in some respects, be better for you, eg by giving you rights as a business.
Fees and Payment
- The fees (Fees) for the Services (if not included in the Fees) and any additional delivery or other charges is that set out on the Website at the date we accept the Order or such other price as we may agree in writing. Prices for Services may be calculated on a fixed price or on a standard daily rate basis.
- Fees and charges include VAT at the rate applicable at the time of the Order.
- You must pay by submitting your credit or debit card details with your Order and we can take payment immediately or otherwise before delivery of the Services.
Delivery of the Services
- We will deliver the Services within the agreed period or, failing any agreement, within a reasonable time.
- In any case, regardless of events beyond our control, if we do not deliver the Services on time, you can require us to reduce the Fees or charges by an appropriate amount (including the right to receive a refund for anything already paid above the reduced amount). The amount of the reduction can, where appropriate, be up to the full amount of the Fees or charges.
- If you treat the Contract at an end, we will (in addition to other remedies) promptly return all payments made under the Contract.
Withdrawal and cancellation
- You can withdraw the Order by telling us before the Contract is made, if you simply wish to change your mind and without giving us a reason, and without incurring any liability.
Right to cancel
- Subject as stated in these Terms and Conditions, you can cancel this contract within 14 days without giving any reason.
- The cancellation period will expire after 14 days from the day the Contract was entered into.
- To exercise the right to cancel, you must inform us of your decision to cancel this Contract by a clear statement setting out your decision (eg a letter sent by post or email). You can use the attached model cancellation form, but it is not obligatory. In any event, you must be able to show clear evidence of when the cancellation was made, so you may decide to use the model cancellation form.
- You can also electronically fill in and submit the model cancellation form or any other clear statement of the Customer’s decision to cancel the Contract on our website https://shoorah.io. If you use this option, we will communicate to you an acknowledgement of receipt of such a cancellation in a Durable Medium (eg by email) without delay.
- To meet the cancellation deadline, it is sufficient for you to send your communication concerning your exercise of the right to cancel before the cancellation period has expired.
Commencement of Services in the cancellation period
- We must not begin the supply of a service (being part of the Services) before the end of the cancellation period unless you have made an express request for the service.
Effects of cancellation in the cancellation period
- Except as set out below, if you cancel this Contract, we will reimburse to you all payments received from you, including the costs of delivery (except for the supplementary costs arising if you chose a type of delivery other than the least expensive type of standard delivery offered by us).
Payment for Services commenced during the cancellation period
- Where a service is supplied (being part of the Service) before the end of the cancellation period in response to your express request to do so, you must pay an amount for the supply of the service for the period for which it is supplied, ending with the time when we are informed of your decision to cancel the Contract. This amount is in proportion to what has been supplied in comparison with the full coverage of the Contract. This amount is to be calculated on the basis of the total price agreed in the Contract or, if the total price were to be excessive, on the basis of the market value of the service that has been supplied, calculated by comparing prices for equivalent services supplied by other traders. You will bear no cost for supply of that service, in full or in part, in this cancellation period if that service is not supplied in response to such a request.
Conformity
- We will supply the Services with reasonable skill and care.
- In relation to the Services, anything we say or write to you, or anything someone else says or writes to you on our behalf, about us or about the Services, is a term of the Contract (which we must comply with) if you take it into account when deciding to enter this Contract, or when making any decision about the Services after entering into this Contract. Anything you take into account is subject to anything that qualified it and was said or written to you by us or on behalf of us on the same occasion, and any change to it that has been expressly agreed between us (before entering this Contract or later).
Duration, termination and suspension
- The Contract shall continue for as long as it takes us to perform the Services.
- Either you or we may terminate the Contract or suspend the Services at any time by a written notice of termination or suspension to the other if that other:
- commits a serious breach, or series of breaches resulting in a serious breach, of the Contract and the breach either cannot be fixed or is not fixed within 30 days of the written notice; or
- is subject to any step towards its bankruptcy or liquidation.
- On termination of the Contract for any reason, any of our respective remaining rights and liabilities will not be affected.
Successors and our sub-contractors
- Either party can transfer the benefit of this Contract to someone else, and will remain liable to the other for its obligations under the Contract. The Supplier will be liable for the acts of any sub-contractors who it chooses to help perform its duties.
Circumstances beyond the control of either party
- In the event of any failure by a party because of something beyond its reasonable control:
- the party will advise the other party as soon as reasonably practicable; and
- the party’s obligations will be suspended so far as is reasonable, provided that that party will act reasonably, and the party will not be liable for any failure which it could not reasonably avoid, but this will not affect the Customer’s above rights relating to delivery (and the right to cancel below).
Privacy
- Your privacy is critical to us. We respect your privacy and comply with the General Data Protection Regulation with regard to your personal information.
- These Terms and Conditions should be read alongside, and are in addition to, our policies, including our privacy policy (please see the legal page for Shoorah on the shoorah.io website) and cookies policy (please see the legal page for Shoorah on the shoorah.io website).
- For the purposes of these Terms and Conditions:
- ‘Data Protection Laws’ means any applicable law relating to the processing of Personal Data, including, but not limited to the GDPR.
- ‘GDPR’ means the UK General Data Protection Regulation.
- ‘Data Controller’, ‘Personal Data’ and ‘Processing’ shall have the same meaning as in the GDPR.
- We are a Data Controller of the Personal Data we Process in providing the Services to you.
- Where you supply Personal Data to us so we can provide Services to you, and we Process that Personal Data in the course of providing the Services to you, we will comply with our obligations imposed by the Data Protection Laws:
- before or at the time of collecting Personal Data, we will identify the purposes for which information is being collected;
- we will only Process Personal Data for the purposes identified;
- we will respect your rights in relation to your Personal Data; and
- we will implement technical and organisational measures to ensure your Personal Data is secure.
- For any enquiries or complaints regarding data privacy, you can e-mail: info@shoorah.io.
Excluding liability
- The Supplier does not exclude liability for: (i) any fraudulent act or omission; or (ii) death or personal injury caused by negligence or breach of the Supplier’s other legal obligations. Subject to this, we are not liable for (i) loss which was not reasonably foreseeable to both parties at the time when the Contract was made, or (ii) loss (eg loss of profit) to your business, trade, craft or profession which would not be suffered by a Consumer.
Governing law, jurisdiction and complaints
- The Contract (including any non-contractual matters) is governed by the law of England and Wales.
- Disputes can be submitted to the jurisdiction of the courts of England and Wales or, where the Customer lives in Scotland or Northern Ireland, in the courts of respectively Scotland or Northern Ireland.
- We try to avoid any dispute, so we deal with complaints as follows: in app support and/or by sending an email to the email address provided: info@shoorah.io.
Model cancellation Form
To Shoorah Ltd Spectrum House 2b, Suttons Lane, Hornchurch, Essex, RM12 6RJ Email address: info@shoorah.io
I/We [*] hereby give notice that I/We [*] cancel my/our [*] contract of sale for the supply of the following service [*],
Ordered on [*]/received on [*] ______________________ (date received)
Name of consumer(s):
Address of consumer(s):
Signature of consumer(s) (only if this form is notified on paper)
Date
[*] Delete as appropriate.
TERMS AND CONDITIONS OF USE
Introduction
These terms and conditions apply between you, the User of this Website (including any sub-domains, unless expressly excluded by their own terms and conditions), and Shoorah Ltd, the owner and operator of this Website. Please read these terms and conditions carefully, as they affect your legal rights. Your agreement to comply with and be bound by these terms and conditions is deemed to occur upon your first use of the Website. If you do not agree to be bound by these terms and conditions, you should stop using the Website immediately.
In these terms and conditions, User or Users means any third party that accesses the Website and is not either (i) employed by Shoorah Ltd and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Shoorah Ltd and accessing the Website in connection with the provision of such services.
You must be at least 18 years of age to use this Website. By using the Website and agreeing to these terms and conditions, you represent and warrant that you are at least 18 years of age.
Intellectual property and acceptable use
- All Content included on the Website, unless uploaded by Users, is the property of Shoorah Ltd, our affiliates or other relevant third parties. In these terms and conditions, Content means any text, graphics, images, audio, video, software, data compilations, page layout, underlying code and software and any other form of information capable of being stored in a computer that appears on or forms part of this Website, including any such content uploaded by Users. By continuing to use the Website you acknowledge that such Content is protected by copyright, trademarks, database rights and other intellectual property rights. Nothing on this site shall be construed as granting, by implication, estoppel, or otherwise, any license or right to use any trademark, logo or service mark displayed on the site without the owner’s prior written permission.
- You may, for your own personal, non-commercial use only, do the following:
- retrieve, display and view the Content on a device
- download and store the Content in electronic form on a disk (but not on any server or other storage device connected to a network)
- print one copy of the Content
- You must not otherwise reproduce, modify, copy, distribute or use for commercial purposes any Content without the written permission of Shoorah Ltd.
Prohibited use
- You may not use the Website for any of the following purposes:
- in any way which causes, or may cause, damage to the Website or interferes with any other person’s use or enjoyment of the Website;
- in any way which is harmful, unlawful, illegal, abusive, harassing, threatening or otherwise objectionable or in breach of any applicable law, regulation, governmental order;
- making, transmitting or storing electronic copies of Content protected by copyright without the permission of the owner.
Registration
- You must ensure that the details provided by you on registration or at any time are correct and complete.
- You must inform us immediately of any changes to the information that you provide when registering by updating your personal details to ensure we can communicate with you effectively.
- We may suspend or cancel your registration with immediate effect for any reasonable purposes or if you breach these terms and conditions.
- You may cancel your registration at any time by informing us in writing to the address at the end of these terms and conditions. If you do so, you must immediately stop using the Website. Cancellation or suspension of your registration does not affect any statutory rights.
Links to other websites
- This Website may contain links to other sites. Unless expressly stated, these sites are not under the control of Shoorah Ltd or that of our affiliates.
- We assume no responsibility for the content of such Websites and disclaim liability for any and all forms of loss or damage arising out of the use of them.
- The inclusion of a link to another site on this Website does not imply any endorsement of the sites themselves or of those in control of them.
Privacy Policy and Cookies Policy
- Use of the Website is also governed by our Privacy Policy and Cookies Policy, which are incorporated into these terms and conditions by this reference. To view the Privacy Policy and Cookies Policy, please refer to our legals page on the shoorah.io website.
Availability of the Website and disclaimers
- Any online facilities, tools, services or information that Shoorah Ltd makes available through the Website (the Service) is provided “as is” and on an “as available” basis. We give no warranty that the Service will be free of defects and/or faults. To the maximum extent permitted by the law, we provide no warranties (express or implied) of fitness for a particular purpose, accuracy of information, compatibility and satisfactory quality. Shoorah Ltd is under no obligation to update information on the Website.
- Whilst Shoorah Ltd uses reasonable endeavours to ensure that the Website is secure and free of errors, viruses and other malware, we give no warranty or guaranty in that regard and all Users take responsibility for their own security, that of their personal details and their computers.
- Shoorah Ltd accepts no liability for any disruption or non-availability of the Website.
- Shoorah Ltd reserves the right to alter, suspend or discontinue any part (or the whole) of the Website including, but not limited to, any products and/or services available. These terms and conditions shall continue to apply to any modified version of the Website unless it is expressly stated otherwise.
Limitation of liability
- Nothing in these terms and conditions will: (a) limit or exclude our or your liability for death or personal injury resulting from our or your negligence, as applicable; (b) limit or exclude our or your liability for fraud or fraudulent misrepresentation; or (c) limit or exclude any of our or your liabilities in any way that is not permitted under applicable law.
- We will not be liable to you in respect of any losses arising out of events beyond our reasonable control.
- To the maximum extent permitted by law, Shoorah Ltd accepts no liability for any of the following:
- any business losses, such as loss of profits, income, revenue, anticipated savings, business, contracts, goodwill or commercial opportunities;
- loss or corruption of any data, database or software;
- any special, indirect or consequential loss or damage.
General
- You may not transfer any of your rights under these terms and conditions to any other person. We may transfer our rights under these terms and conditions where we reasonably believe your rights will not be affected.
- These terms and conditions may be varied by us from time to time. Such revised terms will apply to the Website from the date of publication. Users should check the terms and conditions regularly to ensure familiarity with the then current version.
- These terms and conditions together with the Privacy Policy and Cookies Policy contain the whole agreement between the parties relating to its subject matter and supersede all prior discussions, arrangements or agreements that might have taken place in relation to the terms and conditions.
- The Contracts (Rights of Third Parties) Act 1999 shall not apply to these terms and conditions and no third party will have any right to enforce or rely on any provision of these terms and conditions.
- If any court or competent authority finds that any provision of these terms and conditions (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of these terms and conditions will not be affected.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- This Agreement shall be governed by and interpreted according to the law of England and Wales and all disputes arising under the Agreement (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh
Shoorah Ltd details
- Shoorah Ltd is a company incorporated in England and Wales with registered number 14174217 whose registered address is Spectrum House 2b, Suttons Lane, Hornchurch, Essex, RM12 6RJ and it operates the Website io. The registered VAT number is 430744023.
You can contact Shoorah Ltd by email on info@shoorah.io.
BREATHWORK DISCLAIMER
You should NOT use this feature if you are heavily pregnant, taking prescribed medication, have been diagnosed with any kind of breathing condition, or facing any health difficulties.
Personal Liability Statement & Health Certificate
Shoorah’s Breathwork is a platform that offers breathwork practices from certified experts with specialist qualifications. We aim to ensure that any breathwork techniques and method activities are carried out safely and correctly. Although we consider our products and features to be safe for generally healthy participants, we cannot assess the health risks particular to individual participants. Participants are notified about the health risks in advance via this written statement. Participants are responsible for and advised to consult their physician, doctor, or a professional who can offer specific professional advice and assess their health before using this platform. Should a participant experience any symptoms such as short breath, dizziness, fatigue, or the general feeling of unwellness, they should stop immediately and seek their own medical advice. By agreeing to this disclaimer and using the Shoorah platform, including engaging in the use of the Breathwork feature, you acknowledge this warning notice and fully understand that, by using the Breathwork practices, it is ultimately the participant’s responsibility to determine whether they are fit to take part.
PERSONAL LIABILITY STATEMENT
“I hereby declare that I participate in this activity voluntarily and entirely at my own risk. I shall not hold Shoorah Ltd or any of its experts or their representatives liable for any damages and/or injury resulting from participation in the activities when using the Shoorah platform and its features”.
HEALTH DECLARATION
Legal Acceptance
By accepting this legal disclaimer and by using this feature, you agree to Shoorah T&CS and the usage rights of this feature Breathwork by Shoorah, and you fully understand the risks and consequences of participating in the use of this feature. You hereby accept full responsibility for your participation and waive any legal rights you may have when agreeing to this disclaimer. Shoorah is not responsible for participant’s health and beyond this statement shall not provide any further advice or warnings, including the need to ask any medical questions or carry out any medical assessments or examination on participants before the use of this feature or any of its products or features.
Please sign below to confirm you have read and understood the above.
……………………………………………
Participant name:
Date:
Shoorah Marketplace User Disclaimer
Welcome to the Shoorah Marketplace – a curated space where our users can explore exclusive wellbeing offers from a range of third-party brands and businesses.
Before continuing, please read and accept the following terms:
• The Shoorah Marketplace features third-party products and services listed by independent brands.
• Shoorah Ltd does not own, operate, or directly supply the goods or services featured in the Marketplace.
• All transactions, purchases, and fulfilment are made directly between you and the listed brand.
• Each brand sets its own terms, conditions, refund policies, and delivery expectations. We strongly recommend you review these before making a purchase.
• Shoorah Ltd shall not be held liable for any issues related to orders, fulfilment, product quality, delivery, or customer service relating to third-party brands.
• Any disputes or requests should be directed to the partner brand from whom the product or service was purchased.
Consent Box:
☐ I confirm that I understand Shoorah is not responsible for the goods or services offered by brands in the Marketplace. I accept the above terms and agree to engage directly with listed brands for all transactions and post-purchase matters.
PEAP SESSION TERMS AND CONDITIONS
These PEAP Session terms and conditions apply to your access or use of the PEAP services, platforms and applications (collectively “PEAP”) and the payment system and features made available and operated by Shoorah Ltd (“we”).
By accessing or using PEAP or by clicking “accept” you acknowledge that you have read, understood and agree to be bound by these terms and conditions.
GENERAL
- We reserve the right to add, modify, delete or otherwise change any of these terms and conditions at our sole discretion without notice.
- It is your responsibility to check these terms and conditions for updates or changes and familiarize yourself with the same.
- PEAP may be interrupted for short periods of time during routine maintenance or unexpected failures. All information and services are provided as-is and without warranties of any kind.
PEAP CREDITS
- PEAP Sessions are not included in your monthly subscription and shall be booked using WELLPOINTS, cash credits or other payments made on PEAP (“PEAP Credits”). Sessions may be purchased in bulk or individually using your PEAP Credits.
- PEAP Credits shall have no cash value and shall only be used to book PEAP Sessions via PEAP.
- Any fraudulent activity or willful misconduct will result in the termination of your PEAP subscription and loss of any PEAP Credits.
- Any end-users redeeming PEAP Credits must be over the age of 18.
- Once issued, PEAP Credits must be used within 12 months or by the end of your membership subscription package end-date (whichever date is sooner).
- PEAP Credits are not transferable between PEAP accounts but can be used by different employees of the same PEAP member. An end-user employee may be required to present their ID to confirm that they are an employee of the PEAP member. We reserve the right to cancel PEAP Sessions if we believe you are not a PEAP member employee.
- If an end-user schedules a PEAP Session but fails to attend or cancels within 48-hours of the PEAP Session, the PEAP Credits used to book this session will be lost and cancelled.
- If you provide a request more than 48-hours in advance to cancel or reschedule your PEAP Session your PEAP Credits shall be returned to the PEAP member or used for your next session.
- We reserve the right to cancel, void or discontinue your PEAP Credits if you are in breach of any of our terms and conditions or policies available on our website from time to time.
IMPORTANT INFORMATION: PLEASE READ
Our self-assessment tests have been developed by Shoorah consultants who are professionals and experts in their respective industries. Although best efforts are taken to analyse your responses based on the questions from our self-assessments, your results are NOT a diagnosis. Our analysis is not intended to be specific medical advice and should ONLY be considered for information purposes as a guide or tool to indicate whether you may choose to seek personal medical advice from your GP or other qualified health care provider.
We (Shoorah and our consultants) therefore give no guarantees, assurances, or warranties, nor do we accept any liability whatsoever, in connection with the results from your self-assessment tests (or any action you may choose to take after receiving your results). If you have any concerns about your results from our self-assessment tests, please speak with your GP or other qualified health care provider as soon as possible. If you have any questions about how our self-assessment works, or anything else related to our self-assessment test please reach out to us at info@shoorah.io.
By clicking “accept” below you are confirming that you have read, understood, and agreed to the above statement and our privacy policy. You are also agreeing to irrevocably waive any claims you may have against Shoorah or our consultants, in connection with our self-assessment tests, to the fullest extent permittable by any applicable law. Any personal information you share with us via your self-assessment test or otherwise shall remain subject to our privacy policy available to view here.
I accept I do not accept
You may only proceed with our self-assessment test by confirming that you “accept”. It is therefore very important that you read the above statement before proceeding.
WELLPOINT DISCLAIMER
Please carefully review the following terms and conditions related to Shoorah Wellpoints:
- Refund Policy: Shoorah Wellpoints purchases are eligible for a refund within 72 hours of the purchase date. After this period, all Wellpoints purchases are non-refundable.
- Non-Transferability: Shoorah WellPoints are strictly non-transferable and can only be used by the account holder who earned or purchased them.
- Final Transactions: All purchases, conversions, and transactions involving Shoorah WellPoints are final unless otherwise explicitly stated.
- Misuse and Abuse: Shoorah reserves the right to confiscate, remove, or discard any Wellpoints if an account is found to be misusing or abusing the Shoorah Wellpoints earning model or any Shoorah incentive offerings.
- Expiration: Shoorah Wellpoints have a rolling expiration date of 12 months from the first date of issue. However, exceptions to this expiration policy may be granted at the sole discretion of Shoorah management or through Shoorah B2B supplier contracts.
- Earnings: Shoorah WellPoints can be earned through various in-app activities, such as gameplay and unlocking feature usage badges. The conversion and allocation of these points are subject to the rules and limitations set forth within the Shoorah app.
By engaging with Shoorah Wellpoints, you acknowledge and agree to adhere to these terms and conditions. Any violation of these terms may result in the suspension or termination of your Shoorah account. For further information, please refer to our detailed terms and conditions or contact our support team for assistance.
SPEAK UP DISCLAIMER
IMPORTANT INFORMATION: PLEASE READ
Shoorah Ltd (“Shoorah” “we” or “our”) provides the “SPEAK UP” feature as a confidential and secure digital reporting platform to facilitate communication between individuals and designated recipients such as employers, HR representatives, and relevant industry regulators.
We act solely as an independent and neutral intermediary providing a secure reporting mechanism. We do not investigate, verify, or take responsibility for the content of any report or information submitted via the “SPEAK UP” feature.
Reports submitted through “SPEAK UP” are securely transmitted to the selected recipient(s) chosen by the reporting individual. Shoorah does not offer advice (legal or otherwise), professional counselling, dispute resolution services, or make any decisions regarding follow-up actions on your report(s). Responsibility for investigating, addressing, or responding to any reports rests entirely with the selected recipient(s), such as the employer, HR department, or regulatory body.
While Shoorah takes reasonable steps to maintain the confidentiality and security of submissions, we cannot guarantee absolute security in digital communications. Users are encouraged to avoid including sensitive personal data unless necessary.
Use of “SPEAK UP” does not establish any client, employment, or advisory relationship between us and the reporting individual. If you require any legal advice or professional guidance, you should consult a qualified professional or appropriate authority directly. We accept no liability for any action you choose to take, even if you have received professional advice.
By submitting a report, you confirm that the information provided is, to the best of your knowledge, accurate, free of error, and submitted in good faith.
For more information about Shoorah please refer to our terms and conditions. By clicking on the link below you are confirming that you have read and understood this disclaimer.
https://shoorah.io/terms-conditions/ to confirm that you have read and understood this disclaimer.
For information on how we handle personal data please refer to our Privacy Policy. You must click and confirm that you have read and understood our Privacy Policy before using “SPEAK UP”.
https://shoorah.io/privacy-policy/ to confirm that you have read and understood our Privacy Policy, including that you give your consent in relation to the use of your personal data.
Shoorah App T&Cs
Please Read These Terms Carefully
BY CLICKING ON THE “ACCEPT” BUTTON BELOW YOU AGREE TO THESE TERMS WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THESE TERMS, CLICK ON THE “REJECT” BUTTON BELOW.
Who we are and what this agreement does. We, Shoorah Ltd of Spectrum House 2b, Suttons Lane, Hornchurch, England, RM12 6RJ license you to use:
- The ‘Shoorah’ mobile application software, the data supplied within the software, (App) and any updates or supplements to it.
- The related online or electronic documentation (Documentation).
- The service you connect to via the App and the features and content we provide to you through it (Service), as permitted in these terms.
Your privacy. Under data protection legislation, we are required to provide you with certain information including who we are, how we process your personal data and for what purposes and your rights in relation to your personal data and how to exercise them. This information is provided in our Privacy Policy available here: https://shoorah.io/privacy-policy/ and it is important that you read this information.
Additional terms for specific Services. The Services set out below will be governed by our standard website terms and conditions. You must be 18 or over to accept these terms and use the App.
Google Play’s terms also apply. The ways in which you can use the App and Documentation may also be controlled by Google Play’s rules and policies. We accept no liability for any loss or damage caused as a result of an act or omission by Google Play or their representatives.
Support for the App
Support. If you want to learn more about the App or the Service or have any problems using them please take a look at our support resources at www.shoorah.io.
Contacting us. If you think the App or the Services are faulty or misdescribed or wish to contact us for any other reason please email us at: info@shoorah.io.
How we will communicate with you. If we have to contact you we will do so using the contact details you have provided to us.
How you may use the App. In return for your agreeing to comply with these terms you may:
- download a copy of the App onto your and view, use and display the App and the Service on such devices for your personal purposes only.
- use any Documentation to support your permitted use of the App and the
- receive and use any free supplementary software code or update of the App incorporating “patches” and corrections of errors as we may provide to you.
You may not transfer the App to someone else. We are giving you personally the right to use the App and the Service as set out above. You shall not transfer the App or the Service to someone else, whether for money, for anything else or for free. If you sell any device on which the App is installed, you must remove the App from it.
Changes to these terms. We may need to change these terms to reflect changes in law or best practice or to deal with additional features which we introduce.
Update to the App and changes to the Service. From time to time we may automatically update the App and change the Service to improve performance, enhance functionality, reflect changes to the operating system or address security issues. Alternatively we may ask you to update the App for these reasons. If you choose not to install such updates or if you opt out of automatic updates you may not be able to continue using the App and the Services.
If someone else owns the device you are using. If you download or stream the App onto any phone or other device not owned by you, you must have the owner’s permission to do so. You will be responsible for complying with these terms, whether or not you own the phone or other device.
We are not responsible for other websites you link to. The App or any Service may contain links to other independent websites which are not provided by us. Such independent sites are not under our control, and we are not responsible for and have not checked and approved their content or their privacy policies (if any). You will need to make your own independent judgement about whether to use any such independent sites, including whether to buy any products or services offered by them.
Licence restrictions. You agree that you will:
- not rent, lease, sub-license, loan, provide, or otherwise make available, the App or the Services in any form, in whole or in part to any person without prior written consent from us;
- not copy the App, Documentation or Services, except as part of the normal use of the App or where it is necessary for the purpose of back-up or operational security;
- not translate, merge, adapt, vary, alter or modify, the whole or any part of the App, Documentation or Services nor permit the App or the Services or any part of them to be combined with, or become incorporated in, any other programs, except as necessary to use the App and the Services on devices as permitted in these terms;
- not disassemble, de-compile, reverse engineer or create derivative works based on the whole or any part of the App or the Services nor attempt to do any such things, except to the extent that (by virtue of sections 50B and 296A of the Copyright, Designs and Patents Act 1988) such actions cannot be prohibited because they are necessary to decompile the App to obtain the information necessary to create an independent program that can be operated with the App or with another program (Permitted Objective), and provided that the information obtained by you during such activities:
- is not disclosed or communicated without the Licensor’s prior written consent to any third party to whom it is not necessary to disclose or communicate it in order to achieve the Permitted Objective; and
- is not used to create any software that is substantially similar in its expression to the App;
- is kept secure; and
- is used only for the Permitted Objective;
- comply with all applicable technology control or export laws and regulations that apply to the technology used or supported by the App or any Service.
Acceptable use restrictions. You must:
- not use the App or any Service in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with these terms, or act fraudulently or maliciously, for example, by hacking into or inserting malicious code, such as viruses, or harmful data, into the App, any Service or any operating system;
- not infringe our intellectual property rights or those of any third party in relation to your use of the App or any Service[, including by the submission of any material] (to the extent that such use is not licensed by these terms);
- not transmit any material that is defamatory, offensive or otherwise objectionable in relation to your use of the App or any Service;
- not use the App or any Service in a way that could damage, disable, overburden, impair or compromise our systems or security or interfere with other users; and
- not collect or harvest any information or data from any Service or our systems or attempt to decipher any transmissions to or from the servers running any Service.
Intellectual property rights. All intellectual property rights in the App, the Documentation and the Services throughout the world belong to us (or our licensors) and the rights in the App and the Services are licensed (not sold) to you. You have no intellectual property rights in, or to, the App, the Documentation or the Services other than the right to use them in accordance with these terms.
Our Responsibility
We are responsible to you for foreseeable loss and damage caused by us. If we fail to comply with these terms, we are responsible for loss or damage you suffer that is a foreseeable result of our breaking these terms or our failing to use reasonable care and skill, but we are not responsible for any loss or damage that is not foreseeable.
We do not exclude or limit in any way our liability to you where it would be unlawful to do so. This includes liability for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors or for fraud or fraudulent misrepresentation.
Limitations to the App and the Services. The App and the Services are provided for general information and welfare support purposes only. We do not directly offer advice on which you should rely and are not responsible for any advice you obtain from independent experts or professionals via the App. You must obtain professional medical advice before taking, or refraining from, any action based on information obtained from the App or the Service. Although we make reasonable efforts to update the information provided by the App and the Service, we make no representations, warranties or guarantees, whether express or implied, that such information is accurate, and you should use your own judgement when accessing such information.
Our content and features. We provide various content and features on the App and the Services which you may have access to. We are responsible for the content we provide only and where our features (including but not limited to ‘PEAP’) connect you with an independent expert or professional we are not responsible for nor shall have any liability relating to the services, content or information they provide to you directly. Whilst we make every effort to connect you with the most appropriate independent expert or professional, we accept no liability in doing so and you shall always use your own judgment to select your independent expert or professional based on your personal needs or circumstances at such time.
Requests for your information. If your selected independent expert or professional requests information from you (whether personal or otherwise) it shall always be your responsibility to provide this and we will not be liable for any reason in the event you do not provide this or for any delays in you providing this. If you are requested to provide any personal information to a third-party outside of the App or the Service, you should check with us if this request is genuine and if so, how this data will be used, processed or stored. If you have concerns about how any of your data will be used, processed or stored then you should not provide this. Please note, the independent experts or professionals which you connect with via the App or the Services are all bound by a duty of confidentiality. For further information about how we use your personal data please refer to our Privacy Policy.
We are not responsible for events outside our control. If our provision of the Services or support for the App or the Services is delayed by an event outside our control then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided we do this we will not be liable for delays caused by the event but if there is a risk of substantial delay you may contact us to end your contract with us and receive a refund for any Services you have paid for but not received.
We may end your rights to use the App and the Services. We may end your rights to use the App and Services at any time by contacting you if you have broken these terms in a serious way.
If what you have done can be put right we will give you a reasonable opportunity to do so. If we end your rights to use the App and Services:
- You must stop all activities authorised by these terms, including your use of the App and any Services.
- You must delete or remove the App from all devices in your possession and immediately destroy all copies of the App which you have and confirm to us that you have done this.
- We may remotely access your devices and remove the App from them and cease providing you with access to the Services.
We may transfer this agreement to someone else. We may transfer our rights and obligations under these terms to another organisation. We will always tell you in writing if this happens and we will ensure that the transfer will not affect your rights under the contract.
You need our consent to transfer your rights to someone else. You may only transfer your rights or your obligations under these terms to another person if we agree in writing.
No rights for third parties. This agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
Even if we delay in enforcing this contract, we can still enforce it later. If we do not insist immediately that you do anything you are required to do under these terms, or if we delay in taking steps against you in respect of your breaking this agreement, that will not mean that you do not have to do those things and it will not prevent us taking steps against you at a later date.
Which laws apply to this agreement and where you may bring legal proceedings. These terms are governed by English law and you shall bring any legal proceedings in respect of the products in the English courts.
Alternative dispute resolution. Alternative dispute resolution is a process where an independent body considers the facts of a dispute and seeks to resolve it, without you having to go to court. If you are not happy with how we have handled any complaint, we will endeavour to resolve your dispute using alternative dispute resolution prior to formal court proceedings.
Breastfeeding Policy in the Workplace
Our workplace breastfeeding policy refers to our provisions for breastfeeding employees. We recognise that breastfeeding has many benefits for new mothers and their children and we want to support our employees whenever they need it on this wonderful journey.
Why do we have a workplace breastfeeding policy?
Our breastfeeding policy is part of our program for supporting mothers in completing their motherhood journey in the best way for them.
Scope
This policy applies to all new mothers in our company regardless of rank, status and position.
Policy elements
New mothers can pump/express milk or breastfeed their babies in the workplace. They can take reasonable breaks whenever they are needed.
For this purpose, we have also planned for a lactation room. This room will be:
- Separate from bathrooms and meeting rooms
- Shielded from view by the public and coworkers
- Equipped with comfortable chairs, electric plugs, a table and a sink
- Cleaned and sanitized regularly
The room will lock from the inside. We can also install a fridge where employees can store their milk; if you need it, just talk to us.
We will always be ready to make your journey better for you – If you have anything you feel would improve your journey, please tell us and we will always do what we can.
General rules
- Employees can use this policy’s provisions for as long as they require it.
- Breastfeeding employees should not be disturbed with work issues when using the lactation room.
- Employees should inform their supervisors when they want to use the lactation room to avoid confusion.
- Supervisors aren’t allowed to prohibit employees from using break time for breastfeeding and pumping/expressing milk. Doing so could result in disciplinary action.
- Supervisors and the HR department are obliged to communicate this policy to employees.
- All employees should support new mothers. We will not tolerate comments, disturbance or victimization of our employees.
Procedure
We are lucky enough to employ lots of new mums, so to avoid confusion and tension between employees who need to breastfeed, we will set up a system where employees can book the lactation room. Employees can use the room for the time they book – we understand this isn’t a mathematical equation! So if you need more time, just let us know. Multiple employees can use the room simultaneously only after mutual consent.
Employees who have complaints about the process, the room or their coworkers’ behavior can use our grievance procedure to let us know. All legitimate complaints will be investigated and resolved.
BEREAVEMENT LEAVE POLICY
Statement and purpose of policy
- Shoorah Ltd (we or us or our) acknowledges the personal nature of bereavement and is committed to supporting employees in practical and reasonable ways.
- Bereavement or compassionate leave is leave that allows an employee time off to deal with their personal distress and related practical arrangements, primarily, but not limited to, when a member of their family passes away.
- This policy shows the minimum leave employees are entitled to in different
- We further acknowledge that:
- not all employees may take the full leave allowance; and
- some employees may need additional time, depending on their relationship with the person who has died and the circumstances of the death.
- We will take each situation on a case-by-case basis and will discuss any particular circumstances with employees
- We may amend this policy at any time, at our absolute
Paid leave
- In the event of the passing of an immediate relative, employees will be entitled to 10 working days’ paid An immediate relative includes a:
- spouse, civil partner or partner (partners include anyone the employee is cohabiting with but not married to and include same-sex partners);
- child (including any children the employee has adopted, is the legal guardian or carer of);
- parent or step-parent;
- sibling; or
- person with whom the employee is in a relationship of domestic
- Employees will be entitled to 1 working day’s paid leave in the event of the passing of a:
- grandparent;
- grandchild;
- aunt or uncle;
- mother- or father-in-law; or
- daughter- or son-in-
- In certain circumstances, employees may be granted up to 0 paid working days’ leave in the event of the passing of someone outside of their These circumstances include, but are not limited to situations where the employee:
- is responsible for making funeral arrangements; or
- has to travel abroad to attend the
- If employees need to take bereavement leave, they should speak to their line manager or HR department as soon as possible or, at the latest, on the first day of absence.
- In exceptional circumstances, employees may apply for paid leave after the first day of absence and line managers and the HR department can exercise discretion in such exceptional circumstances.
- Paid compassionate leave days do not have to be taken
Annual leave
- In the event of bereavement, employees may take unpaid leave or annual leave at short notice, to supplement their paid bereavement leave.
- Employees should speak to their line manager or HR department about taking such supplementary annual
- In the event of a family bereavement while on annual leave, employees can change their annual leave into bereavement leave and take their annual leave at a later date.
Unpaid leave
- In the event of bereavement, employees may take up to 5 working days of unpaid
- Employees should speak to their line manager or HR department before taking unpaid bereavement
Returning to work after a bereavement
- We acknowledge that, in certain circumstances following the passing of a relative, a full return to work may not be immediately possible (e.g. because the employee’s grief may impact their ability to perform their duties or new childcare arrangements need to be made). In such circumstances, employees can, where practicable, have a phased return to work, including:
- Returning to work on a part-time
- Returning to work on a reduced hours
- Undertaking alternative
- Working
- Any arrangements for a phased return to work will need to be agreed in advance with the employee’s line manager or HR department and will be subject to an agreed maximum number of days.
Support for employees
- If an employee has any concerns about how their grieving process is impacting on their work performance, they should speak to their line manager or HR department. This will help ensure that any necessary reasonable adjustments can be discussed and put in place so that the employee is supported in their return to work.
Health and safety
- Our workplace health and safety assessment considers the impact of bereavement on employees, their duties and responsibilities and the context in which they work (e.g. if they operate heavy machinery or equipment).
- Employees who are concerned about their ability to safely carry out all their duties after a bereavement should speak to their line manager.
- We reserve the right to request that an employee meet with their GP before fully returning to work and resuming their previous duties.
Culture and diversity
- We acknowledge and recognise that different cultures respond differently to death. Line managers or the HR department will check if an employee observes any particular religious or cultural practices and will make special arrangements if employees require time off work in such cases.
- Employees should make their line manager or HR department aware of any religious or cultural practices that may require special arrangements as soon as possible.
- If line managers or the HR department are unsure how to respond to a bereaved employee from a different cultural background, they should ask the employee or someone from their cultural group about what is appropriate.
Attribution
- This bereavement leave policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
ANNUAL LEAVE POLICY
Purpose of the annual leave policy
- Shoorah Ltd (‘we’ or ‘our’) recognise the right of our staff (‘you’ or ‘your’) to take paid annual leave each year. We believe that it is important for you to rest and we strongly encourage you to make use of your annual leave
- The purpose of this policy is to ensure that both staff and managers are clear on the entitlements, rules and processes surrounding your annual leave If you have questions about the contents of this policy, please contact your line manager.
- This policy applies to all employees, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff and workers (our ‘staff’). It does not apply to self-employed contractors.
- Some of the entitlements and rules in this policy summarise statutory If any statutory rights change and become inconsistent with this policy, we will amend the policy to reflect these changes.
- This policy is not part of your contract of employment and we may amend this policy at any time, at our absolute
Annual leave entitlement
- Our annual leave year runs from 1 January to 30
- You are entitled to 28 days of annual leave per year pro rata inclusive of UK bank holidays (your ‘annual leave entitlement’).
- Your annual leave entitlement is the paid time off that you are entitled You may request additional unpaid time off, which may be granted entirely at the discretion of your line manager.
- Your annual leave entitlement will continue to accrue while you are on any family leave (ie parental or adoption leave) or sick leave.
Requesting annual leave
- Annual leave is recorded in Bright HR. Requests for annual leave should be made via the Shoorah HR system “Bright HR”.
- You should ensure that your annual leave requests are approved before booking a We are not liable for any loss incurred by you if you incur costs and make commitments prior to receiving approval.
- If you take annual leave without approval we may take disciplinary action against
- You should provide notice of 21 days when requesting annual
- Please note that your line manager has the right to refuse your annual leave request, taking into consideration business needs, the high volume of annual leave requests received at certain times of year (eg school holidays), and the notice
- We will not allow annual leave to be taken within 6 weeks of your employment commencing, unless this leave was pre-arranged and discussed with us during the recruitment process.
Holiday pay
- You will be paid your regular pay during any annual leave time that you take. If you work a shift pattern or irregular hours (ie a different number of hours each week), your holiday pay will be worked out based on the average number of hours per week worked during the preceding 52 weeks.
- If you are regularly paid a commission, bonuses, or overtime, an average of the amount you receive from these payments will be added to 4 weeks of your standard holiday pay.
Illness and bereavement during annual leave
- If you become ill during your annual leave, you may reallocate your leave as sick leave by following our usual policy and procedures for Any time reallocated as sick leave will be added back onto your annual leave entitlement. To use this time, you should request new annual leave following the ordinary procedures outlined in this document.
- If you reallocate your annual leave as sick leave, you will be paid according to our usual sickness
- A copy of our sickness policy is available from your line
- If you experience a bereavement during your annual leave, you may reallocate your leave as bereavement leave if you are entitled to such under our usual bereavement leave Any time reallocated as bereavement leave will be added back onto your annual leave entitlement. To use this time, you should request new annual leave following the ordinary procedures outlined in this document.
- If you reallocate your annual leave as bereavement leave, you will be paid according to our bereavement leave pay
- A copy of our bereavement leave policy is available from your line
Requiring staff to take annual leave
- We may require you to take annual leave at a certain time, for example, if we decide to close the business for a In such situations, we will give you at least twice as many days’ notice as the amount of annual leave days that we require you to take (eg 10 days’ notice for 5 days’ annual leave).
When annual leave can be taken
- Annual leave may be taken at any time during the annual leave year, subject to the discretion of your line
- Annual leave may, at the discretion of your line manager, be taken immediately before or after family leave (ie parental or adoption leave) is taken (ie it may be added onto your family leave).
- If you intend to take annual leave immediately before or after family leave, you should discuss this with your line manager when you arrange your family leave.
Bank holidays
- Time off for bank holidays is not provided on top of your ordinary annual leave You may choose to take annual leave on these days using your existing entitlement.
Carrying over annual leave entitlement
- Wherever possible, you should use your full annual leave entitlement for each annual leave year within that year. If you do not, 5 days (pro rata) of your entitlement can be carried over into the next annual leave year The remainder will be lost (subject to the exceptions below).
- Any carried over annual leave must be used within the next annual leave
- You may carry over 4 weeks of unused annual leave entitlement if you are unable to use your full entitlement within the annual leave year due to being on long-term sick leave, or because you have taken family (ie parental or adoption) leave at a time which prevents Any annual leave carried over for these reasons must be used within 18 months of the date that it is carried over.
- If you are unable to use your full annual leave entitlement within an annual leave year due to being sick with Covid-19, or because you were required to keep working due to Covid-19, you may carry over up to 4 weeks of your entitlement for use within the following two annual leave years.
Holidays arranged before employment commences
- If you have a holiday arranged before your employment commences, and the required time off is discussed during your recruitment process, we will approve this annual leave.
Ending employment
- When you end your employment, you will receive pay for any remaining annual leave entitlement in your final However, we may require you to use any remaining entitlement during your notice period.
- If, when you end your employment, the amount of annual leave you have taken exceeds the entitlement that you have accrued to that date, we may subtract the amount in excess from your final pay.
Attribution
- This annual leave policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
ANTI-BRIBERY AND CORRUPTION POLICY
Statement and purpose of policy
- As involvement in bribery and corruption exposes Shoorah Ltd (the Business) and its employees and representatives to a criminal offence; damages the Business’ reputation; and damages the confidence of any clients or customers, suppliers and business partners; the Business is committed to conducting its business in an honest and ethical
- Bribery and corruption are criminal offences in most countries where the Business conducts its business and operations. As a UK-registered company, the Business is subject to the Bribery Act 2010 (the Act).
- The Business has a zero-tolerance approach towards bribery and corruption anywhere in its business and is committed to:
- acting in a professional and fair manner;
- acting with integrity in all its business dealings and relationships; and
- implementing and enforcing effective systems to counter bribery and
What does this policy cover?
- This policy covers bribery and corruption taking place anywhere in the Business (within the UK or abroad).
- This policy sets out the steps everyone in the Business must take to prevent bribery and corruption within the Business, in accordance with the relevant legislation and the Business’ requirements.
- This policy does not form part of any employment contract and the Business retains the right to amend it at any time, at its absolute discretion.
What are bribery and corruption?
- A ‘bribe’ is any inducement or reward that is offered, promised, requested or provided in order to gain a commercial, contractual, regulatory or personal advantage. In most cases, a bribe will be a financial or other advantage given to a person in order for them to perform a relevant function or activity improperly, or to reward them for doing so.
- Bribes, in the form of financial or other advantages, may include:
- money (whether in the form of cash or cash equivalent);
- gifts;
- hospitality and entertainment;
- loans;
- services;
- preferential treatment;
- discounts; and
- promises to provide financial or other advantages in the
- For something to be considered a bribe and be subject to this policy:
- the timing of the bribe is irrelevant and any payments made, or advantages given, after a relevant event are considered bribes;
- it is also not necessary for the bribed party to actually receive a benefit as a result of the
- ‘Bribery’ includes:
- giving, offering or promising a bribe;
- requesting, receiving or agreeing to receive a bribe; or
- bribing a foreign public official (as defined in the Act).
- ‘Corruption’ is the misuse of power or office for private
- This means that no one should:
- offer or provide a bribe (e.g. any payment, gift, hospitality or other benefit) to reward the business advantage received, or in the expectation that a business advantage will be received.
- accept a third party’s offer that they know or suspect to be made with the expectation that it will provide a business advantage (to the third party or anyone else).
- offer or provide a payment to a government official in any country (in the UK or abroad) to facilitate or speed up a necessary or routine procedure.
- fail to prevent bribery and corruption from
- No one must intimidate, threaten or retaliate against another person who has refused to accept or offer a bribe or who has raised concerns under this policy.
- For the purposes of this policy, it does not matter whether:
- bribery and corruption occur in the UK or Any act of bribery or corruption committed outside of the UK may be prosecuted in the UK and/or in the US, which has similar bribery and corruption legislation in place; or
- the act of bribery and corruption is committed directly or indirectly
Who can be involved in bribery and corruption?
- Bribery and corruption can be committed by:
- any worker of the Business, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, temporary and agency workers, trainees, casual and fixed-term staff, apprentices, interns and any volunteers (Staff);
- anyone otherwise authorised to act on the behalf of Staff;
- the Business’ representatives and any other third parties who act on the Business’ behalf;
- the Business’ suppliers; and
- the Business’ clients or customers (e.g. a customer may attempt to induce someone working for the Business to give that customer more favourable treatment).
- This policy and the rules contained within it apply to those listed in paragraph 13
In what circumstances can bribery and corruption occur?
- Bribery and corruption can take place in the public and private
- Typically, the person receiving the bribe can influence the progress of or be aware of relevant business due to their position. The person receiving the bribe will often, but not always, be a government or public official.
Who is responsible for this policy?
- The Board of Directors has overall responsibility for this
- The CEO has been appointed as the person with primary and day-to-day operational responsibility for implementing this policy. They will also monitor the policy’s use and effectiveness and ensure that it is adhered to.
- Management personnel at all levels are responsible for ensuring those reporting to them are made aware of and understand this policy and are given adequate and regular training on it.
Gifts and hospitality
- All Staff are forbidden from soliciting any gifts or hospitality in the course of their work for the
- All Staff are forbidden from offering or receiving gifts or hospitality which are unduly lavish, extravagant or otherwise inappropriate from any person or organisation which has had, has or may have influence over the Business’ business. The following is a non-exhaustive list of gifts and hospitality the Business deems inappropriate:
- Hospitality valued at more than £200.
- Gifts, be they personal or corporate, with a value greater than £100.
- Any gifts that include cash or cash equivalents (including, but not limited to, vouchers).
- Any hospitality or gifts given or received in
- Any hospitality or gifts received in the name of an individual rather than the Business’
If you have any questions about gifts and hospitality, contact the CEO at lorrihaines@shoorah.io.
Keeping records
- As transparency is crucial and false or misleading records could be damaging to the Business, it is essential that the Business keeps a full and accurate record of all financial Under relevant money laundering regulations, the Business’ accountants and lawyers are required to report anything that seems irregular.
- As a result, Staff must declare and properly record in writing all hospitality and gifts received or In relation to any hospitality, gifts or payments to third parties (including suppliers and customers), Staff must:
- submit expense claims in accordance with the Business’ Expense Policy available from the HR Department; and
- record in writing the reason for the
- All accounts, invoices, purchase orders, credit notes and other records relating to third parties must be accurately and fully prepared in accordance with the Business’ procedures, practices and requirements.
Reporting issues related to bribery and corruption
- All Staff have a responsibility to comply with this policy and prevent bribery and corruption. Staff who:
- witness or otherwise discover anything corrupt or otherwise improper taking place;
- are offered a bribe;
- are asked to offer a bribe; or
- suspect or discover that any bribery or corruption has taken place or may take place;
must report this in accordance with the Business’ Whistleblowing Policy, available from the HR Department, as soon as possible. Staff can do this anonymously. As Staff must report issues related to bribery and corruption as soon as possible, any delays will need to be explained.
Consequences of non-compliance
- The Business takes compliance with this policy very seriously and failure to comply with this policy puts both Staff and the Business at significant risk.
- Staff who fail to comply with this policy may commit a criminal offence and the criminal law relating to bribery and corruption carries several penalties.
- Due to the importance of this policy, failure to comply with any of its procedures and requirements may result in disciplinary action and/or dismissal for gross misconduct. Any non-Staff who breach this policy may have their contract terminated with immediate effect.
- If you have any questions or concerns about anything in this policy, please contact the CEO at lorrihaines@shoorah.io.
Attribution
- This Anti-Bribery and Corruption Policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
ANTI-HARASSMENT AND BULLYING POLICY
Statement and purpose of policy
- Shoorah Ltd (the Employer, we or us) is committed to providing a work environment free from harassment and bullying and ensuring that all staff are treated, and treat others, with dignity and respect.
- This policy does not form part of any employment contract and the Employer retains the right to amend it at any time, in its absolute discretion.
What does this policy cover?
- This policy covers harassment, victimisation and bullying which takes place within and outside of the workplace, including on business trips, work-related social functions or events.
- This policy applies to all staff, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff, volunteers, consultants and contractors. It also covers harassment and bullying by third parties, such as customers, suppliers or visitors to the business premises.
What is harassment?
- Harassment is defined as unwanted conduct related to a relevant protected characteristic (within the Equality Act 2010) which has the effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual.
- Unlawful harassment may involve conduct of a sexual nature or it may be related to age, race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, disability, religion or belief, pregnancy or
- Harassment can arise in some cases even though the person complaining does not actually possess a protected characteristic but is perceived to have it (for example, when a person is harassed because they are (wrongly) believed to be homosexual) or associates with other people who possess a protected characteristic (for example, because they have a spouse who is Muslim).
- A person may also be subject to harassment even if they were not the intended target. For example, a person may be harassed by a sexist joke about a different gender if it created an offensive environment for them to work in.
- Examples of harassment include, but are not limited to:
- use of insults or slurs based on a protected characteristic or of a sexual nature or other verbal abuse or derogatory, offensive or stereotyping jokes or remarks;
- physical or verbal abuse, threatening or intimidating behaviour because of a protected characteristic or behaviour of a sexual nature;
- unwelcome physical contact including touching, hugging, kissing, pinching or patting, brushing past, invading personal space, pushing, grabbing or other assaults;
- mocking, mimicking or belittling a person’s disability, appearance, accent or other personal characteristics;
- offensive or intimidating gestures or comments (regardless of whether they were made in person, over emails, text messages or in social media content);
- unwelcome requests for sexual acts or favours, verbal sexual advances, vulgar, sexual, suggestive or explicit comments or behaviour;
- repeated requests, either explicitly or implicitly, for dates;
- repeated requests for social contact or after it has been made clear that requests are unwelcome;
- comments about body parts or sexual preference;
- displaying or distributing offensive or explicit pictures, items or materials relating to a protected characteristic or of a sexual nature;
- shunning or ostracising someone, for example, by deliberately excluding them from conversations or activities;
- ‘outing’ or threatening to ‘out’ someone’s sexual orientation (ie to make it known);
- explicit or implicit suggestions that employment status or progression is related to toleration of, or acquiescence to sexual advances, or other behaviour amounting to harassment;
- racist, sexist, homophobic or ageist jokes, and stereotypical remarks about a particular ethnic or religious group or gender;
- posters, graffiti, obscene gestures, flags and emblems; and
- isolation from normal work or study places, conversations or social
- Other important points to note about harassment:
- a single incident can amount to harassment;
- behaviour that has continued for a long period without complaint can amount to harassment;
- it is not necessary for an individual to intend to harass someone for their behaviour to amount to harassment;
- it is not necessary for an individual to communicate that behaviour is unwelcome before it amounts to harassment; and
- the burden is on each individual to be certain that their behaviour and conduct is appropriate and is not unwanted and, in the case of doubt, you must refrain from such conduct.
What is victimisation?
- Victimisation occurs where a member of staff is subjected to detrimental treatment because they have, in good faith, made an allegation of harassment, or have indicated an intention to make such an allegation, or have assisted or supported another person in bringing forward such an allegation, or participated in an investigation of a complaint, or participated in any disciplinary hearing arising from an investigation.
- We seek to protect all staff from victimisation arising as a result of bringing a complaint or assisting in an investigation where they act in good Victimisation is a form of misconduct which may itself result in a disciplinary process.
What is bullying?
- Bullying is any behaviour, be it physical, verbal or non-verbal, that is offensive, intimidating, malicious or insulting and that involves a misuse of power (e.g. a position of authority or physical strength), which can result in a person feeling vulnerable, upset, humiliated, undermined or threatened.
- Examples of bullying include, but are not limited to:
- unfair treatment;
- inappropriate and/or derogatory remarks about a person’s performance;
- physical or psychological threats;
- overbearing and intimidating levels of supervision;
- abuse of authority or power by those in positions of seniority;
- constantly changing targets in order to cause someone to fail;
- making false allegations; and
- deliberately excluding someone from meetings or communications without good
- On their own, any reasonable, legitimate and constructive criticism or comments of a person’s performance or behaviour, or reasonable instructions given in the course of employment, will not amount to bullying.
What if you are being bullied or harassed?
- If you are being bullied or harassed, consider if you feel able to raise the problem informally with the person responsible. Clearly explain to them that their behaviour is unwanted and makes you feel uncomfortable. If you cannot speak to the responsible person (for example, because it is too difficult or embarrassing), speak to your line manager or the Employer’s HR Department, who can provide confidential advice and assistance in resolving the issue formally or
- If you are uncertain whether an incident or series of incidents amounts to bullying or harassment, contact your line manager or HR Department for confidential advice.
- If your request is ignored, the bullying or harassment continues and/or you would prefer to take formal action, you should raise the matter formally under the formal complaint procedure set out below.
- A formal complaint about bullying or harassment should be made in writing and sent to the HR Department, identifying:
- who has been bullying or harassing you;
- the nature of the bullying or harassment;
- the specific acts relied upon as constituting bullying or harassment;
- when the alleged acts of bullying or harassment took place, including the dates and times where possible;
- the names of any witnesses to any of the alleged acts of bullying or harassment; and
- any action that has already been taken to attempt to stop the bullying or harassment from occurring (e.g. informally reporting it to your line manager).
- You will be invited to attend a meeting with the HR Department to discuss your complaint. You must make every effort to attend any scheduled meeting under this policy.
- You have the right to be accompanied by a companion to any meeting under this Your choice of companion will be agreed to if they are either a colleague, a trade union official or a trade union representative (which, if not an employed official, must be certified by their union as competent to accompany a worker) and under the circumstances, you have made a reasonable request to be accompanied.
- Your complaint will be investigated in a confidential and timely manner, by someone with appropriate experience and no prior involvement in the complaint, where possible. Details of the investigation, including the names of the person accused of bullying or harassment and the person making the complaint, will be disclosed on a “need to know” basis. We will also consider if any steps are necessary to manage the ongoing relationship and the person accused of bullying or harassment.
- When the investigation is completed, you will be informed of the Employer’s decision. If we consider that you have been bullied or harassed by a staff member, we will deal with the matter under the Employer’s Disciplinary Procedure as a case of possible misconduct or gross misconduct. If we consider that you have been bullied or harassed by a third party, such as a customer or visitor, we will consider what actions will be appropriate to deal with the problem. If you are unhappy with the decision, you can raise an appeal under the formal appeal procedure set out in the section entitled ‘Appeal’ below.
- Regardless of whether your complaint is upheld, we will consider how best to manage any ongoing working relationship between you and the person concerned.
Appeal
- If you are unhappy with the decision and you wish to appeal, you should contact the HR Department within 10 working days of the date of the decision, saying that you disagree with the decision and giving your reason(s) why and, where relevant, providing any new evidence you seek to rely on.
- You will then be invited to an appeal hearing, normally within five working days of us receiving your letter of
- Your appeal will be heard by an impartial manager or if necessary an independent HR advisor who has not been part of the process up until the appeal stage. Your appeal will either be a review of your complaint or a complete rehearing, at the Employer’s discretion.
- After the meeting, you will be given a decision, normally within 24 hours. The Employer’s decision is final and there is no further right to appeal.
Supporting and protecting those involved
- Staff who make complaints or who participate in good faith in any investigation under this policy must not suffer any form of victimisation or retaliation as a result. If you believe you have suffered such treatment, speak to your line manager or HR Department. If the matter is not resolved or remedied, raise it formally under this policy, where
- Anyone found to have victimised or retaliated against someone will be subject to disciplinary action under the Employer’s Disciplinary Procedure.
- If an investigation under this policy concludes that a malicious or false claim of bullying or harassment has been made, the complainant may be subject to disciplinary action under the Employer’s Disciplinary Procedure.
Keeping records
- Information regarding any complaints made by or about a member of staff may be recorded on their personnel file, along with a record of the outcome and of any notes or other documents compiled during the process. Such data will be processed in accordance with the Employer’s Data Protection and Data Security Policy available from your line manager or the HR department and online at https://shoorah.io/privacy-policy/.
Attribution
- This anti-harassment and bullying policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
DISCIPLINARY POLICY AND PROCEDURE
Purpose and scope
- This policy and procedure for Shoorah Ltd is non-contractual and sets out how any issues with employee standards of conduct, attendance and job performance will be dealt with. The aim of this policy and procedure is to ensure consistent and fair treatment for all If an employee has any queries in respect of this procedure, they should contact the CEO.
Primary principles
- Employees are expected to know the standard of conduct or work expected of
- Depending on the severity of the employee’s alleged misconduct, the employer may at its discretion start the procedure at any of the below stages.
- A final decision on a disciplinary sanction will not be taken against an employee without the employer carrying out what it reasonably believes in the circumstances to be an appropriate level of investigation.
- A formal disciplinary sanction will not be taken against an employee without the employee being advised of the nature of the The employee will also have the opportunity to state their case at a formal disciplinary meeting before a final decision is taken.
- Except where an employee has been found to have committed a gross misconduct offence, or is still serving their probationary period, no employee will be dismissed for a first breach of discipline.
- An employee can appeal against any disciplinary action taken by the
- Disciplinary matters will be dealt with confidentially, so far as is reasonably possible and employees should keep confidential any information they learn in relation to any disciplinary matter (unless they are the subject of the investigation and disclosure is required to prepare for a meeting under this procedure).
- The employer may suspend an employee on full pay and benefits, including:
- Access or use of the following benefits:
- work laptop
- work mobile phone
- gym
- canteen
- company car
- All software and communication platforms
- Performance based pay or benefits such as:
- bonus
- commission
- discretionary shares or options
- rights under any incentive plan
at any stage of the disciplinary process, whilst an investigation is completed into an employee’s conduct.
- The employee agrees that if the employer requests, they will not contact clients, employees, suppliers or other business contacts of the employer whilst suspended from work. The period of suspension will be as short as is reasonably practicable in the circumstances and is not a disciplinary penalty, or an indication as to the decision that will be made once the investigations have been completed by the employer.
- Shoorah Ltd processes personal data collected during the investigation stage and any subsequent stages of disciplinary action in accordance with its data protection policy. In particular, data collected as part of the investigation stage and any subsequent stages of disciplinary action is held securely and accessed by, and disclosed to, individuals only for the purposes of completing the disciplinary procedure. Inappropriate access or disclosure of employee data constitutes a data breach and should be reported in accordance with Shoorah Ltd’s data protection policy immediately. It may also constitute a disciplinary offence, which will be dealt with under this disciplinary procedure.
Informal discussions
- Where possible and appropriate the employer will initially deal with disciplinary matters informally. This will take the form of the employee’s line manager speaking with them in confidence about the disciplinary issue(s), making a confidential note for the employee’s personal file and monitoring them informally to see if there is an improvement. Only if this does not resolve the issue(s) or the matter cannot be dealt with adequately informally, will the employer start the formal procedure.
Formal procedure
1. Stage 1 – Formal Meeting
- An employee will usually be invited to a formal meeting in writing and given at least two (2) working days’ notice. If required, there may be an investigatory interview before this meeting. At the meeting, the person chairing will explain the complaint against the employee and go through the evidence, giving the employee the opportunity to ask questions, present their case and respond to allegations including responding to witness statements (although an employee will not usually question witnesses directly). If the employee wishes to call a witness they should notify the employer at least 24 hours before the meeting.
- The employee will be advised that they are able to bring a companion to the meeting with The employee’s choice of companion will be agreed to if they are either a colleague, a trade union official or a trade union representative (which if not an employed official, must be certified by their union as competent to accompany a worker) and under the circumstances, the employee has made a reasonable request to be accompanied. The employee should advise the employer of the identity of the companion (or any change in their choice of companion) and whether they will require any special adjustments to be made for their or their companion’s attendance, at least 24 hours before the start of the formal meeting.
- The employer encourages employees to bring their choice of colleague, trade union representative or trade union official to formal meetings under this procedure, but the employee should bear in mind how practical it is for their choice of companion to attend and consider if there is a suitable and available individual who is geographically close to where the meeting is to be held, rather than first considering an individual geographically based further
- If an employee or their companion is unable to attend the meeting at the time, date and place specified by the employer, they must notify the chair of the meeting as soon as possible in writing. Except in the case of an emergency, this should be at least 24 hours before the start of the meeting and the employee should advise of a time when they and their choice of companion will be available within five (5) working days of the original proposed meeting and provided this is reasonable, the new meeting time will be agreed.
- The role of the companion in a formal meeting is to make notes, confer with the employee and if the employee requests it, to address the hearing to state the employee’s case and respond to any views expressed at the The companion does not have the right to answer questions or address the hearing if the employee does not request this and must not prevent the employer from explaining its case.
- Employees must make every effort to attend any scheduled meeting under this procedure. Failure to co-operate under this procedure could be treated as a disciplinary offence in itself, and a decision could be made in an employee’s absence if they are unable to attend more than two consecutive scheduled meetings.
- If the employer will be referring to any documentation during the formal meeting, unless this is a document an employee will have already seen (such as an email sent by the employee) this should be sent to the employee at least 24 hours before the start of the meeting, so that they have a reasonable chance to prepare. Likewise, if the employee wishes to refer to any documentation, this should be sent to the person chairing the meeting at least 24 hours before the start of the meeting.
- If the employer finds as a result of the first formal meeting that a disciplinary offence was committed by the employee, the sanction will normally be either:
- an improvement note setting out the performance problem, the improvement required, the timescale in which the employee must make the improvement, any support or training the employee will receive to help with the improvement and the right to appeal the improvement note. The employee will be advised that this constitutes the first stage of the formal procedure. A record of the improvement note will be kept on the employee’s file for six months, but will then be disregarded for the purpose of continuing with this procedure, subject to achieving and sustaining satisfactory performance; or
- a first written warning for misconduct if conduct does not meet acceptable standards. The warning will be in writing and set out the nature of the misconduct, the change in behaviour required and state that there is a right of appeal against the first written warning. The warning will also inform the employee that a final written warning may be considered if there is no sustained satisfactory improvement or change. A record of the warning will be kept, but it will be disregarded for disciplinary purposes after six months.
2. Stage 2 – Second Formal Meeting
- If there is sufficiently serious misconduct, further misconduct or a failure to improve performance during the currency of a prior warning, the employee will be invited to a second formal meeting in writing by the employer, with at least two (2) working days’ notice. As in the case of the first formal meeting, (b)-(e) under Stage 1 above will apply.
- If the employee is found to have committed a disciplinary offence as a result of a Stage 2 meeting, the sanction will usually be a final written warning. A final written warning will give details of the complaint, the improvement required and the timescale. It will also warn that failure to improve may lead to dismissal (or some other action short of dismissal) and will refer to the right of appeal. A copy of this written warning will be kept on the employee’s file but will be disregarded for disciplinary purposes after six months, subject to achieving and sustaining satisfactory conduct or performance.
3. Stage 3 – Final Formal Meeting
- If there is sufficiently serious misconduct or still further misconduct or failure to improve performance, the employee will be invited to a third and final meeting in writing by a director of the employer, with at least two (2) working days’ notice. Again, at this stage of the disciplinary procedure, (b)-(e) under Stage 1 above will apply.
- If the employee has been found to have committed a disciplinary offence as a result of a Stage 3 meeting, the sanction may be dismissal or some other action short of dismissal, such as demotion, disciplinary suspension or transfer to another role if permitted by the employee’s contract of employment with the employer.
- Decisions taken under Stage 3 of this disciplinary procedure can only be taken by the Managing Directors of the employer. If the Managing Directors take the decision to dismiss as a result of a Stage 3 meeting, they will advise the employee in writing of the reasons for dismissal, the date on which the employment will terminate, practical arrangements on termination and the employee’s right of appeal.
- If the Managing Directors take the decision after a Stage 3 meeting to impose some sanction short of dismissal, the employee will receive details of the complaint, will be warned that dismissal could result if there is no satisfactory improvement, and will be advised of the employee’s right of appeal. A copy of the written warning will be kept on the employee’s file, but will be disregarded for disciplinary purposes after six months subject to achievement and sustainment of satisfactory conduct or performance.
Gross misconduct
- If an employee is accused of an act of gross misconduct, they may be suspended from work on full pay, normally for no more than five (5) working days, while the alleged offence is investigated by the employer.
- If, on completion of the investigation and a formal meeting, the employer is satisfied that gross misconduct has occurred, the result will normally be summary dismissal without notice or payment in lieu of notice.
- The following is a non-exhaustive list of the type of offences which are normally regarded as gross misconduct, together with any other behaviours which in the reasonable opinion of the employer constitute gross misconduct:
- any form of dishonesty, including theft or fraud;
- physical violence or assault;
- deliberate damage to employer property;
- breaking any law, even outside of work, which could bring the employer into disrepute;
- incapacity under the Mental Health Act 1983;
- repeated or serious failure to follow reasonable instructions given by the employer or repeated or serious failure to comply with the terms of your contract of employment or the employer’s policies and procedures;
- discrimination, harassment, victimisation or bullying of staff, customers, suppliers or other third parties;
- committing an act of arson;
- misusing confidential information acquired during and as a result of your employment;
- failing to devote all working time and effort to the employer or being disloyal to the employer whilst employed by it;
- a serious or repeated breach of the employer’s Health and Safety Policy;
- accepting bribes; and/or
- being under the influence of drink or drugs at work, so as not to be able to perform contractual
Appeals
- An employee will be advised about their right of appeal whenever a decision is made under this procedure. An employee who wishes to appeal against a disciplinary decision must do so in writing as directed by the employer when they are informed by the employer of the disciplinary decision, within five (5) working days.
- A manager who has not been involved with the process until this stage will invite the employee to an appeal hearing, where (b)-(e) under Stage 1 above will again apply. At the appeal hearing, any disciplinary penalty imposed will be reviewed or the case reheard, at the employer’s discretion.
- The employee will be informed in writing of the result of their appeal, usually within five (5) working days and the director’s decision on the appeal is final.
- If the employee appeals a dismissal, their employment will not continue whilst the appeal process is taking place. However, if the appeal is successful the employee will be reinstated with no loss of continuity of employment or
Attribution
- This Disciplinary Procedure was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
DATA PROTECTION AND DATA SECURITY POLICY
Statement and purpose of policy
- Shoorah Ltd (the Employer) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
- We confirm for the purposes of the data protection laws, that the Employer is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
- The purpose of this policy is to help us achieve our data protection and data security aims by:
- notifying our staff of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
- setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
- clarifying the responsibilities and duties of staff in respect of data protection and data security.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
- For the purposes of this policy:
- Criminal records data means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
- Data protection laws means all applicable laws relating to the processing of personal data, including, for the period during which it is in force, the UK General Data Protection Regulation.
- Data subject means the individual to whom the personal data
- Personal data means any information that relates to an individual who can be identified from that
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data protection principles
- Staff whose work involves using personal data relating to Staff or others must comply with this policy and with the following data protection principles which require that personal information is:
- processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
- collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for If we want to change the way we use personal data, we must first tell the data subject.
- processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
- accurate and the Employer takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
- kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer.
- secure, and appropriate measures are adopted by the Employer to ensure as such.
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
- Questions about this policy, or requests for further information, should be directed to the Data Protection Officer.
- All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
- Any breach of this policy will be taken seriously and may result in disciplinary action up to and including Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
What personal data and activities are covered by this policy?
- This policy covers personal data:
- which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
- is stored electronically or on paper in a filing system;
- in the form of statements of opinion as well as facts;
- which relates to Staff (present, past or future) or to any other individual whose personal data we handle or control;
- which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
- This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data do we process about Staff?
- We collect personal data about you which:
- you provide or we gather before or during your employment or engagement with us;
- is provided by third parties, such as references or information from suppliers or another party that we do business with; or
- is in the public domain.
- The types of personal data that we may collect, store and use about you include records relating to your:
- home address, contact details and contact details for your next of kin;
- recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
- pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
- telephone, email, internet, fax or instant messenger use;
- Identification Documents;
- CV;
- Previous work files;
- Permit to work;
- Any HMRC documents;
- performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.
Sensitive personal data
- We will tell you the reasons for processing your personal data, how we use such information and the legal basis for processing in our Privacy Notice. We will not process Staff personal information for any other reason.
- In general, we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:
- Staff address lists: to compile and circulate lists of home addresses and contact details, to contact you outside working hours.
- Sickness records: to maintain a record of your sickness absence and copies of any doctor’s notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
- Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
- Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
- Performance reviews: to carry out performance reviews.
- Equal opportunities monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymised, aggregated information about the breakdown of the Employer’s workforce.
- We may also use your personal data for due diligence and legal purposes.
Accuracy and relevance
- We will:
- ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
- not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
- If you consider that any information held about you is inaccurate or out of date, then you should tell the Data Protection Officer. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.
Storage and retention
- Personal data (and sensitive personal information) will be kept securely in accordance with our Information Security Policy.
- The periods for which we hold personal data are contained in our Privacy Notices.
Individual rights
- You have the following rights in relation to your personal data.
- Subject access requests:
- You have the right to make a subject access request. If you make a subject access request, we will tell you:
- whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
- to whom your personal data is or may be disclosed, including to recipients outside of the UK or European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long your personal data is stored (or how that period is decided);
- your rights of rectification or erasure of data, or to restrict or object to processing;
- your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
- whether or not we carry out automated decision-making and the logic involved in any such decision making.
- We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
- To make a subject access request, contact us at lorrihaines@shoorah.io.
- We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
- We will normally respond to your request within 28 days from the date your request is received. In some cases, eg where there is a large amount of personal data being processed, we may respond within 3 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
- If your request is manifestly unfounded or excessive, we are not obliged to comply with it.
- Other rights:
- You have a number of other rights in relation to your personal data. You can require us to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if your interests override our legitimate grounds for processing the data (where we rely on our legitimate interests as a reason for processing data);
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer’s legitimate grounds for processing the data.
- To request that we take any of these steps, please send the request to lorrihaines@shoorah.io.
Data security
- We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Maintaining data security means making sure that:
- only people who are authorised to use the information can access it;
- where possible, personal data is pseudonymised or encrypted;
- information is accurate and suitable for the purpose for which it is processed; and
- authorised persons can access information if they need it for authorised purposes.
- By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
- Personal information must not be transferred to any person to process (eg while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
- Security procedures include:
- Any desk or cupboard containing confidential information must be kept locked.
- Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
- Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
- The Data Protection Officer must approve of any cloud used to store data.
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
- All servers containing sensitive personal data must be approved and protected by security software.
- Servers containing personal data must be kept in a secure location, away from general office space.
- Data should be regularly backed up in line with the Employer’s back-up procedure.
- Telephone precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
- the identity of any telephone caller must be verified before any personal information is disclosed;
- if the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
- do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.
- Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
- Additional measures to ensure data security include:
- Password security, protected equipment, unauthorised access to staff electronics, email mistakes, insurances.
Data impact assessments
- Some of the processing that the Employer carries out may result in risks to privacy.
- Where processing would result in a high risk to Staff rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
Data breaches
- If we discover that there has been a breach of Staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.
- We will record all data breaches regardless of their effect in accordance with our Breach Response Policy.
- If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures we have taken.
International data transfers
- In the course of carrying out our business, we may need to transfer your personal information to a country outside the UK or European Economic Area (EEA) including to any group company or to another person with whom we have a business relationship.
- Your personal data will only be transferred to a country outside of the UK or EEA if there are adequate protections in place. To ensure that your personal data receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with, to ensure your personal data is treated by those third parties in a way that is consistent with and which respects the law on data protection.
- If you wish to know more about international transfers of your personal data, you may contact the Data Protection Officer.
Individual responsibilities
- Staff are responsible for helping the Employer keep their personal data up to date.
- Staff should let the Employer know if personal data provided to the Employer changes, eg if you move house or change your bank details.
- You may have access to the personal data of other Staff members and of our customers in the course of your employment. Where this is the case, the Employer relies on Staff members to help meet its data protection obligations to Staff and to customers.
- Individuals who have access to personal data are required:
- to access only personal data that they have authority to access and only for authorised purposes;
- not to disclose personal data except to individuals (whether inside or outside of the Employer) who have appropriate authorisation;
- to keep personal data secure (eg by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
- not to remove personal data, or devices containing or that can be used to access personal data, from the Employer’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
- not to store personal data on local drives or on personal devices that are used for work purposes.
Training
- We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
- Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
Attribution
- This data protection and data security policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
Protection Policy
Objective
Shoorah Ltd is committed to protecting the privacy of personal information and to compliance with data protection laws. The purpose of this policy is for all Shoorah Ltd staff members to understand their responsibilities toward protecting the privacy of personal and sensitive information that we collect and process as part of our operations.
Scope
This document is applicable to all processes and operations in Shoorah Ltd within the scope of the ISMS.
Policy Statement
“Personal Data” refers to any data that relates to an identified or identifiable individual or person. In practice, personal data includes all that can be assigned to an individual in any way. For example, personal data includes a telephone number, credit card number or identification number, account data, number plate, appearance, customer number, or address. This policy lays down guidelines to secure the processing of personal data collected by Shoorah Ltd, directly or indirectly from the customers and users of Shoorah Ltd’s services.
Principles for Processing Personal Data
At Shoorah Ltd, we incorporate the following principles of data protection in the way we collect and store personal data. We ensure that the data we collect is:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specific, explicit, legitimate, and limited purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept in an identifiable form for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
Security of Personal Data
- We use appropriate technical and organizational measures to protect the personal data we collect and process. The measures we use are detailed in the Information security policy and are generally designed to provide a level of security appropriate to the risk of personal data that we process.
- Depending on requirements arising from business commitments or regulations, the following advanced technical solutions may be considered to provide an additional layer of protection:
  - Data Leak Prevention (DLP) tools: To monitor and restrict data flow from potential endpoints to unauthorized systems.
  - Data Masking: To restrict the ability to read sensitive data within the organization as well as to ensure protection from external parties.
Data Subject Rights
To adequately protect the personal data collected and processed by Shoorah Ltd, you must understand the rights to which data subjects are entitled. Listed below are the data subject rights that we adhere to:
- Right to be informed: The right to know how personal data is used in clear and transparent language.
- Right of access: The right to know and have access to the personal data held about an individual.
- Right to data portability: The right to receive and transfer data in a common and machine-readable electronic format.
- Right to be forgotten: The right to have personal data erased.
- Right to rectification: The right to have data corrected where it is inaccurate or incomplete.
- Right to object: The right to complain and to object to processing.
- Right to restriction of processing: The right to limit the extent of the processing of personal data according to an individual’s wishes.
- Rights related to automated decision-making and profiling: The right not to be subject to decisions without human involvement.
- Right to non-discrimination: The right to not be discriminated against for an individual exercising their rights.
Staff Training
Shoorah Ltd ensures that its employees receive and attend the required data protection training, including the content and handling of this Policy, if they have constant or frequent access to personal data, are involved in the collection of data, or in the development of tools used to process personal data. The requirements of data protection and compliance must be observed. All Shoorah Ltd staff members need to annually acknowledge that they have attended the Data-Protection training and understand the Data Protection Policy.
Data Protection Officer
The Data Protection Officer leads all the data protection efforts of the company. The responsibilities of the Information Security Officer are detailed in the Information Security Policy.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
Recruitment Policy for Shoorah Ltd
Purpose
The purpose of this recruitment policy is to ensure that Shoorah Ltd attracts, selects, and retains high-quality candidates who align with our company values and goals. This policy promotes a fair and transparent recruitment process that encourages diversity and inclusion.
Scope
This policy applies to all recruitment activities undertaken by Shoorah Ltd, including internal promotions and external hiring.
Policy Statement
Shoorah Ltd is committed to hiring the best talent available, promoting equal employment opportunities, and maintaining a diverse workforce. We aim to create a welcoming environment where all candidates feel valued and respected throughout the recruitment process.
Recruitment Process
- Job Analysis and Approval
  - Conduct a job analysis to determine the necessary skills and qualifications for the role.
  - Obtain necessary approvals from relevant department heads before initiating the recruitment process.
- Job Description Creation
  - Develop clear and concise job descriptions outlining key responsibilities, qualifications, and expectations.
  - Ensure job descriptions are free from biased language and reflect our commitment to diversity.
- Advertising the Position
  - Utilize multiple channels for job postings, including the company website, job boards, social media, and industry networks.
  - Encourage referrals from current employees to leverage their networks.
- Application Process
  - Provide a straightforward application process that is accessible to all candidates.
  - Collect resumes and cover letters, ensuring candidates can submit their applications in a format that suits them.
- Selection Process
  - Screen applications to identify candidates who meet the minimum qualifications.
  - Conduct interviews using a standardised set of questions to ensure fairness.
  - Include relevant team members in the interview process to gain diverse perspectives.
- Assessment
  - Implement appropriate assessments or tests as needed to evaluate candidates’ skills and compatibility with the role.
- Reference Checks
  - Conduct reference checks to validate experience and qualifications.
- Job Offer
  - Extend offers to selected candidates in a timely manner, outlining salary, benefits, and other relevant employment terms.
  - Ensure all offers comply with applicable laws and regulations.
- Onboarding
  - Develop a structured onboarding process to integrate new employees into the company effectively.
Equal Opportunity Employment
Shoorah Ltd is an equal opportunity employer. We do not discriminate based on race, colour, religion, gender, sexual orientation, national origin, age, disability, or any other characteristic protected by law. We actively seek to create a diverse workforce and will not tolerate any behaviour that contradicts this.
Confidentiality
All recruitment records and candidate information are confidential and should be handled with discretion.
Review and Amendment
This policy will be reviewed annually and amended as necessary to ensure compliance with legal standards and alignment with best practices.
Approval
This policy has been approved by the management team of Shoorah Ltd.
Effective Date: October 2024
This recruitment policy serves as a guideline for ensuring that Shoorah Ltd attracts and retains talented individuals while fostering a culture of inclusivity and fairness.
STAFF HANDBOOK
Introduction
This Staff Handbook has been designed to ensure that all staff understand the policies and procedures at Shoorah Ltd. Although this does not override your employment obligations set out in your employment contract, it is an important part of the employment relationship. Please ensure that you familiarise yourself with the full contents of this Staff Handbook.
Shoorah Ltd reserves the right to change our Staff Handbook and policies from time to time. If any of the contents of this handbook are unclear, please contact Human Resources (HR) or your line manager.
This Staff Handbook was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
Contents
WORKPLACE MANAGEMENT POLICIES
Health and Safety Policy
Purpose of policy
- Shoorah Ltd (the Employer, we, our or us) takes health and safety issues seriously and is committed to protecting the health and safety of its staff and all those affected by its business activities and attending its premises. This policy is intended to help the Employer achieve this by clarifying who is responsible for health and safety matters and what their responsibilities are.
- This is a statement of policy only and does not form part of your contract of employment. This policy may be amended at any time by the Employer at its absolute discretion. The Employer will review this policy at regular intervals to ensure that it is achieving its aims effectively.
Who is responsible for workplace health and safety?
- Achieving a healthy and safe workplace is a collective task shared between the Employer and staff. This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure, and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers, fixed-term staff and any volunteers. Specific responsibilities of staff are set out in the section headed “Responsibilities of all staff” below.
Employer responsibilities
- The Employer is responsible for:
- Taking reasonable steps to safeguard the health and safety of staff, people affected by the Employer’s business activities, and people visiting its premises.
- Identifying health and safety risks and finding ways to manage or overcome them.
- Providing a safe and healthy place of work and safe entry and exit arrangements, including during an emergency situation.
- Providing and maintaining safe working areas, equipment and systems and, where necessary, appropriate protective clothing.
- Providing safe arrangements for the use, handling, storage and transport of articles and substances.
- Providing adequate information, instruction, training and supervision to enable all staff to do their work safely, to avoid hazards and to contribute positively to their own health and safety at work. The Employer will give you the opportunity to ask questions and advise who best to contact if you are unsure about how to safely carry out your work.
- Ensuring any health and safety representatives receive appropriate training to carry out their functions effectively.
- Providing a health and safety induction and safety training appropriate to your role, including:
- General health and safety with the use of cables, bags, use of deodorants and anything that may cause others harm.
- Promoting effective communication and consultation between the Employer and staff concerning health and safety matters.
- If an epidemic or pandemic alert is issued, providing instructions, arrangements and advice to staff as to the organisation of business operations and steps to be taken to minimise the risk of infection.
- Regularly monitoring and reviewing the management of health and safety at work, making any necessary changes, and bringing those to the attention of all staff.
- Overall responsibility for health and safety lies with the Board of Directors of the Employer. They have appointed Lorri Haines as the Health and Safety Officer with day-to-day responsibility for health and safety matters.
- Any concerns about health and safety matters should be communicated to the Health and Safety Officer.
Responsibilities of all staff
General staff responsibilities
All staff must:
- Take reasonable care for their own health and safety and that of others who may be affected by their acts or omissions.
- Co-operate with the Health and Safety Officer and the Employer generally to enable compliance with health and safety duties and requirements.
- Comply with any health and safety instructions and rules, including instructions on the safe use of equipment.
- Keep health and safety issues in the front of their minds and take personal responsibility for the health and safety implications of their own acts and omissions.
- Keep the workplace tidy and hazard-free.
- Report all health and safety concerns to the Health and Safety Officer promptly, including any potential risks, hazards or malfunctioning of equipment, however minor or trivial they may seem.
- Co-operate in the Employer’s investigation of any incident or accident which either has led to injury or which, in the Employer’s opinion, could have led to injury.
Staff responsibilities relating to equipment
All staff must:
- Use equipment as directed, following any instructions given by representatives of management or contained in any written operating manual or instructions for use, and adhering to any relevant training.
- Report any fault with, damage to, or concern about any equipment (including health and safety equipment) or its use to the Health and Safety Officer, who is responsible for maintenance and safety of equipment.
- Ensure that health and safety equipment is not interfered with.
- Not attempt to repair equipment unless suitably trained and authorised.
Staff responsibilities relating to accidents and first aid
All staff must:
- Promptly report any accident at work involving personal injury, however trivial, to the Health and Safety Officer so that details can be recorded in the Accident Book. They must also cooperate with any associated investigation.
- Familiarise themselves with the details of first aid facilities and trained first aiders, which are available from the Health and Safety Officer.
- If an accident occurs, dial 999 and ask for the duty first aider, giving name, location and brief details of the problem.
- The Health and Safety Officer is responsible for investigating any injuries or work-related illnesses, preparing and keeping accident records, and for submitting reports under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), where required.
Staff responsibilities relating to national health alerts, including the Coronavirus (COVID-19) pandemic
- If an epidemic or pandemic alert is issued, all staff must comply and co-operate with all instructions, arrangements and advice issued by the Employer as to the organisation of business operations and steps to be taken by staff to minimise the risk of infection. Any questions should be referred to the Health and Safety Officer.
- Given the outbreak of Coronavirus (COVID-19), it is important that all staff members follow the guidelines set out in this policy to ensure maximum safety and to minimise the risk of infection. We will review these guidelines regularly to ensure they are kept up-to-date with Government guidance.
Staff responsibilities relating to emergency evacuation and fire
All staff must:
- Familiarise themselves with the instructions about what to do if there is a fire which are available from the Health and Safety Officer.
- Ensure they are aware of the location of fire extinguishers, fire exits and alternative ways of leaving the building in an emergency.
- Comply with the instructions of fire wardens if there is a fire, suspected fire or fire alarm (or a practice drill for any of these scenarios).
- Co-operate in fire drills and take them seriously (ensuring that any visitors to the building do the same). Fire drills will be held at least once every 12 months.
- Ensure that fire exits or fire notices or emergency exit signs are not obstructed or hidden at any time.
- Notify the Health and Safety Officer immediately of any circumstances (for example, impaired mobility) which might hinder or delay evacuation in a fire. This will allow the Health and Safety Officer to discuss a personal evacuation plan for you, which will be shared with the fire wardens and colleagues working near to you.
On discovering a fire, all staff must:
- Immediately trigger the nearest fire alarm and, if time permits, call reception and notify the location of the fire.
- Attempt to tackle the fire ONLY if they have been trained or otherwise feel competent to do so. Nominated members of staff will be trained in the use of fire extinguishers.
On hearing the fire alarm, all staff must:
- Remain calm and immediately evacuate the building, walking quickly without running, and following any instructions of the fire wardens.
- Leave without stopping to collect personal belongings.
- Stay out of any lifts.
- Remain out of the building until notified by a fire warden that it is safe to re-enter.
The Health and Safety Officer is responsible for ensuring that fire risk assessments take place, that changes are made where required, and for making sure there are regular checks of fire extinguishers, fire alarms, escape routes, signage and emergency lighting.
Risk assessments and manual handling
- Risk assessments are essentially a careful examination of what in the workplace could cause harm to people. The Employer will assess any risks and consider measures to best minimise any risk. The Employer will carry out general workplace risk assessments when required or as reasonably requested by staff. Managers must ensure that any necessary risk assessments take place and the resulting recommendations are implemented. The Health and Safety Officer is responsible for workplace risk assessments and any measures to control risks.
- Personal Protective Equipment (PPE) is provided where risks cannot be otherwise effectively controlled.
- Guidance on manual handling (for example, lifting and carrying heavy objects) can be obtained from the Health and Safety Officer and where necessary training will be provided by the Employer, but the Employer will try to minimise or avoid the need for manual handling where there is a risk of injury.
Display screen equipment (DSE)
- The Employer is obliged to ensure that:
- Risks to health and safety from DSE use (such as musculoskeletal disorders, visual fatigue and mental stress) are controlled.
- Staff are aware of the potential risks to their health and safety from DSE use and the actions they can take to reduce these risks.
- Further guidance on the use of display screen equipment can be obtained from the Health and Safety Officer.
Employer responsibilities
- The Employer will:
- Ensure DSE Assessments are carried out on each workstation and include the display screen equipment, furniture and working environment.
- Where health and safety issues have been highlighted in the DSE Assessment, ensure that appropriate remedial action is taken to reduce any identified risks.
- Maintain records of all DSE Assessments and risk assessments.
- Encourage the early reporting by staff of any symptoms which may be related to visual display screen work.
- In circumstances where an injury or ill health associated with DSE is identified, ensure that an incident or accident report is completed.
- Plan the activities of users of DSE so that short, frequent breaks are taken to prevent intensive periods of on-screen activity.
Staff responsibilities
- Staff will:
- Cooperate with the completion of the workstation DSE assessment and all measures/training given to promote safe working practice.
- Use equipment in the intended manner.
- Adopt any advice given by the Employer to prevent intensive periods of on-screen activity.
- Use any corrective glasses prescribed specifically for working with DSE.
- Inform their line manager immediately if they experience any problems or ill-health which could affect their ability to work with DSE.
Workstation assessments
- Workstation assessments must be carried out on each workstation. Responsibility for ensuring workstation assessments are carried out lies with the HR department.
- As a first step, staff must complete a DSE self-assessment.
- DSE self-assessments should be carried out on:
- New staff at induction.
- Laptop users.
- Homeworkers.
- Staff should review their self-assessment annually, or when there are significant changes to their workstation.
Breaks
- Staff are encouraged and will be expected to take opportunities for breaks in their work routine to prevent the onset of fatigue. See guidance for more information, or speak with the HR department.
Eye tests
- Staff are entitled to eye tests by a registered practitioner (Optician or Doctor) on the following occasions:
- When they first become a user of DSE.
- When requested by staff themselves.
- At regular intervals thereafter on the recommendation of the practitioner (usually every 2 years).
- When staff experience visual difficulties attributed to display screen use.
- A voucher scheme is in operation. Vouchers entitle staff to a full eye test, as well as a pair of standard corrective glasses.
- Please note that glasses are solely and specifically for DSE use, and cannot be combined with lenses for other uses, eg driving.
- For more information, please contact the HR department.
Eye testing procedure
- To request access to the voucher scheme, you must complete the relevant form, which can be requested from the HR Department or your line manager. The form must be signed by your line manager and sent to the HR Department or person in charge of HR. Your first voucher will then be issued, for you to redeem against a full eyesight test.
- You are responsible for arranging your own appointment with the practitioner.
- The practitioner will complete a Visual Display Unit (VDU) Certificate of Recommendation, which you should send to your line manager or the HR Department or person in charge of HR. You will then be issued a second voucher to be redeemed against the cost of a pair of standard corrective glasses.
Provision of information and training
- Staff will be provided with adequate information and training on the following areas:
- Risks from DSE and workstations.
- Risk assessments and measures to reduce the risks.
- Breaks and activity changes.
- Initial training.
- Training when the workstation is modified, including in situations where the staff member is hot-desking.
Non-compliance with health and safety rules
- Any breach of health and safety rules or failure to comply with this policy will be taken very seriously and is likely to result in disciplinary action against the offender, in accordance with the Employer’s disciplinary policy, up to and including immediate dismissal.
Equal Opportunities Policy
Statement of policy and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) is committed to equal opportunities for all staff and applicants.
- It is our policy that all employment decisions are based on merit and the legitimate business needs of the organisation. We do not discriminate on the basis of race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, marital or civil partner status, pregnancy or maternity, disability, religion or belief, age or any other ground on which it is or becomes unlawful to discriminate under the laws of England, Wales and Scotland (referred to as Protected Characteristics).
Our intention is to enable all our staff to work in an environment which allows them to fulfil their potential without fear of discrimination, harassment or victimisation. Our commitment to equal opportunities extends to all aspects of the working relationship including:
recruitment and selection procedures;
terms of employment, including pay, conditions and benefits;
training, appraisals, career development and promotion;
work practices, conduct issues, allocation of tasks, discipline and grievances;
work-related social events; and
termination of employment and matters after termination, including references.
This policy is intended to help us achieve our diversity and anti-discrimination aims by clarifying the responsibilities and duties of all staff in respect of equal opportunities and discrimination. We will promote effective communication and consultation between us and staff concerning equal opportunities by means we consider appropriate.
The principles of non-discrimination and equal opportunities also apply to the way in which staff treat visitors, clients, customers, suppliers and former staff members.
This is a statement of policy only and does not form part of your contract of employment. This policy may be amended at any time by us, at our absolute discretion.
Who is responsible for equal opportunities?
Achieving an equal opportunities workplace is a collective task shared between us and all our staff. This policy and the rules contained in it, therefore, apply to all staff irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers or interns (referred to as Staff).
The Board of Directors of the Employer has overall responsibility for this policy and for equal opportunities and discrimination law compliance in the workplace and the CEO has been appointed as the person with day-to-day operational responsibility for these matters.
All Staff have personal responsibility to ensure compliance with this policy, to treat colleagues with dignity at all times and not to discriminate against or harass other members of Staff, visitors, clients, customers, suppliers and former staff members. In addition, Staff who take part in management, recruitment, selection, promotion, training and other aspects of career development (referred to as Managers) have special responsibility for leading by example and ensuring compliance.
Managers will receive appropriate training in equal opportunities and must take all necessary steps to:
promote the objective of equal opportunities and the values set out in this policy;
ensure that their own behaviour and that of the Staff they manage complies in full with this policy; and
ensure that any complaints of discrimination, victimisation or harassment (including against themselves) are dealt with appropriately and are not suppressed or disregarded.
What is discrimination?
Discrimination occurs in different ways, some more obvious than others. Discrimination on the grounds of any of the Protected Characteristics is prohibited by law, even if unintentional, unless a particular exception applies.
Direct discrimination
Direct discrimination is less favourable treatment because of one of the Protected Characteristics. Examples would include refusing a woman a job as a chauffeur because you believe that women are not good drivers or restricting recruitment to persons under 40 because you perceive a younger workforce to be more energetic or dynamic.
Direct discrimination can arise in some cases even though the person complaining does not actually possess the Protected Characteristic but is perceived to have it or associates with other people who do. For example, when a person is less favourably treated because they are (wrongly) believed to be homosexual or because they have a spouse who is Muslim.
Indirect discrimination
Indirect discrimination arises when an employer applies an apparently neutral provision, criterion or practice which in fact puts individuals with a particular Protected Characteristic at a statistical disadvantage, and this is unjustified. To show discrimination the individual complaining also has to be personally disadvantaged. An example would be a requirement for job candidates to have 10 years’ experience in a particular role, since this will be harder for young people to satisfy. This kind of discrimination is unlawful unless it is a proportionate means of achieving a legitimate aim.
Victimisation
Victimisation means treating a person less favourably because they have made a complaint of discrimination or have provided information in connection with a complaint or because they might do one of these things.
Harassment
Harassment is defined as unwanted conduct related to a relevant Protected Characteristic (within the Equality Act 2010) which has the effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual.
Unlawful harassment may involve conduct of a sexual nature or it may be related to age, race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, disability, religion or belief, pregnancy or maternity.
Harassment can arise in some cases even though the person complaining does not actually possess a Protected Characteristic but is perceived to have it (for example, when a person is harassed because they are (wrongly) believed to be homosexual) or associates with other people who possess a Protected Characteristic (for example, because they have a spouse who is Muslim).
A person may also be subject to harassment even if they were not the intended target. For example, a person may be harassed by a sexist joke about a different gender if it created an offensive environment for them to work in.
Harassment may include:
use of insults or slurs based on a Protected Characteristic or of a sexual nature or other verbal abuse or derogatory, offensive or stereotyping jokes or remarks;
physical or verbal abuse, threatening or intimidating behaviour because of a Protected Characteristic or behaviour of a sexual nature;
unwelcome physical contact including touching, hugging, kissing, pinching or patting, brushing past, invading personal space, pushing, grabbing or other assaults;
mocking, mimicking or belittling a person’s disability, appearance, accent or other personal characteristics;
unwelcome requests for sexual acts or favours; verbal sexual advances, vulgar, sexual, suggestive or explicit comments or behaviour;
repeated requests, either explicitly or implicitly, for dates;
repeated requests for social contact or after it has been made clear that requests are unwelcome;
comments about body parts or sexual preference;
displaying or distributing offensive or explicit pictures, items or materials relating to a Protected Characteristic or of a sexual nature;
shunning or ostracising someone, for example, by deliberately excluding them from conversations or activities;
‘outing’ or threatening to ‘out’ someone’s sexual orientation (i.e. to make it known);
explicit or implicit suggestions that employment status or progression is related to toleration of, or acquiescence to sexual advances, or other behaviour amounting to harassment;
racist, sexist, homophobic or ageist jokes, and stereotypical remarks about a particular ethnic or religious group or gender;
posters, graffiti, obscene gestures, flags and emblems; and
isolation from normal work or study places, conversations or social events.
Other important points to note about harassment:
a single incident can amount to harassment;
behaviour that has continued for a long period without complaint can amount to harassment;
it is not necessary for an individual to intend to harass someone for their behaviour to amount to harassment;
it is not necessary for an individual to communicate that behaviour is unwelcome before it amounts to harassment; and
the onus is on each individual to be certain that their behaviour and conduct is appropriate and is not unwanted and in the case of doubt, you must refrain from such conduct.
Disability discrimination
This could be direct or indirect discrimination, and is any unjustified less favourable treatment because of the effects of a disability, and failure to make reasonable adjustments to alleviate disadvantages caused by a disability.
Disabled persons
Any Staff member who considers that they may have a disability is strongly encouraged to speak with the CEO particularly if they experience difficulties at work because of their disability so that any reasonable adjustments to help overcome or minimise difficulties can be discussed. For these purposes, disability includes any physical or mental impairment which substantially affects your ability to perform day-to-day activities and has lasted (or is likely to last) more than 12 months. Disclosure of this information will be treated in confidence, if you wish it to be, so far as is reasonably practicable and we will do our best to handle matters sensitively and to ensure that you are treated with dignity and with respect for your privacy.
We will consult with you about whether adjustments are needed to avoid you being disadvantaged and may ask you to see a doctor appointed by us, to advise on this. We will seek to accommodate your needs within reason. If we consider a particular adjustment unreasonable we will explain why and try to find an alternative solution.
Managers with responsibility for managing a member of Staff who they know or think to be disabled should speak to the CEO to ensure that all relevant duties are complied with.
Making employment decisions fairly
As noted above, the Employer will recruit employees and make other employment decisions concerning promotion, training, dismissal and related issues on the basis of objective criteria.
Managers should only stipulate criteria or conditions for employment decisions (including job selection, promotion and redundancy) which are based on a legitimate business need and which do not go further than is needed to satisfy that need. If you are in any doubt about whether particular criteria or conditions are indirectly discriminatory or justifiable, then please speak to the CEO.
Recruitment
Managers involved in recruitment must:
specify only recruitment criteria that are relevant to the job, reflect genuine business needs and are proportionate. More than one person should be involved in shortlisting of applicants wherever practicable;
ensure that vacancies are advertised to a diverse audience and try to avoid informal recruitment methods that exclude fair competition. In very rare cases, it may be legitimate and necessary to restrict recruitment to a particular role to certain groups, but it is essential that this is discussed with the CEO so that appropriate steps can be taken to ensure legality;
review job advertisements carefully to ensure that stereotyping is avoided and that particular groups are not unjustifiably discouraged from applying;
not ask applicants about health or disability before a job offer is made (other than in exceptional circumstances and after having been approved by the CEO). If necessary a job offer can be expressed to be conditional upon satisfactorily passing a medical check;
not ask candidates about any Protected Characteristic if the question may demonstrate an intention to discriminate. For example, candidates should not be asked about current or future pregnancy, childcare or related matters;
not make assumptions about immigration status based on appearance, accent or apparent nationality; and
so far as reasonably practicable, keep a written record of their reasons for relevant decisions.
The Employer is legally required to verify that all employees have the right to work in the UK. Prior to starting employment, all employees must produce original documents to the Employer’s satisfaction, irrespective of nationality. Information about the documents required is available from the HR Bright.
The Employer monitors applicants’:
sex;
sexual orientation;
ethnic group;
disability;
religion;
age;
as part of our recruitment process. We do this to assess the effectiveness of our measures to promote equal opportunities and to help us identify and take appropriate steps to avoid discrimination, under-representation and potential disadvantage and improve diversity. Provision of this information is voluntary and the information is kept in an anonymised format solely for the purposes stated here. The information will not be used as part of any decision-making process relating to the recruitment or employment of the person providing the information. Our recruitment policies must be reviewed at regular intervals to ensure people are being treated fairly and according to ability and merit.
Staff training, career development and promotion
Training needs may be identified during the normal appraisal process. Appropriate training to facilitate progression will be accessible to all staff.
All promotion decisions will be made on the basis of merit and according to proportionate criteria determined by legitimate business need.
Staff diversity at different levels of the organisation will be kept under review to ensure equality of opportunity. Where unjustified barriers to progression are identified, these will be removed.
Conditions of service
Access to benefits and facilities and terms of employment will be kept under review to ensure that they are appropriately structured and that no unlawful barriers to qualification or access exist.
Discipline and termination of employment
Any redundancy selection criteria and procedures that are used, or other decisions taken to terminate employment, will be fair and not directly or indirectly discriminatory.
Disciplinary procedures and penalties will be applied without discrimination, whether they result in disciplinary warnings, dismissal or other disciplinary action.
Discipline and termination of employment
Part-time and fixed-term staff will be treated the same as full-time or permanent staff of the same position and enjoy no less favourable terms and conditions (pro-rata, where appropriate), unless different treatment is justified.
What to do if you encounter discrimination
If you believe that you have been the victim of discrimination, you should follow the Employer’s Grievance Procedure contained within this Staff Handbook.
Every member of Staff has a responsibility to combat discrimination if they encounter it. Staff who observe or are aware of acts that they believe amount to discrimination directed at others are encouraged to report these to the CEO.
Any grievance or report raised about discrimination will be kept confidential so far as this is practicable. We may ask you if you wish your complaint(s) to be put to the alleged discriminator if disciplinary action appears to be appropriate. It sometimes may be necessary to disclose the complaint or take action even if this is not in line with your wishes, but we will seek to protect you from victimisation and, if you wish, we will seek to protect your identity. You should be aware that disciplinary action may be impossible without your co-operation or if you refuse to allow relevant information to be disclosed.
Staff who raise a complaint about or report discrimination in good faith will be protected from retaliation or victimisation. As long as you act in good faith, the fact that you have raised a complaint or report will not affect your position within the Employer, even if the complaint is not upheld. Making a false allegation deliberately and in bad faith is a misconduct offence and will be dealt with in accordance with our Disciplinary Procedure contained within this Staff Handbook. Any member of Staff who attempts acts of retaliation or victimisation may be subject to disciplinary action up to and including summary dismissal for gross misconduct.
If you make a complaint, it may be necessary to ask you to stay at home on paid leave while investigations are being conducted and the matter is being dealt with through the appropriate procedure. This may particularly be necessary in cases of alleged harassment.
Non-compliance with equal opportunities rules
Any breach of equal opportunities rules or failure to comply with this policy will be taken very seriously and is likely to result in disciplinary action against the offender, up to and including immediate dismissal.
Staff should also note that:
in some cases, they may be personally liable for their acts of discrimination and that legal action may be taken against them directly by the victim of any discrimination; and
it may be a criminal offence intentionally to harass another employee.
Review of this policy
The Board of Directors of the Employer will keep this policy under review.
The Employer encourages Staff to comment on this policy and suggest ways in which it might be improved or ask any questions if they are unsure about any part of this policy or how it is applied by contacting the CEO.
Anti-Harassment and Bullying Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) is committed to providing a work environment free from harassment and bullying and ensuring that all staff are treated, and treat others, with dignity and respect.
- This policy does not form part of any employment contract and the Employer retains the right to amend it at any time, at our absolute discretion.
What does this policy cover?
- This policy covers harassment, victimisation and bullying which takes place within and outside of the workplace, including on business trips, work-related social functions or events.
- This policy applies to all staff, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff, volunteers, consultants and contractors. It also covers harassment and bullying by third parties, such as customers, suppliers or visitors to the business premises.
What are harassment and bullying?
- Harassment is any behaviour as defined in the Section entitled ‘Harassment’ in the Employer’s Equal Opportunities Policy contained in this Staff Handbook.
- Bullying is any behaviour, be it physical, verbal or non-verbal, that is offensive, intimidating, malicious or insulting and that involves a misuse of power (e.g. a position of authority or physical strength), which can result in a person feeling vulnerable, upset, humiliated, undermined or threatened.
- Examples of bullying include, but are not limited to:
- unfair treatment;
- inappropriate and/or derogatory remarks about a person’s performance;
- physical or psychological threats;
- overbearing and intimidating levels of supervision;
- abuse of authority or power by those in positions of seniority;
- constantly changing targets in order to cause someone to fail;
- making false allegations; and
- deliberately excluding someone from meetings or communications without good reason.
- On their own, any reasonable, legitimate and constructive criticism or comments of a person’s performance or behaviour, or reasonable instructions given in the course of employment, will not amount to bullying.
What is victimisation?
- Victimisation occurs where a member of staff is subjected to detrimental treatment because they have, in good faith, made an allegation of harassment, or have indicated an intention to make such an allegation, or have assisted or supported another person in bringing forward such an allegation, or participated in an investigation of a complaint, or participated in any disciplinary hearing arising from an investigation.
- We seek to protect all staff from victimisation arising as a result of bringing a complaint or assisting in an investigation where they act in good faith. Victimisation is a form of misconduct which may itself result in a disciplinary process.
What if you are being bullied or harassed?
- If you are being bullied or harassed, consider if you feel able to raise the problem informally with the person responsible. Clearly explain to them that their behaviour is unwanted and makes you feel uncomfortable. If you cannot speak to the responsible person (for example, because it is too difficult or embarrassing), speak to your line manager or the HR Department, who can provide confidential advice and assistance in resolving the issue formally or informally.
- If you are uncertain whether an incident or series of incidents amounts to bullying or harassment, contact your line manager or the HR Department for confidential advice.
- If your request is ignored, the bullying or harassment continues and/or you would prefer to take formal action, you should raise the matter formally under the complaint procedure set out below.
- A formal complaint about bullying or harassment should be made in writing and sent to the HR Department, identifying:
- who has been bullying or harassing you;
- the nature of the bullying or harassment;
- the specific acts relied upon as constituting bullying or harassment;
- when the alleged acts of bullying or harassment took place, including the dates and times where possible;
- the names of any witnesses to any of the alleged acts of bullying or harassment; and
- any action that has already been taken to attempt to stop the bullying or harassment from occurring (e.g. informally reporting it to your line manager).
- You will be invited to attend a meeting with the HR Department to discuss your complaint. You must make every effort to attend any scheduled meeting under this policy.
- You have the right to be accompanied by a companion to any meeting under this procedure. Your choice of companion will be agreed to if they are either a colleague, a trade union official or a trade union representative (which, if not an employed official, must be certified by their union as competent to accompany a worker) and under the circumstances, you have made a reasonable request to be accompanied.
- Your complaint will be investigated in a confidential and timely manner, by someone with appropriate experience and no prior involvement in the complaint, where possible. Details of the investigation, including the names of the person accused of bullying or harassment and the person making the complaint, will be disclosed on a “need to know” basis. We will also consider if any steps are necessary to manage the ongoing relationship between you and the person accused of bullying or harassment.
- When the investigation is completed, you will be informed of the Employer’s decision. If we consider that you have been bullied or harassed by a staff member, we will deal with the matter under the Employer’s Disciplinary Procedure contained in this Staff Handbook as a case of possible misconduct or gross misconduct. If we consider that you have been bullied or harassed by a third party, such as a customer or visitor, we will consider what actions will be appropriate to deal with the problem. If you are unhappy with the decision, you can raise an appeal under the formal appeal procedure set out in the section entitled ‘Appeal’ below.
- Regardless of whether your complaint is upheld, we will consider how best to manage any ongoing working relationship between you and the person concerned.
Appeal
- If you are unhappy with the decision and you wish to appeal, you should contact the HR Department within 10 working days of the date of the decision, saying that you disagree with the decision and giving your reason(s) why and, where relevant, providing any new evidence you seek to rely on.
- You will then be invited to an appeal hearing, normally within 5 working days of us receiving your letter of appeal.
- Your appeal will be heard by an impartial manager or if necessary an independent HR advisor who has not been part of the process up until the appeal stage. Your appeal will either be a review of your complaint or a complete rehearing, at the Employer’s discretion.
- After the meeting, you will be given a decision, normally within 24 hours. The Employer’s decision is final and there is no further right to appeal.
Supporting and protecting those involved
- Staff who make complaints or who participate in good faith in any investigation under this policy must not suffer any form of victimisation or retaliation as a result. If you believe you have suffered such treatment, speak to your line manager or the HR Department. If the matter is not resolved or remedied, raise it formally under this policy, where appropriate.
- Anyone found to have victimised or retaliated against someone will be subject to disciplinary action in accordance with the Employer’s Disciplinary Procedure.
- If an investigation under this policy concludes that a malicious or false claim of bullying or harassment has been made, the complainant may be subject to disciplinary action in accordance with the Employer’s Disciplinary Procedure.
Keeping records
- Information regarding any complaints made by or about a member of staff may be recorded on their personnel file, along with a record of the outcome and of any notes or other documents compiled during the process. Such data will be processed in accordance with the Employer’s Data Protection and Data Security Policy which is contained in this Staff Handbook.
- For more information on how we use personal data, refer to the Employer’s Employee Privacy Notice, which is contained in this Staff Handbook.
FAMILY POLICIES
Maternity Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) recognises and respects the rights of expectant and recent mothers to take time away from work in connection with their maternity and childbirth. No one will be subjected to a detriment for exercising their right to take maternity leave in accordance with this policy or for seeking to do so.
- The purpose of this policy is to ensure that staff and managers are clear about entitlements to maternity leave, the process that should be followed for arranging leave and the terms that apply during and after maternity leave.
- This policy is intended to summarise your statutory rights. If there is a contradiction between this policy and the statutory maternity leave entitlements that apply at any time, this policy shall be deemed to be amended, as necessary, to comply with legislative requirements.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, at our absolute discretion.
Definitions
- In this policy we will use the following definitions:
- Expected Week of Childbirth: the week, starting on a Sunday, in which your doctor or midwife expects you to give birth.
- Qualifying Week: the 15th week before the Expected Week of Childbirth.
What is maternity leave and who is eligible to take it?
- Maternity leave is the right for qualifying employees to take up to 52 weeks of leave in connection with their pregnancy and/or birth of their child. Pregnant employees also have the right to time off work for antenatal appointments.
- To be eligible for maternity leave you must:
- be an employee (not a contractor or consultant);
- be pregnant at the Qualifying Week; and
- in general, comply with the notification requirements set out in this policy.
- The right to take maternity leave is not dependent on your length of service, although to qualify for statutory maternity pay, you must have at least 26 weeks of service at the Qualifying Week.
- You may be eligible to take shared parental leave instead of your full entitlement of maternity leave. For details about shared parental leave, see the Employer’s Shared Parental Leave Policy available from your line manager or the HR Department.
Giving notice of your pregnancy
- In all cases, we request that you tell us as soon as possible that you are pregnant so that we can ensure we comply with any health and safety requirements.
- You must tell us before the end of the Qualifying Week, or as soon as reasonably practical afterwards, that you are pregnant, the dates of your Expected Week of Childbirth and when you would like your maternity leave to start.
- You must also confirm your Expected Week of Childbirth by providing us with a certificate from a doctor or midwife (this will usually be on a MAT B1 form).
Antenatal appointments
- During pregnancy, you may take time off from work to attend antenatal classes. You will be paid as normal. Please give us as much notice as you can of your intention to take time off. If you haven’t already given us a certificate of your pregnancy from your midwife, doctor or health visitor then we will ask you to provide this and an appointment card for the class, except for the first appointment.
Health and safety during your pregnancy
- As well as our normal health and safety duties to all our staff, we will assess workplace risks specific to pregnant women and those who have recently become mothers and/or are breastfeeding. When you tell us that you are pregnant, we will inform you of any relevant risks that we have identified along with the measures that you and we must take to help protect against those risks. In some cases, we may need to take steps to protect you and/or your child against health hazards that may include having to:
- change your working arrangements;
- offer you suitable alternative work, on terms and conditions that are the same or not substantially less favourable; or
- suspend you from duties on full pay (or if you have unreasonably refused suitable alternative work, without pay).
Sickness
- If you are absent from work because of pregnancy-related sickness then your entitlement to payment will be as for any other period of sickness absence and subject to the same limits and conditions, as set out in the Sickness Policy contained within this Staff Handbook. Payment in excess of the normal rules is at our discretion.
- Pregnancy-related sickness absence will not be taken into account for the purpose of any employment decisions to which sickness absence is relevant.
- During the 4 weeks immediately before your Expected Week of Childbirth, any sickness absence will normally automatically trigger the start of your maternity leave.
Starting maternity leave
- As noted above, you must formally notify us of the date on which you want to start maternity leave before the end of the Qualifying Week.
- Your maternity leave cannot start earlier than 11 weeks before the Expected Week of Childbirth (unless you give birth prematurely before then). Within 28 days of receiving your notice, we will confirm to you in writing the last date by which you must return from maternity leave.
- You can change the start date for your maternity leave by giving us written notice. You must give the notice at least 28 days before the earlier of (i) the new start date or (ii) the original start date. If it is not possible to give that much notice then you must notify us as soon as reasonably practicable.
- Your maternity leave will start on the date notified to us in accordance with this policy unless:
- you give birth before then, in which case your leave will start on the day after the birth and you must give us written notice of the date of birth as soon as possible; or
- you are absent from work for a pregnancy-related reason during the 4 weeks immediately before the Expected Week of Childbirth, in which case you must tell us as soon as possible in writing and leave will start on the day following the first day of that absence unless we agree otherwise.
- You may not work during the 2 weeks immediately after giving birth, by law, so your maternity leave period must include these 2 weeks (or 4 weeks if you are a factory worker).
- Near the time when your leave is due to start, we will discuss the arrangements for your maternity cover and the arrangements for keeping in touch with us during your leave, if you wish to do so. During your leave, you will continue to receive certain internal communications like job vacancies, social events, training and similar news unless you tell us that you would prefer not to receive these.
Maternity pay
- During your maternity leave, qualifying employees will be entitled to receive statutory maternity pay (SMP) for up to 39 weeks. To qualify, you must:
- still be employed and have at least 26 weeks of continuous employment at the end of the Qualifying Week;
- provide us with a doctor’s or midwife’s certificate (MAT B1 form) confirming the date of your Expected Week of Childbirth;
- have average earnings during the 8 weeks ending with the Qualifying Week (the Relevant Period) of at least the lower earnings limit set by the Government; and
- notify us of your intention to take maternity leave at least 28 days in advance or, if that is not possible, give us as much notice as you can.
- During the first 6 weeks of your maternity leave, SMP is paid at 90% of your average weekly earnings calculated over the Relevant Period. After that, for up to a further 33 weeks, it is paid at a statutory rate set annually by the Government.
- If you are due a pay rise during your maternity leave then this will be deemed to have applied during the Relevant Period, which will have the effect of retrospectively increasing your entitlement to SMP for the first 6 weeks of your maternity leave. If you have already received your SMP for that 6 weeks then we will pay you the difference in a lump sum. Otherwise, we will pay your SMP through normal payroll, less tax, National Insurance and any other lawful deductions.
- SMP will stop being payable if you return to work (except where you are simply keeping in touch as described in the “During maternity leave” section below).
- If you leave employment after the start of the Qualifying Week you will still be eligible for SMP from the later of (i) the week following your final week of employment or (ii) the 11th week before the Expected Week of Childbirth.
During maternity leave
- While you are on maternity leave, your normal terms of employment will continue to apply except for your entitlement to pay. In particular, benefits in kind shall continue and you will continue to accrue holiday. The effect of your maternity leave on your pension arrangements depends on the type of scheme in which you are participating and the terms of your participation. For further information on this, speak to your line manager or the HR Department.
- Although we will respect your absence during your maternity leave, we may need to make contact with you from time to time. In particular, we will make contact shortly before your maternity leave ends to arrange a discussion with you about your return to work including any training needs, proposed changes to your working arrangements or just to update you on developments in your absence. If you have any concerns regarding this, you should speak with your line manager or the HR Department.
Keeping in Touch Days
- In addition to the circumstances described above, in respect of keeping in contact, employees may also attend work for training or other reasons during their maternity leave for up to 10 days by prior agreement with us, known as ‘Keeping-in-Touch Days’ or ‘KIT Days’. You are under no obligation to do this. Attending work on this basis will not end your maternity leave or your entitlement to maternity pay.
- A day for the purpose of KIT Days does not necessarily mean a full or standard work shift of normal duration but can be any length of time (e.g. a half-day or a partial day).
- You will be paid at your normal basic rate of pay for time spent working on a KIT Day and this will be inclusive of any maternity pay entitlement.
- We affirm that we will not force any employee to use any KIT Days. An employee may freely and without penalty turn down any request we may make for them to attend the workplace for a KIT Day. Similarly, we may also freely reject any request that an employee makes to use a KIT Day.
- If you would like to discuss this option further, you should speak with your line manager or the HR Department.
Expected return date
- As noted above, we will confirm to you the date on which you are expected to return to work after maternity leave within 28 days of your notifying your pregnancy and leave start date to us. If your maternity leave start date changes for any reason then we will confirm the revised return to work date to you within 28 days of the start of your maternity leave.
- If you plan to come back to work on the return date that we have notified to you then you are not obliged to do anything further, although we would be grateful if you would help us plan ahead by confirming during your leave that you will return as expected.
- If you wish to return to work earlier than the date that we have notified to you then you will need to give us at least 8 weeks’ prior notice of the new date and we request that you do this in writing. If you don’t give us 8 weeks’ notice then we may postpone your return until the sooner of 8 weeks from the date of your notice or the date that you were originally expected to return.
- If you wish to return later than the date we have notified to you then you should either:
- request parental leave, in accordance with the Employer’s Parental Leave Policy available from your line manager or the HR Department; or
- request to take holiday in accordance with your contract.
- If sickness absence prevents you from returning on the planned date then the normal rules relating to sickness absence will apply.
- In any other case, late return will be treated as unauthorised absence.
- If you decide not to return to work at all then you must give notice of resignation in accordance with your contract of employment. If your maternity leave is due to end during the currency of your notice period then you may be required to return to work until your notice period expires.
When you return to work
- In general, you will return to work in the same job and on the same terms as if you had not been absent. However, in some cases where you have taken more than 6 months’ leave or any period of parental leave in conjunction with your maternity leave then we may offer you another suitable role, on terms and conditions that are not less favourable than those that applied before your leave.
- If you wish to change your working patterns when you return to work then you should make a request for flexible working in line with set procedures that are set out in our Flexible Working Policy contained within this Staff Handbook. Flexible working requests take time to deal with so it’s important that you make your request as soon as possible, otherwise, you may have to return to work on the basis of your prior working patterns until the process of dealing with the request has finished.
Rights to leave on adoption
- Certain employees can take adoption leave, paternity leave or shared parental leave in relation to the adoption of a child. Further details are available from the HR Department.
Paternity Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) recognises and respects the rights of parents to take time away from work in connection with childbirth. No one will be subjected to a detriment for exercising their right to take paternity leave in accordance with this policy or for seeking to do so.
- The purpose of this policy is to ensure that staff and managers are clear about entitlements to paternity leave, the process that should be followed for arranging leave and the terms that apply during and after paternity leave.
- This policy is intended to summarise your statutory rights. If there is a contradiction between this policy and the statutory paternity leave entitlements that apply at any time, this policy shall be deemed to be amended, as necessary, to comply with legislative requirements.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, at our absolute discretion.
Definitions
- In this policy we will use the following definitions:
- Expected Week of Childbirth: the week, starting on a Sunday, in which your doctor or midwife expects your spouse, civil partner or Partner to give birth.
- Partner: someone (whether of a different sex or the same sex) with whom you live in an enduring family relationship, but who is not your parent, grandparent, sister, brother, aunt or uncle.
- Qualifying Week: the 15th week before the Expected Week of Childbirth.
What is paternity leave and who is eligible to take it?
- Paternity leave is the right for qualifying employees to take up to 2 weeks’ paternity leave, in connection with the birth of their child or a child for whom they have responsibility.
- Paternity leave is available to qualifying employees, for the purpose of caring for a child, or supporting the child’s other parent, in the following cases:
- On the birth of a child, where either:
- you are the biological father and expect to have some responsibility for the child’s upbringing; or
- you are the mother’s Partner and you expect to have main responsibility with the mother for the child’s upbringing.
- On the birth of a child to a surrogate mother where you are, or your Partner is, one of the child’s biological parents, and you expect to obtain a parental order giving you and your Partner responsibility for the child.
- Where an adoption agency places a child with you and/or your Partner for adoption and you expect to have main responsibility (with your Partner) for the child’s upbringing.
- Where a local authority places a child with you and/or your Partner under a fostering for adoption arrangement and you expect to have main responsibility (with your Partner) for the child’s upbringing.
- To qualify for paternity leave you must have been continuously employed by us for at least 26 weeks ending with the 15th week before the Expected Week of Childbirth or the week in which you or your Partner are notified by the adoption agency or local authority that you/they have been matched with a child.
- You may also be eligible to take shared parental leave. For details about shared parental leave, see the Employer’s Shared Parental Leave Policy available from your line manager or the HR Department.
Timing and length of paternity leave
- Paternity leave must be taken as a period of either 1 week or 2 consecutive weeks. It cannot be taken in instalments.
- Paternity leave can start on the date of the child’s birth or adoption placement, or a later date of your choosing. However, it must end within 56 days (8 weeks) of birth or placement, or within 56 days of the first day of the Expected Week of Childbirth (if the child was born early).
Giving notice of your intention to take paternity leave
- To take paternity leave you must give us written notice by the end of the 15th week before the Expected Week of Childbirth or no more than 7 days after you and/or your Partner were notified of having been matched with the child, or as soon as you reasonably can, stating:
- the Expected Week of Childbirth;
- the date you would like your leave to start (which may be a specified date after the start of the Expected Week of Childbirth, the actual date of birth or a specified number of days after birth); and
- whether you intend to take 1 week or 2 weeks’ leave.
- We may require a signed declaration from you that you are taking paternity leave to care for the child or to support the child’s other parent in caring for the child.
Changing the dates of paternity leave or cancelling paternity leave
- You may vary the start date of your paternity leave if you give notice as follows:
- If you wish to start your leave on the day of the child’s birth or on the day that the child is placed with you or the adopter, please tell us at least 28 days before the first day of the Expected Week of Childbirth.
- If you wish to start your leave on a specified number of days after the child’s birth or placement, please tell us at least 28 days (minus the specified number of days) before the first day of the Expected Week of Childbirth.
- If you wish to start your leave on a specific date that is different to the original start date you informed us of, please tell us at least 28 days before that date.
- If you are unable to give us 28 days’ written notice as set out above, you should do so as soon as you can.
- Notice should be given to your line manager or the HR Department.
Statutory paternity pay
- To qualify for Statutory Paternity Pay (SPP), you must have worked for your employer for at least 26 continuous weeks before:
- the 15th week before the baby is due; or
- the end of the week the adoption agency matched you with a child.
- If you take paternity leave in accordance with this policy, you will be entitled to SPP if your average weekly earnings are not less than the lower earnings limit set by the Government.
- SPP is paid at a prescribed rate which is set by the Government for the relevant tax year, or at 90% of your average weekly earnings calculated over the relevant period if this is lower. For details of the current prescribed rate, please contact your line manager or the HR Department.
During paternity leave
- While you are on paternity leave, your normal terms of employment will continue to apply except for your entitlement to pay. In particular, benefits in kind shall continue and you will continue to accrue holiday. The effect of your paternity leave on your pension arrangements depends on the type of scheme in which you are participating and the terms of your participation. For further information on this, speak to your line manager or the HR Department.
- Although we will respect your absence during your paternity leave, we may need to make contact with you from time to time.
When you return to work
- In general, you will return to work in the same job and on the same terms as if you had not been absent. However, in some cases where you have taken any period of parental leave, in accordance with the Employer’s Parental Leave Policy available from your line manager or the HR Department, in conjunction with your paternity leave then we may offer you another suitable role, on terms and conditions that are not less favourable than those that applied before your leave.
- If you wish to change your working patterns when you return to work then you should make a request for flexible working in line with the procedures set out in our Flexible Working Policy contained within this Staff Handbook. Flexible working requests take time to deal with, so it’s important that you make your request as soon as possible; otherwise you may have to return to work on the basis of your prior working patterns until the process of dealing with the request has finished.
Rights to leave on adoption
- Certain employees can take either adoption leave, paternity leave or shared parental leave in relation to the adoption of a child and adoption leave if they are to have parental responsibility for a child under a surrogacy arrangement. Further details are available from the HR Department.
DATA PROTECTION POLICIES
Data Protection and Data Security Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
- We confirm for the purposes of the data protection laws that the Employer is a Data Controller of the personal data we hold in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
- The purpose of this policy is to help us achieve our data protection and data security aims by:
- notifying our staff of the types of personal information that we may hold about them, our customers, suppliers, and other third parties and what we do with that information;
- setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
- clarifying the responsibilities and duties of staff in respect of data protection and data security.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, at our absolute discretion.
- For the purposes of this policy:
- Criminal Records Data means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
- Data Protection Laws mean all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the UK General Data Protection Regulation and the Data Protection Act 2018.
- Data Subject means the individual to whom personal data relates.
- Personal Data means any information that relates to an individual who can be identified from that information.
- Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
- Special Categories of Personal Data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), health, sex life or sexual orientation, and biometric data.
Data protection principles
- Staff whose work involves using personal data relating to staff or others (e.g. customers) must comply with this policy and with the following data protection principles which require that personal information is:
- processed lawfully, fairly, and in a transparent manner. We must always have a lawful basis to process personal data, as set out in Data Protection Laws. Personal Data may be processed as necessary to perform a contract with the Data Subject, to comply with a legal obligation which the Data Controller is the subject of, or for the legitimate interest of the Data Controller or the party to whom the data is disclosed. The Data Subject must be told who controls the information (us), the purpose(s) for which we are processing the information, and to whom it may be disclosed;
- collected only for specified, explicit, and legitimate purposes. Personal Data must not be collected for one purpose and then used for another. If we want to change the way we use Personal Data, we must first tell the Data Subject;
- processed only where it is adequate, relevant, and limited to what is necessary for the purposes of processing. We will only collect Personal Data to the extent required for the specific purpose notified to the Data Subject;
- accurate and the Employer takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when it is collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information;
- kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer (DPO); and
- secure, and appropriate measures are adopted by the Employer to ensure that it is such.
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
- Questions about this policy, or requests for further information, should be directed to the DPO.
- All staff have personal responsibility to ensure compliance with this policy, to handle all Personal Data consistently with the principles set out here, and to ensure that measures are taken to protect the security of data. Managers have special responsibility for leading by example and monitoring and enforcing compliance. You must notify the DPO if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
- Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
What Personal Data and activities are covered by this policy?
- This policy covers Personal Data:
- which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
- which is stored electronically or on paper in a filing system;
- which is in the form of statements of opinion as well as facts;
- which relates to staff (present, past or future) or to any other individual whose personal data we handle or control; and
- which we obtain or which is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
- This Personal Data is subject to the legal safeguards set out in the Data Protection Laws.
What Personal Data do we process about staff?
- We may collect Personal Data about you which:
- You provide or we gather before or during your employment or engagement with us.
- Is provided by third parties, such as references or information from suppliers or another party that we do business with.
- Is in the public domain.
- The types of Personal Data that we may collect, store and use about you include records relating to your:
- Home address, contact details, and contact details for your next of kin.
- Recruitment (including your application form or curriculum vitae, references received and details of your qualifications).
- Pay records, national insurance number, and details of taxes and any employment benefits such as pensions and health insurance (including details of any claims made).
- Telephone, email, internet, fax, or instant messenger use.
- ID.
- Performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.
Sensitive Personal Data
- We may from time to time need to process sensitive personal information (i.e. ‘Special Categories of Personal Data’).
- We will only process sensitive personal information if:
- we have a lawful basis for doing so (e.g. it is necessary for the performance of the employment contract); and
- one of the following special conditions for Processing personal information applies:
- the Data Subject has given explicit consent;
- the Processing is necessary for the purposes of exercising the employment law rights or obligations of the Employer or the Data Subject;
- the Processing is necessary to protect the Data Subject’s vital interests, and the Data Subject is physically incapable of giving consent;
- the Processing relates to Personal Data which are manifestly made public by the Data Subject;
- the Processing is necessary for the establishment, exercise, or defence of legal claims; or
- the Processing is necessary for reasons of substantial public interest.
- Before processing any sensitive personal information, staff must notify the DPO of the proposed Processing, in order for the DPO to assess whether the Processing complies with the criteria noted above.
- Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it.
- Our Employee Privacy Notice (contained within this Staff Handbook) sets out the types of sensitive personal information that we process, what it is used for, and the lawful basis for the processing.
Criminal records information
- Criminal records information will be processed in accordance with the Employer’s criminal records information policies and procedures.
How we use your Personal Data
- We will tell you the reasons for Processing your Personal Data, how we use such information, and the legal basis for Processing in the Employer’s Employee Privacy Notice. We will not process staff personal information for any other reason.
- In general, we will use information to carry out our business, to administer your employment or engagement, and to deal with any problems or concerns you may have. This use of information includes, but is not limited to:
- Staff address lists: to compile and circulate lists of home address and contact details, to enable us to contact you outside working hours.
- Sickness records: we will maintain a record of your sickness absence and copies of any doctors’ notes or other documents supplied to us in connection with your health, in order to:
- inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence;
- deal with unacceptably high or suspicious sickness absence;
- inform reviewers for appraisal purposes of your sickness absence level; or
- publish internally aggregated, anonymous details of sickness absence levels.
- Monitoring IT systems: to monitor your use of emails, internet, telephone and fax, computer or other communications or IT resources.
- Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory, or compliance matters or proceedings that may involve you.
- Equal Opportunities Monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymised, aggregated information about the breakdown of the Employer’s workforce.
- Performance Reviews: to carry out performance reviews.
- Security.
Accuracy and relevance
- We will:
- ensure that any Personal Data processed is up to date, accurate, adequate, relevant, and not excessive, given the purpose for which it was collected; and
- not Process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
- If you consider that any information held about you is inaccurate or out of date, then you should tell the DPO. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.
Storage and retention
- Personal Data (and sensitive personal information) will be kept securely in accordance with the Employer’s Data Retention Policy, available from your line manager or HR Department.
- The periods for which we hold Personal Data are contained in the Employer’s Data Retention Policy and Employee Privacy Notice.
Individual rights
- You have the following rights in relation to your Personal Data:
- Subject access requests:
- You have the right to make a subject access request. If you make a subject access request, we will tell you:
- whether or not your Personal Data is processed and if so why, the categories of personal data concerned, and the source of the data if it is not collected from you;
- to whom your Personal Data is or may be disclosed, including to recipients outside of the UK or European Economic Area (EEA) and the safeguards that are used for such transfers;
- for how long your Personal Data is stored (or how that period is to be decided);
- your rights of rectification or erasure of data, or to restrict or object to Processing;
- your right to complain to the Information Commissioner’s Office (ICO) (at www.ico.org.uk/make-a-complaint/) if you think we have failed to comply with your data protection rights; and
- whether or not we carry out automated decision-making and the logic involved in any such decision making.
- We will provide you with a copy of the Personal Data undergoing Processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
- To make a subject access request, email lorrihaines@shoorah.io.
- We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
- We will normally respond to your request within 28 days from the date your request is received. In some cases, e.g. where there is a large amount of Personal Data being processed, we may respond within 3 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
- If your request is manifestly unfounded or excessive we are not obliged to comply with it.
- Other rights:
- You have a number of other rights in relation to your Personal Data. You can require us to:
- Rectify inaccurate data.
- Stop Processing or erase data that is no longer necessary for the purposes of Processing.
- Stop Processing or erase data if your interests override our legitimate grounds for Processing the data (where we rely on our legitimate interests as a reason for Processing data).
- Stop Processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer’s legitimate grounds for Processing the data.
- To request that we take any of these steps, please send the request to lorrihaines@shoorah.io.
Data security
- We will use appropriate technical and organisational measures to keep Personal Data secure and, in particular, to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
- Maintaining data security means making sure that:
- only people who are authorised to use the information can access it;
- Personal Data is, where possible, pseudonymised or encrypted;
- information is accurate and suitable for the purpose for which it is processed; and
- authorised persons can access information if they need it for authorised purposes.
- By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it (i.e. from obtaining to destroying the information).
- Personal information must not be transferred to any person to Process (e.g. while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
- Security procedures include:
- Any desk or cupboard containing confidential information must be kept locked.
- Computers should be locked with a strong password that is changed regularly or should be shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
- Data stored on CDs, memory sticks, or similar must be encrypted or password protected and the media must be locked away securely when they are not being used.
- Use of any cloud service to store data must be approved first by the DPO.
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
- All servers containing Sensitive Personal Data must be approved and protected by security software.
- Servers containing Personal Data must be kept in a secure location, away from general office space.
- Data should be regularly backed up in line with the Employer’s back-up procedure.
- Staff must abide by telephone precautions. Particular care must be taken by staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
- The identity of any telephone caller must be verified before any personal information is disclosed.
- If the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing.
- Callers must not be allowed to bully you into disclosing information. In case of any problems or uncertainty, contact the DPO.
- Correct methods of disposal must be adhered to.
- Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and data on CDs or memory sticks or similar must be rendered permanently unreadable.
Data protection impact assessments
- Some of the Processing that the Employer carries out may result in risks to privacy.
- Where Processing would result in a high risk to staff rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of Processing. This will include considering the purposes for which the activity is carried out, the risks for individuals, and the measures that can be put in place to mitigate those risks.
Data breaches
- If we discover that there has been a breach of staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the ICO within 72 hours of discovery.
- We will record all data breaches regardless of their effect in accordance with our practices and procedures on data breaches. Contact the DPO for more information.
- If the breach is likely to result in a high risk to individuals’ rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures that have been taken.
International data transfers
- In the course of carrying out our business, we may need to transfer your Personal Data to a country outside the UK and European Economic Area (EEA) including to any group company or to another person with whom we have a business relationship.
- Your Personal Data will only be transferred to a country outside of the UK or EEA if there are adequate protections in place. To ensure that your personal data receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure your personal data is treated by those third parties in a way that is consistent with and which respects Data Protection Laws.
- If you wish to know more about international transfers of your personal data, you may contact the DPO.
Individual responsibilities
- Staff are responsible for helping the Employer keep their Personal Data up to date.
- Staff should let the Employer know if Personal Data provided to the Employer changes, e.g. if you move house or change your bank details.
- You may have access to the Personal Data of other staff members and of our customers in the course of your employment. Where this is the case, the Employer relies on staff members to help meet its data protection obligations to staff and to customers.
- Individuals who have access to Personal Data are required:
- To access only personal data that they have authority to access and only for authorised purposes.
- Not to disclose Personal Data except to individuals (whether inside or outside of the Employer) who have appropriate authorisation.
- To keep Personal Data secure (e.g. by complying with rules on access to premises, computer access (including password protection), and secure file storage and destruction).
- Not to remove Personal Data, or devices containing or that can be used to access Personal Data, from the Employer’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
- Not to store Personal Data on local drives or on personal devices that are used for work purposes.
Training
- We will provide training to all individuals about their data protection responsibilities as part of their induction process and at appropriate and regular intervals thereafter.
- Individuals whose roles require regular access to Personal Data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
Employee Privacy Notice
Statement and purpose of policy
Shoorah Ltd (the Employer, we, our or us) collects and processes personal data relating to its employees in order to manage its relationship with them. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
What information does the Employer collect?
We collect and process a range of information about you. This includes:
your name, address and contact details, including email address and telephone number, date of birth and gender;
the terms and conditions of your employment;
details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with us;
information about your remuneration, including entitlement to benefits, such as pensions and insurance cover;
details of your bank account and national insurance number;
information about your marital status, next of kin, dependents and emergency contacts;
information about your nationality and entitlement to work in the UK;
details of your schedule (days of work and working hours) and attendance at work;
details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals and the reasons for the leave;
photographs or videos;
details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence; and
information about medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.
We may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, we may collect personal data about you from third parties, such as references supplied by former employers.
Data will be stored in a range of different places, including in your electronic personnel file, in our HR management systems and in other IT systems (including our email system).
Why does the Employer process personal data?
We need to process your personal data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefits, pension and insurance entitlements.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:
run recruitment and promotion processes;
maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
operate and keep a record of employee performance and related processes to confirm compliance with our internal policies and procedures, to plan for career development, and for succession planning and workforce management purposes;
operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
ensure effective general HR and business administration;
provide references on request for current or former employees; and
respond to and defend against legal claims.
Some special categories of personal data, i.e. sensitive personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities).
We also collect information relating to your sickness records to maintain a record of your sickness absence and copies of any doctor’s notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence and to inform reviewers for appraisal purposes of your sickness absence levels.
Where we process other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of carrying out our legal obligations and exercising specific legal rights in relation to employment.
Who has access to data?
Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for the performance of their roles.
We share your data with third parties in order to:
obtain advice from professional advisers, including accountants, auditors, lawyers, insurers, bankers, and others;
help third party service providers who provide products and services to us such as payroll, pension scheme and benefits administration, human resources, performance management, training, expense management, IT, etc; and
facilitate the detection of crime or the collection of taxes or duties.
We also share your data with third parties that process data on our behalf in connection with payroll and the provision of benefits.
We may also disclose your personal data to third parties:
when we determine that disclosure is required to protect our rights, property, or personal safety, or to respond to requests by public, regulatory, or law enforcement authorities, including to meet national security or law enforcement requirements; or
if we sell some or all of our business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets, and if the transaction closes, then your personal data may be transferred to the buyer.
If we transfer employee personal data to a third party vendor for processing (e.g. payroll services), we are responsible as the data controller for the processing of that data.
Choice
We do not currently share your personal data with third parties other than our service providers who act on our behalf. However, if we decide to do so in the future, we will offer you the opportunity to choose (opt out) before your personal data is disclosed to a third party controller (i.e. a non-service provider). Also, if we decide to use your data for purposes that are different from the purpose(s) for which it was originally collected or subsequently authorised by you, we will offer you the opportunity to choose (opt out) before such use.
Transfers outside the United Kingdom and European Economic Area
Data which we collect from you may be stored and processed in and transferred to countries outside of the UK and European Economic Area (EEA). For example, this could occur if we have group companies located in a country outside the UK or EEA or one of our service providers is situated in a country outside the UK or EEA.
We will only transfer your personal data outside the UK or EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, e.g. by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission.
To ensure that your personal data receives an adequate level of protection, we have put in place appropriate safeguards and procedures with the third parties we share your personal data with. This ensures your personal data is treated by those third parties in a way that is consistent with the data protection laws.
How does the Employer protect data?
We take the protection of your data seriously. We have internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, and such third parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the Employer keep data?
We will hold your data for the duration of your employment. The periods for which your data will be held after the end of employment are set out in the Employer’s Data Retention Policy, available from your line manager or the HR Department.
Your rights
As a data subject, you have a number of rights. You can:
access and obtain a copy of your personal data on request;
require us to change incorrect or incomplete personal data;
require us to delete or stop processing your data in certain circumstances such as where the data is no longer necessary for the purposes of processing;
object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing, in certain circumstances; and
ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
If you would like to exercise any of these rights, please contact your line manager or the HR Department.
Complaint resolution
If you believe that we have not complied with this privacy notice or your data protection rights, you have the right to file a complaint with the UK Information Commissioner’s Office (ICO) (at www.ico.org.uk/make-a-complaint/). However, we hope that you will attempt to resolve the complaint with us first.
In addition, if you have any inquiries or complaints about the handling of your personal data, or about our privacy practices generally, please contact us at lorrihaines@shoorah.io and we will respond to your inquiry promptly.
What if you do not provide personal data?
You have some obligations under your employment contract to provide us with certain personal data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, has to be provided to enable us to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
ABSENCE MANAGEMENT POLICIES
Purpose of the annual leave policy
- Shoorah Ltd (the Employer, we, our or us) recognises the right of our staff to take paid annual leave each year. We believe that it is important for you to rest and we strongly encourage you to make use of your annual leave.
- The purpose of this policy is to ensure that both staff and managers are clear on the entitlements, rules and processes surrounding your entitlement to annual leave. If you have questions about the contents of this policy, please contact your line manager or the HR Department.
- This policy applies to all employees, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff and workers (our Staff, you or your). It does not apply to self-employed contractors.
- Some of the entitlements and rules in this policy summarise statutory rights. If any statutory rights change and become inconsistent with this policy, we will amend the policy to reflect these changes.
- This policy is not part of your contract of employment and we may amend this policy at any time, at our absolute discretion.
Annual leave entitlement
- Our annual leave year runs from 1 January to 30 December.
- You are entitled to 28 days of annual leave per year pro rata inclusive of UK bank holidays (your Annual Leave Entitlement).
- Your Annual Leave Entitlement is the paid time off that you are entitled to. You may request additional unpaid time off, which may be granted entirely at the discretion of your line manager.
- Your Annual Leave Entitlement will continue to accrue while you are on any family leave (ie parental or adoption leave) or sick leave.
Requesting annual leave
- Annual leave is recorded in the Shoorah HR software “Bright HR”. Requests for annual leave should be made in writing to your line manager.
- You should ensure that your annual leave requests are approved before booking a holiday. We are not liable for any loss incurred by you if you incur costs and make commitments prior to receiving approval.
- If you take annual leave without approval we may take disciplinary action against you in accordance with our Disciplinary Procedure, contained within this Staff Handbook.
- You should provide double the amount of notice of the time you are requesting off. For example, if you wish to book 2 weeks’ annual leave you should provide 4 weeks’ notice.
- Please note that your line manager has the right to refuse your annual leave request, taking into consideration business needs, the high volume of annual leave requests received at certain times of year (eg school holidays), and the notice provided.
Holiday pay
- You will be paid your regular pay during any annual leave time that you take. If you work a shift pattern or irregular hours (ie a different number of hours each week), your holiday pay will be worked out based on the average number of hours per week worked during the preceding 52 weeks.
- If you are regularly paid a commission, bonuses, or overtime, an average of the amount you receive from these payments will be added to 4 weeks of your standard holiday pay.
Illness and bereavement during annual leave
- If you become ill during your annual leave, you may reallocate your leave as sick leave by following our usual policy and procedures for sickness. Any time reallocated as sick leave will be added back onto your Annual Leave Entitlement. To use this time, you should request new annual leave following the ordinary procedures outlined in this document.
- If you reallocate your annual leave as sick leave, you will be paid according to our Sickness Policy, contained within this Staff Handbook.
- If you experience a bereavement during your annual leave, you may reallocate your leave as bereavement leave if you are entitled to such under our Bereavement Policy, contained within this Staff Handbook. Any time reallocated as bereavement leave will be added back onto your Annual Leave Entitlement. To use this time, you should request new annual leave following the ordinary procedures outlined in this document.
- If you reallocate your annual leave as bereavement leave, you will be paid according to our bereavement leave pay rules.
Requiring Staff to take annual leave
- We may require you to take annual leave at a certain time, for example, if we decide to close the business for a period. In such situations, we will give you at least twice as many days’ notice as the amount of annual leave days that we require you to take (eg 10 days’ notice for 5 days of annual leave).
When annual leave can be taken
- Annual leave may be taken at any time during the annual leave year, subject to the discretion of your line manager.
- Annual leave may, at the discretion of your line manager, be taken immediately before or after family leave (ie parental or adoption leave) is taken (ie it may be added onto your family leave).
- If you intend to take annual leave immediately before or after family leave, you should discuss this with your HR manager when you arrange your family leave.
Bank holidays
- Time off for bank holidays is not provided on top of your ordinary Annual Leave Entitlement. You may choose to take annual leave on these days using your existing entitlement.
Carrying over Annual Leave Entitlement
- Wherever possible, you should use your full Annual Leave Entitlement for each annual leave year within that year. If you do not, your entitlement cannot be carried over into the next annual leave year and will be lost (subject to the exceptions below).
- Any carried over annual leave must be used within.
- You may carry over up to 4 weeks of unused Annual Leave Entitlement if you are unable to use your full entitlement within the annual leave year due to being on long-term sick leave, or because you have taken family (ie parental or adoption) leave at a time which prevents this. Any annual leave carried over for these reasons must be used within 18 months of the date that it is carried over.
- If you are unable to use your full Annual Leave Entitlement within an annual leave year due to being sick with Coronavirus (COVID-19), or because you were required to keep working due to Coronavirus (COVID-19), you may carry over up to 4 weeks of your entitlement for use within the following 2 annual leave years.
Ending employment
- When you end your employment, you will receive pay for any remaining Annual Leave Entitlement in your final pay. However, we may require you to use any remaining entitlement during your notice period.
- If, when you end your employment, the amount of annual leave you have taken exceeds the entitlement that you have accrued to that date, we may subtract the amount in excess from your final pay.
Bereavement Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) acknowledges the personal nature of bereavement and is committed to supporting employees in practical and reasonable ways.
- Bereavement or compassionate leave is leave that allows an employee time off to deal with their personal distress and related practical arrangements, primarily, but not limited to, when a member of their family dies.
- This policy shows the minimum leave employees are entitled to in different circumstances.
- We further acknowledge that:
- not all employees may require the full leave allowance; and
- some employees may need additional time, depending on their relationship with the person who has died and the circumstances of the death.
- We will take each situation on a case-by-case basis and will discuss any particular circumstances with employees individually.
- We may amend this policy at any time, at our absolute discretion.
Leave entitlements
- If employees need to take bereavement leave, they should speak to their line manager or the HR Department as soon as possible or, at the latest, on the first day of absence.
Paid leave
- In the event of the death of an immediate relative, employees will be entitled to 5 working days’ paid leave. An immediate relative includes a:
- spouse, civil partner or partner (partners include anyone the employee is cohabiting with but not married to and include same-sex partners);
- child (including any children the employee has adopted, is the legal guardian or carer of);
- parent or step-parent;
- sibling; or
- person with whom the employee is in a relationship of domestic dependency.
- Employees will be entitled to 1 working day’s paid leave in the event of the death of a:
- grandparent;
- grandchild;
- aunt or uncle;
- mother- or father-in-law; or
- daughter- or son-in-law.
- In certain circumstances, employees may be granted up to 0 paid working days’ leave in the event of the death of someone outside of their family. These circumstances include, but are not limited to situations where the employee:
- is responsible for making funeral arrangements; or
- has to travel abroad to attend the funeral.
- Paid compassionate leave days do not have to be taken consecutively.
Unpaid leave
- In the event of bereavement, employees may take up to 5 working days of unpaid leave.
- Employees should speak to their line manager or the HR Department before taking unpaid bereavement leave.
- In exceptional circumstances, employees may apply for paid leave after the first day of absence and line managers and the HR Department will exercise discretion in such exceptional circumstances.
Other kinds of leave
- Employees may also be eligible for other types of leave associated with bereavement. If an employee intends to take multiple types of leave, they should discuss the management of this with their line manager or the HR Department. Other types of leave include:
- Time off for dependents.
- Parental bereavement leave, which should be taken in line with the Employer’s Parental Bereavement Leave Policy, available from your line manager or the HR Department.
Annual leave
- In the event of bereavement, employees may take unpaid leave or annual leave at short notice, to supplement their paid bereavement leave.
- Employees should speak to their line manager or the HR Department about taking such supplementary annual leave.
- In the event of a family bereavement while on annual leave, employees can change their annual leave into bereavement leave and take their annual leave at a later date.
Returning to work after a bereavement
- We acknowledge that, in certain circumstances following the death of a relative, a full return to work may not be immediately possible (e.g. because the employee’s grief may impact their ability to perform their duties or new childcare arrangements need to be made). In such circumstances, employees can, where practicable, have a phased return to work, including:
- Returning to work on a part-time basis.
- Returning to work on a reduced hours basis.
- Undertaking alternative duties.
- Working remotely.
- Any arrangements for a phased return to work will need to be agreed in advance with the employee’s line manager or the HR Department and will be subject to an agreed maximum number of days. Arrangements should be made in accordance with our Flexible Working Policy, contained within this Staff Handbook.
Support for employees
- If an employee has any concerns about how their grieving process is impacting their work performance, they should speak to their line manager or the HR Department. This will help ensure that any necessary reasonable adjustments can be discussed and put in place so that the employee is supported in their return to work.
- We will cover the cost of up to 1 counselling session with an independent counselling practice, for any employees who wish to seek professional help in coming to terms with a bereavement. Employees should speak to the HR Department or the employee assistance programme to access this service.
Health and safety
- Our workplace health and safety assessment considers the impact of bereavement on employees, their duties and responsibilities, and the context in which they work (e.g. if they operate heavy machinery or equipment).
- Employees who are concerned about their ability to safely carry out all their duties after a bereavement should speak to their line manager.
- We reserve the right to request that an employee meet with their GP before fully returning to work and resuming their previous duties.
Culture and diversity
- We acknowledge and recognise that different cultures respond differently to death. Line managers or the HR Department will check if an employee observes any particular religious or cultural practices and will make special arrangements if employees require time off work in such cases.
- Employees should make their line manager or the HR Department aware of any religious or cultural practices that may require special arrangements as soon as possible.
- If line managers or the HR Department are unsure how to respond to a bereaved employee from a different cultural background they should ask the employee or someone from their cultural group about what is appropriate.
MANAGEMENT POLICIES
Grievance Procedure
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) is committed to dealing with employee grievances fairly, consistently and without unreasonable delay. This policy sets out the way in which an employee should make any complaints they have about work-related matters and the way in which we will deal with these complaints.
- This is a non-contractual policy and procedure and can be changed by us at any time. If you have any queries about this policy and procedure, contact your line manager or the HR Department.
Primary principles
- Grievances will be dealt with confidentially so far as is reasonably possible and employees must keep information learnt during this process confidential.
- The purpose of a grievance or appeal meeting is for the employee to explain their grievance and how they think that it should be resolved using evidence available to make representations, allowing us to come to a decision. Employees will not be subjected to a detriment for raising a grievance in good faith, even if the grievance is not upheld. However, the employee should not use this policy to dispute a disciplinary or dismissal decision. The correct policy for this can be obtained from your line manager or the HR Department. Also, if an employee deliberately gives false information, is dishonest or makes a false complaint during the grievance process, this may lead to disciplinary action by us.
- Employees will not normally be suspended during the grievance process, but we reserve the right to suspend if, at our discretion, we decide that this is helpful and reasonable. For more information on suspensions, see the Employer’s Disciplinary Procedure contained within this Staff Handbook.
- The employee has the right to appeal any decision made about a grievance as set out in the appeals section of this policy and procedure.
- The Employer processes personal data collected during informal discussions and the formal grievance procedure in accordance with the Data Protection and Data Security Policy contained within this Staff Handbook. In particular, data collected as part of informal discussions and the grievance procedure is held securely and accessed by, and disclosed to, individuals only for the purposes of responding to the grievance or conducting the grievance procedure. Inappropriate access or disclosure of employee data constitutes a data breach and should be reported in accordance with our Data Protection and Data Security Policy immediately. It may also constitute a disciplinary offence, which will be dealt with under our Disciplinary Procedure.
Informal discussion
- The Employer promotes communication between employees and so, wherever possible, the employee should try to resolve any grievance at work by firstly talking about it informally with their manager to try and agree on a solution. If the grievance is too serious, or if the employee or we think it is not appropriate in the circumstances to deal with the grievance informally, or if discussing the grievance informally does not work, the employee’s grievance will be dealt with formally.
- If we think that an investigatory interview would be helpful at any stage during the grievance process before a formal meeting is held or continued, we may take statements from the employee or witnesses or review documents at our sole discretion. No decision will be taken until after a grievance hearing has been held. An employee does not normally have the right to bring a companion to an investigative interview. However, we may allow the employee to bring a companion at our absolute discretion.
Formal procedure
Stage 1 – Statement of grievance
- To raise the matter formally the employee should write to their immediate supervisor setting out the facts of the grievance, avoiding insulting or abusive language and trying to give specific examples of the complaint, copies of documents, names of witnesses, and dates where possible.
- Where an employee’s grievance is against their immediate supervisor, the employee should write to the general manager or the HR Department or a manager who is not the subject of the grievance.
Stage 2 – Grievance meeting
- Within 5 working days, the employee’s manager will respond, in writing, to the employee’s written grievance, inviting the employee to attend a meeting where the alleged grievance can be discussed.
- The employee’s manager will usually hold the meeting (unless they are the subject of the grievance or it is not reasonably practicable for the employee’s manager to hold the meeting).
- 5 working days’ notice of the meeting will usually be provided to the employee and they will be informed of their right to be accompanied by a companion.
- The employee’s choice of companion will be agreed to if the companion is either a colleague, a trade union official or a trade union representative (which if not an employed official, must be certified by their union as competent to accompany a worker) and under the circumstances, the employee has made a reasonable request to be accompanied. The employee should advise us of the identity of the companion (or any change in their choice of companion) and whether they will require any special adjustments to be made for their or their companion’s attendance, at least 24 hours before the start of the meeting.
- We encourage employees to bring their choice of colleague, trade union representative or trade union official to formal meetings under this procedure, but the employee should bear in mind how practical it is for their choice of companion to attend and consider if there is a suitable and available individual who is geographically close to where the meeting is to be held, rather than first considering an individual geographically based further away.
- The role of the companion in a formal meeting is to make notes, confer with the employee and if the employee requests it, to address the hearing to state the employee’s case and respond to any views expressed at the meeting. The companion does not have the right to answer questions or address the hearing if the employee does not request this and must not prevent us from explaining our case.
- If an employee or their companion is unable to attend the meeting at the time, date and place specified by us, they must notify the chair of the meeting as soon as possible in writing. Except in the case of an emergency, this should be at least 24 hours before the start of the meeting and the employee should advise of a time when they and their choice of companion will be available within 5 working days of the original proposed meeting and provided this is reasonable, the new meeting time will be agreed.
- Employees must make every effort to attend any scheduled meeting under this procedure. If you are unable to attend more than 2 scheduled meetings, we reserve the right to make a decision about your grievance using available evidence but in your absence.
- If we or the employee will be referring to any documentation during the formal meeting, this should be sent to the other party at least 24 hours before the start of the meeting, so that they have a reasonable chance to prepare.
- We may at our absolute discretion adjourn a meeting to carry out further investigations, after which the meeting will usually reconvene.
- After the meeting, the manager will give the employee a decision in writing, normally within 24 hours.
Stage 3 – Appeal
- If the employee is unhappy with our decision and they wish to appeal, they should write to a more senior manager than their immediate supervisor within 5 working days of the date of the decision, saying that they disagree with the decision and giving their reason(s) why and providing any new evidence they seek to rely on.
- The employee will be invited to an appeal meeting, normally within 10 working days of us receiving the employee’s letter of appeal. The employee’s appeal will be heard by an impartial manager or if necessary an independent HR advisor who has not been part of the process up until the appeal stage. The employee’s appeal will either be a review of the grievance decision made or a complete rehearing, at our discretion. The right to be accompanied to the appeal meeting is the same as set out in (e)-(g) in Stage 2 above.
- After the meeting, the employee will be given a decision, normally within 24 hours. Our decision is final and there is no further right to appeal.
Flexible Working Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) is committed to an equal opportunities workplace and recognises the importance of supporting our employees in maintaining a healthy balance between work and their outside lives.
- The purpose of this policy is to help us achieve our equal opportunities and work-life balance aims by ensuring that:
- qualifying staff have a structured opportunity to formally request a change to their working pattern and are clear about how to make such a request; and
- managers are clear about the process that should be followed if they receive a request for flexible working and the terms that apply to flexible working arrangements. Managers have a specific responsibility to support colleagues and to ensure that this policy is a success by trying to accommodate flexible working requests where operationally possible.
- Employees who do not meet the qualifying criteria to request flexible working through the formal process may still make an informal request.
- This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, at our absolute discretion.
- This policy is intended to summarise your statutory rights (save for the section entitled ‘Making an informal flexible working request’ below). If there is a contradiction between this policy and the statutory flexible working request arrangements that apply at any time, this policy shall be deemed to be amended, as necessary, to comply with legislative requirements.
- No one will be subjected to a detriment for exercising their right to request flexible working in accordance with this policy.
What is flexible working?
- Flexible working means any change to normal working arrangements, including:
- working fewer or different hours;
- working fewer days; and/or
- working from a different place.
- Examples of flexible working arrangements include compressed hours, annualised hours, staggered hours, term-time working, job-sharing, flexi-time working, and working from home.
Who can make a formal request for flexible working?
- To be eligible to make a formal request for flexible working you must:
- be an employee (not a contractor or consultant);
- have at least 26 weeks of continuous service with us; and
- not have made a formal flexible working request in the previous 12 months.
- If your request for flexible working is accepted then this results in a permanent change to your employment contract. If you don’t want to permanently change your employment contract then you can follow the informal process instead.
Formal flexible working request process
- We encourage you to first have an informal discussion about your intention to make a request with Lorri Haines, to discuss eligibility and different ways to achieve your objective. This often helps both sides identify a proposal that can be accepted.
- To start the formal process, you should submit a written and dated application to Lorri Haines. This should ideally be submitted at least 2 months before you wish the changes to take effect and should include:
- A clear indication that it is a formal flexible working request that you are making.
- Confirmation that you meet the eligibility requirements explained above.
- As much information as possible about your current and desired working arrangements.
- The date when you want the new arrangement to take effect.
- The date of any previous formal request for flexible working you have made.
- Your thoughts on the impact of your requested changes on your work and your colleagues and our business as well as any suggestions that you have for addressing any adverse impact.
- Employees may make a request to work flexibly for any reason and, in general, you are not obliged to tell us why you wish to do so. However, if you are making your request to accommodate a disability or if you think that our Equal Opportunities Policy may be relevant for any other reason then you should tell us this, to ensure that your request is considered according to your legal rights. Our Equal Opportunities Policy is contained within this Staff Handbook.
Meetings or discussions
- In most cases, we will arrange to discuss your application with you as soon as possible after receiving it. If there is going to be a delay before the discussion for some reason then we will let you know. In some cases, we may decide not to hold a meeting at all, for example if we can agree to your request without any further discussion.
- As well as the person who is considering your application, Lorri Haines will be present. You may also have a companion present during the discussion.
- The discussion may take the form of a meeting but, if both you and we agree, it may alternatively be conducted by phone or videolink or some other method. We will try to arrange the discussion at a place and time convenient to you.
- During the discussion, we will talk about and consider your request. We will ask you to explain how the impact of the requested changes on your work and colleagues can be managed. If you wish to, you can explain the reason why you are making the request, but this is not compulsory. If it appears that we cannot accommodate your original request we will also discuss alternative options.
- Managers with responsibility to decide flexible working requests are encouraged to facilitate requests unless business or operational factors prevent acceptance and may at their discretion offer you a trial period of the proposed working arrangements to see if these meet your needs and work for the business.
Formal flexible working request decisions
- After the discussion (or if we decide that a discussion is not necessary), we will write to you to confirm our decision on your request as soon as possible. We will keep you informed as to any likely delay.
- If we agree to your request or propose an alternative arrangement or trial period then the letter will explain the new or proposed arrangements and the resulting changes to your employment contract and start date for the new arrangements. We will ask you to sign the letter confirming your agreement to the change of your contractual terms, which will be kept on your personnel file as a record of the permanent change to your terms and you will not be able to make another formal flexible working request for 12 months from the date you made that request.
- If business and operational requirements mean that we are not able to agree to your request then we will confirm this in writing, explaining the business reason for the refusal, how it applies to your case, and how you can appeal our decision.
- We may reject your request because of:
- the burden of additional costs;
- a detrimental effect on our ability to meet customer demand;
- an inability to reorganise work among existing staff;
- an inability to recruit additional staff;
- a detrimental impact on quality;
- a detrimental impact on performance;
- insufficiency of work during the periods that you propose to work; or
- planned changes.
Appeals against decisions on formal requests
- If we reject your request then you can appeal our decision by sending your written and dated grounds of appeal to Lorri Haines. Please submit your appeal within 14 days of receiving our written decision.
- We will then arrange for a further discussion with you about your appeal. We will try to make sure the arrangements for the discussion are convenient for everyone and will conduct the appeal in a reasonable way. You may bring a companion to the appeal discussion, as for the first discussion. The manager hearing the appeal will be independent and not have been involved with your flexible working request until the appeal stage and, where possible, will be more senior than the manager who made the initial decision.
- We will write to you to inform you as soon as practicable of the outcome of your appeal.
- If your appeal is upheld (i.e. successful), and we agree to your request or propose an alternative arrangement or trial period, then the letter will explain the new or proposed arrangements and the resulting changes to your employment contract and start date for the new arrangements. We will ask you to sign the letter confirming your agreement to the change of your contractual terms, which will be kept on your personnel file as a record of the permanent change to your terms and you will not be able to make another formal flexible working request for 12 months from the date you made that request.
- If your appeal is rejected we will confirm this in writing, explaining the business reason for the decision and how it applies to your case. You will have to wait at least 12 months after the date of your original request before making another formal request for flexible working.
Timing
- We will try to complete the whole process from receiving your request for flexible working to completing any appeal within 3 months.
- If it is not possible for us to do this we will ask you to agree to an extension of time (particularly if you lodge an appeal and there is not much time for us to consider it before the end of the 3-month period). We will try to keep you informed about the progress of your application and any likely delays.
Companions
- You may have a companion present at the first meeting or discussion concerning your formal request and at any appeal meeting or discussion. The companion must be a colleague or Trade Union Representative and may speak during the discussion to put forward your case but may not answer questions on your behalf. You can confer privately with your companion during the meeting or discussion.
- We may allow you to bring a different companion with you if this will help you overcome a disability or will alleviate any communication barrier, at our absolute discretion.
Withdrawal of a formal flexible working application
- If you notify us after making a formal flexible working request but before a decision is made that you wish to withdraw the request, you will not be eligible to make another request for 12 months from the date of the withdrawn request. If you fail twice to attend any meeting or discussion scheduled under this process, without reasonable cause, then we may treat your request as withdrawn and will confirm this to you in writing.
Making an informal flexible working request
- If you are ineligible to request flexible working under the formal process or for some other reason you wish to make an informal request then you should contact Lorri Haines who will consider our operational requirements and see whether your request can be granted.
- It will help us to deal with your request if you set out your request in writing, explaining as much as you can about:
- the change you would like to make and why;
- when you would like it to start and whether you would like it to be temporary or permanent; and
- what the impact on the business is likely to be and how the consequences of the change on our business and your colleagues can be managed.
- We will designate someone to consider your request and will confirm to you if we would like to arrange a meeting or discussion with you before reaching our decision.
Data protection
- We process personal data collected when managing flexible working requests in accordance with our Data Protection and Data Security Policy, contained within this Staff Handbook.
- In particular, data collected as part of managing employees’ flexible working requests is held securely and accessed by, and disclosed to, individuals only for the purposes of responding to flexible working requests and managing flexible working arrangements.
- Inappropriate access or disclosure of employee data constitutes a data breach and should be reported in accordance with our Data Protection and Data Security Policy immediately. It may also constitute a disciplinary offence, which will be dealt with under our Disciplinary Procedure, contained within this Staff Handbook.
Working From Home Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we, our or us) supports working from home for all staff and will agree to an employee working from home in appropriate circumstances, occasionally (to respond to specific circumstances or to complete particular tasks) and in some cases on a regular basis (full or part-time working from home).
- In certain circumstances, occasional or permanent working from home allows the Employer to accommodate a disability and can be requested as flexible working by following our Flexible Working Policy, contained within this Staff Handbook.
- This policy sets out how requests to work from home can be made, how such requests are dealt with, and the conditions on which working from home will be approved.
- The Employer may amend this policy at any time, at our absolute discretion.
What does this policy cover?
- This policy and the rules contained within it apply to all employees, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff and volunteers.
Requests to work from home
- You can make an application to work from home as soon as you start working for us. Any such application will be considered on its merits. However, note that not all jobs or roles are suitable for working from home.
- A request to work from home is unlikely to be approved if:
- you need to be present in the office to perform your role (e.g. because it involves specialised equipment only available in the office);
- you require supervision to deliver an acceptable quantity or quality of work;
- your current standard of work or your performance, as indicated by your line manager or most recent performance review, is unsatisfactory; or
- you have an unexpired warning relating to conduct or performance.
- When applying to work from home, you will need to show that you can:
- effectively manage your workload, meeting work deadlines;
- work independently, motivating yourself and relying on your own initiative; and
- adapt to new working practices when working from home, including by maintaining contact with colleagues and managers.
Requests to work from home on a regular basis
- To apply to work from home you must submit a written application to your line manager or the HR Department. Your application must set out:
- why you believe your role to be suitable to work from home;
- how you meet the requirements to work from home (as set out above);
- the date from which you wish to start working from home and, where the arrangement is for a fixed period, the date on which you wish to finish working from home;
- if you wish to work from home for your entire working week or only on certain days, specifying the days you wish to work from home;
- your availability for coming into work on days you are proposing to work from home if you are needed (e.g. to attend training days or cover for a sick colleague);
- how you will maintain contact with your line manager and how your work will be set and monitored; and
- how you will ensure the security of information and documents while working from home.
- For your application to work from home to be considered, you should give the Employer as much notice as possible and, in any event, make an application at least 21 days before your proposed working from home start date.
Requests to work from home on an ad-hoc basis
- Ad-hoc working from home requests should be made to your line manager. They do not need to be processed or recorded as a formal flexible working request. Ad-hoc working from home is working from home that is irregular in nature (e.g. working from home temporarily to oversee emergency repair work).
- Where possible, ad-hoc working from home should be requested at least 3 days before the desired working from home date. You should request no more than 10 ad-hoc working from home days per month.
Response to working from home application
- When considering your application to work from home your line manager or the HR Department may invite you to a meeting to discuss your proposal.
- The Employer will endeavour to respond to an application to work from home on a regular basis within 10 days of your application.
- If the Employer refuses your request to work from home, you will be given a written response stating the reasons for refusal. If you are unhappy with the decision, you may appeal by following our Grievance Procedure, contained in this Staff Handbook.
- If the Employer accepts your application to work from home, this will be recorded in writing. Any such acceptance may be subject to a trial period.
- Any agreement regarding your working from home will include the following terms:
- While working from home you will continue to be subject to the same performance measures, objectives, and processes as when you were working on the business premises.
- Your line manager will continue to supervise you and will regularly review your working from home arrangements, taking steps to address and rectify any problems. Your line manager will also ensure that you are up to date with information relevant to your work.
- You agree to attend the business premises or other reasonable locations for training courses, important meetings, or other events which you are expected to attend in person.
- You acknowledge that when you attend the business premises you may have to share a desk or hot desk.
Hours of work
- While you are working from home, your normal working hours will apply. If you do not think it will be possible to work these hours, please make a flexible working request in accordance with our Flexible Working Policy.
- Please make sure that you take adequate rest breaks throughout the day, as set out in your employment contract.
- In the event that you need to change your hours of work (e.g. to deal with the potentially conflicting demands of work and looking after children), please discuss any changes you need to your working schedule with your line manager.
Communicating with your line manager
- Make sure you keep in regular contact with your line manager and notify them if you are unsure about what you are required to do.
- You should consider all lines of communication, including email, telephone, and video calls to ensure relationships are maintained and work continues.
Security
- You are responsible for ensuring the security of all equipment, documents, and information and must take all necessary steps to ensure that confidential information is kept secure at all times. In particular, you must:
- Password protect any confidential information held on your home computer.
- Lock your computer whenever it is left unattended.
- Store confidential papers securely when they are not in use.
- Ensure the secure disposal of any confidential papers (e.g. by using a shredder if there is one available).
- Comply with our Data Protection and Data Security Policy, contained within this Staff Handbook.
- Comply with our Communications and Equipment Policy, available from your line manager or HR Department.
- Report any data security breaches to your line manager immediately.
Health and safety
- When working from home, you must take reasonable care of your own health and safety and that of anyone else in the home who is affected by your work while working from home.
- You should comply with our Health and Safety Policy, contained within this Staff Handbook, and follow all health and safety instructions issued by the Employer from time to time, including attending any health and safety training.
- Liaise with your line manager to make sure that your workstation is appropriate and that you are working in a safe manner.
- There are steps you can take to make sure you achieve a comfortable posture while working from home using display screen equipment (DSE). Please watch the video from the Health and Safety Executive (HSE) on workstation set-up at www.hse.gov.uk/toolbox/workers/home.htm.
- While working with DSE, please also observe these guidelines:
- Break up long spells of DSE work with rest breaks (at least 5 minutes every hour) or changes in activity.
- Avoid awkward, static postures by regularly changing your position.
- Get up and move around or do stretching exercises.
- Avoid eye fatigue by changing focus or blinking from time to time.
- For more information on working safely with DSE, and on staff entitlements to eye tests and glasses for DSE use, see our Health and Safety Policy.
- Notify your line manager and the HR Department if you identify any work-related health and safety concerns or hazards while working from home.
- You should follow the usual reporting procedures for any work-related accidents that occur in your home.
- For health and safety purposes, the Employer retains the right to inspect and check your home office. The need for such inspections will depend on your specific circumstances, including the nature of your work.
Insurance
- You acknowledge and understand that working from home may affect your home and contents insurance.
- You should check with your home and contents insurance providers that they have adequate cover for the fact that you work from home and whether any of your own equipment is covered for work use.
Rental or mortgage arrangements
- You acknowledge and understand that working from home may affect your mortgage, lease, or tenancy agreement.
- You are responsible for checking any applicable mortgage or rental agreement to ensure that you can work from home. If permission is necessary, you must make all necessary arrangements with your bank, mortgage provider, or landlord before starting to work from home.
Termination of a working from home arrangement
- The Employer reserves the right to bring your working from home arrangement to an end (e.g. if your role changes and working from home is no longer suitable) by providing you with 21 days’ notice.
- If you wish to terminate your regular working from home arrangement, you should first notify your line manager. The Employer will only be able to accept the termination if there is sufficient space available for you to return to work on the business premises.
Disciplinary Procedures
Statement and purpose of policy
- Employees are expected to know the standard of conduct or work expected of them.
- This policy and procedure for Shoorah Ltd (the Employer, we, our or us) is non-contractual and sets out how any issues with employee standards of conduct, attendance and job performance will be dealt with. The aim of this policy and procedure is to ensure consistent and fair treatment for all employees. If you have any queries in respect of this procedure contact your line manager or the HR Department.
- This procedure applies to all employees regardless of length of service. It does not apply to agency workers or self-employed contractors.
- This procedure does not form part of your contract of employment and it may be amended at any time. We may also vary this procedure, including any time limits, as appropriate in any case.
Informal discussions
- For minor issues, where possible and appropriate, we will initially deal with disciplinary matters informally. This will take the form of your line manager speaking with you in confidence about the disciplinary issue(s), making a confidential note for your personal file and monitoring you informally to see if there is an improvement. Only if this does not resolve the issue(s), or the matter cannot be dealt with adequately informally, will we start the formal procedure.
Confidentiality
- Disciplinary matters will be dealt with confidentially, so far as is reasonably possible and employees should keep confidential any information they learn in relation to any disciplinary matter (unless they are the subject of the investigation and disclosure is required to prepare for a meeting under this procedure).
- You, and anyone accompanying you (including witnesses), must not make electronic recordings of any meetings or hearings conducted under this procedure.
Investigations
- We may conduct preliminary investigations into the alleged disciplinary issue. The purpose of an investigation is for us to establish a fair and balanced view of the facts relating to any disciplinary allegations against you, before deciding whether to proceed with a disciplinary hearing. The amount of investigation required will depend on the nature of the allegations and will vary from case to case. It may involve interviewing and taking statements from you and any witnesses, and/or reviewing relevant documents.
- Investigative interviews are solely for the purpose of fact-finding and no decision on disciplinary action will be taken until after a disciplinary hearing has been held.
- You do not normally have the right to bring a companion to an investigative interview, if we choose to hold one. However, we may allow you to bring a companion if it helps you to overcome any disability, or any difficulty in understanding the allegations against you.
- You must cooperate fully and promptly in any investigation. This will include informing us of the names of any relevant witnesses, disclosing any relevant documents to us and attending investigative interviews if required.
Criminal allegations
- Where your conduct is the subject of a criminal investigation, charge or conviction we may investigate the facts before deciding whether to take formal disciplinary action.
- We will not usually wait for the outcome of any prosecution before deciding what action, if any, to take. Where you are unable or have been advised not to attend a disciplinary hearing or say anything about a pending criminal matter, we may have to take a decision based on the available evidence.
- A criminal investigation, charge or conviction relating to conduct outside work may be treated as a disciplinary matter if we consider that it is relevant to your employment.
Suspension
- In some circumstances, we may need to suspend you from work. The period of suspension will be as short as is reasonably practicable in the circumstances and is not a disciplinary penalty, or an indication as to the decision that will be made once the investigations have been completed by us. We will confirm the arrangements to you in writing.
- You agree that, whilst suspended from work, you will not contact our clients, employees, suppliers or other business contacts of the Employer.
- During suspension, you will continue to receive your normal pay and benefits except for:
- The employee will not be able to access or use the following benefit(s):
- Work laptop.
- Work mobile phone.
- Gym.
- Canteen.
- Company car.
- All Shoorah software.
- Certain aspects of performance-based pay or benefit(s) such as:
- Bonuses.
- Commissions.
- Discretionary shares or options.
- Rights under any incentive plan.
Notification of a hearing
- Following any investigation, if we consider there are grounds for disciplinary action, we will invite you to attend a disciplinary hearing. We will inform you in writing of the allegations against you, the basis for those allegations, and what the likely range of consequences will be if we decide after the hearing that the allegations are true. We will also include the following where appropriate:
- a summary of relevant information gathered during the investigation;
- a copy of any relevant documents which will be used at the disciplinary hearing; and
- a copy of any relevant witness statements, except where a witness’ identity is to be kept confidential, in which case we will give you as much information as possible while maintaining confidentiality.
- We will give you written notice of the date, time and place of the disciplinary hearing. The hearing will be held as soon as reasonably practicable, but you will be given a reasonable amount of time to prepare your case based on the information we have given you.
Bringing a companion to the hearing
- You may bring a companion to any disciplinary hearing or appeal hearing under this procedure. The companion may be either a trade union representative or a colleague. You must tell your line manager or the HR Department who your chosen companion is, in good time before the hearing.
- You should advise us of the identity of the companion (or any change in your choice of companion) and whether you will require any special adjustments to be made for you or your companion’s attendance, at least 24 hours before the start of the formal meeting.
- We encourage you to bring your choice of colleague, trade union representative or trade union official to formal meetings under this procedure, but you should bear in mind how practical it is for your choice of companion to attend and consider if there is a suitable and available individual who is geographically close to where the meeting is to be held, rather than first considering an individual geographically based further away.
- The role of the companion in a formal meeting is to make notes, confer with the employee and if the employee requests it, to address the hearing to state the employee’s case and respond to any views expressed at the meeting.
- The companion does not have the right to answer questions or address the hearing if the employee does not request this and must not prevent us from explaining our case.
Procedure at disciplinary hearings
- If your choice of companion is unable to attend the hearing, you should inform us as soon as possible and we will arrange an alternative time. You must make every effort to attend the hearing, and failure to attend without good reason may be treated as misconduct in itself. If you fail to attend without good reason, or are persistently unable to do so (for example for health reasons), we may have to take a decision based on the available evidence.
- The hearing will be chaired by Managing Directors and C panel.
- At the disciplinary hearing we will go through the allegations against you and the evidence that has been gathered. You will be able to respond and present any evidence of your own. Your companion may make representations to us and ask questions, but should not answer questions on your behalf. You may confer privately with your companion at any time during the hearing.
- You may ask relevant witnesses to appear at the hearing, provided you give us sufficient advance notice to arrange their attendance. You will be given the opportunity to respond to any information given by a witness.
- We may adjourn the disciplinary hearing if we need to carry out any further investigations such as re-interviewing witnesses in the light of any new points you have raised at the hearing. You will be given a reasonable opportunity to consider any new information obtained before the hearing is reconvened.
- We will inform you in writing of our decision and our reasons for it, usually within 1 week of the disciplinary hearing. Where possible we will also explain this information to you in person.
Disciplinary penalties
- The usual penalties for misconduct are set out below. No penalty should be imposed without a hearing. We aim to treat all employees fairly and consistently, and a penalty imposed on another employee for similar misconduct will usually be taken into account but should not be treated as a precedent. Each case will be assessed on its own merits.
- You will not normally be dismissed for a first act of misconduct, unless we decide it amounts to gross misconduct or you have not yet completed your probationary period.
- Stage 1 – First written warning. A first written warning may be authorised by us. It will usually be appropriate for a first act of misconduct where there are no other active written warnings on your disciplinary record.
- Stage 2 – Final written warning. A final written warning may be authorised by us. It will usually be appropriate for:
- misconduct where there is already an active written warning on your record; or
- misconduct that we consider sufficiently serious to warrant a final written warning even though there are no other active warnings on your record.
- Stage 3 – Dismissal. Dismissal may be authorised by us. It will usually only be appropriate for:
- any misconduct during your probationary period;
- further misconduct where there is an active final written warning on your record; or
- any gross misconduct regardless of whether there are active warnings on your record. Gross misconduct will usually result in immediate dismissal without notice or payment in lieu of notice (summary dismissal). Examples of gross misconduct are set out below.
- Alternatives to dismissal. In some cases, we may at our discretion consider alternatives to dismissal. These may be authorised by us and will usually be accompanied by a final written warning. Examples include:
- Demotion.
- Transfer to another department or job.
- A period of suspension without pay.
- Loss of seniority.
- Reduction in pay.
- Loss of future pay increment or bonus.
- Loss of overtime.
The effect of a warning
- Written warnings will set out the nature of the misconduct, the change in behaviour required, the period for which the warning will remain active, and the likely consequences of further misconduct in that active period.
- A first written warning will usually remain active for 6 months and a final written warning will usually remain active for 12 months. In exceptional circumstances, a final written warning may state that it will remain active indefinitely. Your conduct may be reviewed at the end of a warning’s active period and if it has not improved sufficiently we may decide to extend the active period.
- After the active period, the warning will remain permanently on your personnel file but will be disregarded in deciding the outcome of future disciplinary proceedings.
Gross misconduct
- If you are accused of an act of gross misconduct, you may be suspended from work while the alleged offence is investigated by us.
- If, on completion of the investigation and a formal meeting, the Employer is satisfied that gross misconduct has occurred, the result will normally be summary dismissal without notice or payment in lieu of notice.
- The following is a non-exhaustive list of the type of offences which are normally regarded as gross misconduct, together with any other behaviours which in the reasonable opinion of the Employer constitute gross misconduct:
- any form of dishonesty, including theft or fraud;
- physical violence or assault;
- deliberate damage to Employer property;
- breaking any law, even outside of work, which could bring the Employer into disrepute;
- repeated or serious failure to follow reasonable instructions given by the Employer or repeated or serious failure to comply with the terms of your contract of employment or the Employer’s policies and procedures;
- discrimination, harassment, victimisation or bullying of staff, customers, suppliers or other third parties;
- committing an act of arson;
- misusing confidential information acquired during and as a result of your employment;
- failing to devote all working time and effort to the Employer or being disloyal to the Employer whilst employed by us;
- a serious or repeated breach of the Employer’s Health and Safety Policy contained within this Staff Handbook;
- accepting bribes; and/or
- being under the influence of drink or drugs at work, so as not to be able to perform contractual duties.
Appeals
- An employee will be advised about their right of appeal whenever a decision is made under this procedure. An employee who wishes to appeal against a disciplinary decision must do so in writing as directed by the Employer when they are informed by the Employer of the disciplinary decision, within 5 working days.
- A manager who has not been involved with the process until this stage will invite the employee to an appeal hearing where the process above will be reapplied. At the appeal hearing, any disciplinary penalty imposed will be reviewed or the case reheard, at the Employer’s discretion.
- The employee will be informed in writing of the result of their appeal, usually within 5 working days. Our decision on the appeal is final.
- If the employee appeals a dismissal, their employment will not continue whilst the appeal process is taking place. However, if the appeal is successful the employee will be reinstated with no loss of continuity of employment or pay.
OTHER POLICIES
Environmental Policy
Statement and purpose of policy
- Shoorah Ltd (the Employer, we or our) recognises that it has a responsibility to the environment beyond legal and regulatory requirements. We are committed to reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods.
Responsibility
- HR is responsible for ensuring that this Environmental Policy is implemented; however, all employees have a responsibility in their area to ensure that the aims and objectives of this policy are met.
Policy aims
- We endeavour to:
- Comply with all relevant regulatory requirements.
- Continually improve and monitor environmental performance.
- Continually improve and reduce environmental impacts.
- Incorporate environmental factors into business decisions.
- Increase employee awareness through training.
Energy and water
- We will seek to:
- Reduce the amount of energy used as much as possible.
- Switch off lights and electrical equipment when not in use.
- Adjust heating with energy consumption in mind.
- Take energy consumption and efficiency of new products into account when purchasing them.
Office supplies
- We will:
- Evaluate if the need can be met in another way.
- Evaluate if renting or sharing is an option before purchasing equipment.
- Evaluate the environmental impact of any new products we intend to purchase.
- Favour more environmentally friendly and efficient products wherever possible.
- Reuse and recycle everything we are able to.
Transportation
- We will:
- Reduce the need to travel, restricting to necessary trips only.
- Promote the use of travel alternatives such as email or video/phone conferencing.
- Make additional efforts to accommodate the needs of those using public transport or bicycles.
- Favour ‘green’ vehicles and maintain them rigorously to ensure ongoing efficiency.
Maintenance and cleaning
- We will:
- Use cleaning materials that are as environmentally friendly as possible.
- Use materials in any office refurbishment that are as environmentally friendly as possible.
- Only use licensed and appropriate organisations to dispose of waste.
Monitoring and improvement
- We will:
- Comply with all relevant regulatory requirements.
- Continually improve and monitor environmental performance.
- Continually improve and reduce environmental impacts.
- Incorporate environmental factors into business decisions.
- Increase employee awareness through training.
- Review this policy and any related business issues at monthly management meetings.
Culture
- We will:
- Update this policy at least once annually in consultation with staff and other stakeholders where necessary.
- Involve staff in the implementation of this policy, for greater commitment and improved performance.
Lorri Haines CEO
Date of signature
EXISTING POLICIES
In addition to the policies contained within this Staff Handbook, Shoorah Ltd has the following policies in place:
- Shared Parental Leave Policy
- Parental Leave Policy
- Data Retention Policy
- Communications and Equipment Policy
These policies are available from your line manager or the HR Department.
ENVIRONMENTAL POLICY
Shoorah Ltd recognises that it has a responsibility to the environment beyond legal and regulatory requirements. We are committed to reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods.
Responsibility
Lorri Haines, CEO, is responsible for ensuring that this environmental policy is implemented; however, all employees have a responsibility in their area to ensure that the aims and objectives of this policy are met.
Policy aims
We endeavour to:
- Comply with all relevant regulatory requirements.
- Continually improve and monitor environmental performance.
- Continually improve and reduce environmental impacts.
- Incorporate environmental factors into business decisions.
- Increase employee awareness and training.
Paper
We will:
- Minimise the use of paper in the office.
- Reduce packaging as much as possible.
- Seek to buy recycled and recyclable paper products.
- Reuse and recycle all paper where possible.
Energy and water
We endeavour to:
- Comply with all relevant regulatory requirements.
- Continually improve and monitor environmental performance.
- Continually improve and reduce environmental impacts.
- Incorporate environmental factors into business decisions.
- Increase employee awareness and training.
Office supplies
We will:
- Evaluate if the need can be met in another way.
- Evaluate if renting or sharing is an option before purchasing equipment.
- Evaluate the environmental impact of any new products we intend to purchase.
- Favour more environmentally friendly and efficient products wherever possible.
- Reuse and recycle everything we are able to.
Transportation
We will:
- Reduce the need to travel, restricting to necessary trips only.
- Promote the use of travel alternatives such as e-mail or video/phone conferencing.
- Make additional efforts to accommodate the needs of those using public transport or bicycles.
- Favour ‘green’ vehicles and maintain them rigorously to ensure ongoing efficiency.
Maintenance and cleaning
We will:
- Use cleaning materials that are as environmentally friendly as possible.
- Use materials in any office refurbishment that are as environmentally friendly as possible.
- Only use licensed and appropriate organisations to dispose of waste.
Monitoring and improvement
We will:
- Comply with all relevant regulatory requirements.
- Continually improve and monitor environmental performance.
- Continually improve and reduce environmental impacts.
- Incorporate environmental factors into business decisions.
- Increase employee awareness through training.
- Review this policy and any related business issues at monthly management meetings.
Culture
We will:
- Update this policy at least once annually in consultation with staff and other stakeholders where necessary.
- Involve staff in the implementation of this policy, for greater commitment and improved performance.
- Use local labour and materials where available to reduce CO2 and help the community.

Lorri Haines
CEO
16/06/2023
Date of signature
EQUAL OPPORTUNITIES POLICY
Statement of policy and purpose of policy
- Shoorah Ltd (the Employer) is committed to equal opportunities for all staff and applicants.
- It is our policy that all employment decisions are based on merit and the legitimate business needs of the organisation. The Employer does not discriminate on the basis of race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, marital or civil partner status, pregnancy or maternity, disability, religion or belief, age or any other ground on which it is or becomes unlawful to discriminate under the laws of England, Wales and Scotland (referred to as Protected Characteristics).
- Our intention is to enable all our staff to work in an environment which allows them to fulfil their potential without fear of discrimination, harassment or victimisation. The Employer’s commitment to equal opportunities extends to all aspects of the working relationship including:
- recruitment and selection procedures;
- terms of employment, including pay, conditions and benefits;
- training, appraisals, career development and promotion;
- work practices, conduct issues, allocation of tasks, discipline and grievances;
- work-related social events; and
- termination of employment and matters after termination, including references.
- This policy is intended to help the Employer achieve its diversity and anti-discrimination aims by clarifying the responsibilities and duties of all staff in respect of equal opportunities and discrimination. The Employer will promote effective communication and consultation between the Employer and staff concerning equal opportunities by means it considers appropriate.
- The principles of non-discrimination and equal opportunities also apply to the way in which staff treat visitors, clients, customers, suppliers and former staff members.
- This is a statement of policy only and does not form part of your contract of employment. This policy may be amended at any time by the Employer, in its absolute discretion.
Who is responsible for equal opportunities?
- Achieving an equal opportunities workplace is a collective task shared between the Employer and all its staff. This policy and the rules contained in it therefore apply to all staff of the Employer irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers or interns (referred to as Staff).
- The board of directors of the Employer has overall responsibility for this policy and for equal opportunities and discrimination law compliance in the workplace, and Lorri Haines has been appointed as the person with day-to-day operational responsibility for these matters.
- All Staff have personal responsibility to ensure compliance with this policy, to treat colleagues with dignity at all times and not to discriminate against or harass other members of Staff, visitors, clients, customers, suppliers and former staff members. In addition, Staff who take part in management, recruitment, selection, promotion, training and other aspects of career development (referred to as Managers) have special responsibility for leading by example and ensuring compliance.
- Managers must take all necessary steps to:
- promote the objective of equal opportunities and the values set out in this policy;
- ensure that their own behaviour and that of the Staff they manage comply in full with this policy; and
- ensure that any complaints of discrimination, victimisation or harassment (including against themselves) are dealt with appropriately and are not suppressed or disregarded.
What is discrimination?
- Discrimination occurs in different ways, some more obvious than others. Discrimination on the grounds of any of the Protected Characteristics is prohibited by law, even if unintentional, unless a particular exception applies.
Direct discrimination
- Direct Discrimination is less favourable treatment because of one of the Protected Characteristics. Examples would include refusing a woman a job as a chauffeur because you believe that women are not good drivers or restricting recruitment to persons under 40 because you want to have a young and dynamic workforce.
- Direct discrimination can arise in some cases even though the person complaining does not actually possess the Protected Characteristic but is perceived to have it or associates with other people who do. For example, when a person is less favourably treated because they are (wrongly) believed to be homosexual or because they have a spouse who is Muslim.
Indirect discrimination
- Indirect discrimination arises when an employer applies an apparently neutral provision, criterion or practice which in fact puts individuals with a particular Protected Characteristic at a disadvantage statistically, and this is unjustified. To show discrimination the individual complaining also has to be personally disadvantaged. An example would be a requirement for job candidates to have ten years’ experience in a particular role, since this will be harder for young people to satisfy. This kind of discrimination is unlawful unless it is a proportionate means of achieving a legitimate aim.
Victimisation
- Victimisation means treating a person less favourably because they have made a complaint of discrimination or have provided information in connection with a complaint or because they might do one of these things.
Harassment
- Harassment is defined as unwanted conduct related to a relevant Protected Characteristic (within the Equality Act 2010) which has the effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual.
- Unlawful harassment may involve conduct of a sexual nature or it may be related to age, race, colour or nationality, ethnic or national origins, sex, gender reassignment, sexual orientation, disability, religion or belief, pregnancy or maternity.
- Harassment can arise in some cases even though the person complaining does not actually possess a Protected Characteristic but is perceived to have it (for example, when a person is harassed because they are (wrongly) believed to be homosexual) or associates with other people who possess a Protected Characteristic (for example, because they have a spouse who is Muslim).
- A person may also be subject to harassment even if they were not the intended target. For example, a person may be harassed by a sexist joke about a different gender if it created an offensive environment for them to work in.
- Harassment may include:
- use of insults or slurs based on a Protected Characteristic or of a sexual nature or other verbal abuse or derogatory, offensive or stereotyping jokes or remarks;
- physical or verbal abuse, threatening or intimidating behaviour because of a Protected Characteristic or behaviour of a sexual nature;
- unwelcome physical contact including touching, hugging, kissing, pinching or patting, brushing past, invading personal space, pushing, grabbing or other assaults;
- mocking, mimicking or belittling a person’s disability, appearance, accent or other personal characteristics;
- unwelcome requests for sexual acts or favours; verbal sexual advances, vulgar, sexual, suggestive or explicit comments or behaviour;
- repeated requests, either explicitly or implicitly, for dates;
- repeated requests for social contact, or requests after it has been made clear that requests are unwelcome;
- comments about body parts or sexual preference;
- displaying or distributing offensive or explicit pictures, items or materials relating to a Protected Characteristic or of a sexual nature;
- shunning or ostracising someone, for example, by deliberately excluding them from conversations or activities;
- ‘outing’ or threatening to ‘out’ someone’s sexual orientation (i.e. to make it known);
- explicit or implicit suggestions that employment status or progression is related to toleration of, or acquiescence to sexual advances, or other behaviour amounting to harassment;
- racist, sexist, homophobic or ageist jokes, and stereotypical remarks about a particular ethnic or religious group or gender;
- posters, graffiti, obscene gestures, flags and emblems; and
- isolation from normal work or study places, conversations or social events.
- Other important points to note about harassment:
- a single incident can amount to harassment;
- behaviour that has continued for a long period without complaint can amount to harassment;
- it is not necessary for an individual to intend to harass someone for their behaviour to amount to harassment;
- it is not necessary for an individual to communicate that behaviour is unwelcome before it amounts to harassment; and
- the onus is on each individual to be certain that their behaviour and conduct are appropriate and not unwanted and, in the case of doubt, you must refrain from such conduct.
Disability discrimination
- This could be direct or indirect discrimination, and is any unjustified less favourable treatment because of the effects of a disability, and failure to make reasonable adjustments to alleviate disadvantages caused by a disability.
Disabled persons
- Any Staff member who considers that they may have a disability is strongly encouraged to speak with Lorri Haines, particularly if they experience difficulties at work because of their disability, so that any reasonable adjustments to help overcome or minimise difficulties can be discussed. For these purposes, disability includes any physical or mental impairment which substantially affects your ability to perform day to day activities and has lasted (or is likely to last) more than 12 months. Disclosure of this information will be treated in confidence, if you wish it to be, so far as is reasonably practicable and we will do our best to handle matters sensitively and to ensure that you are treated with dignity and with respect for your privacy.
- We will consult with you about whether adjustments are needed to avoid you being disadvantaged and may ask you to see a doctor appointed by us, to advise on this. We will seek to accommodate your needs within reason. If we consider a particular adjustment unreasonable we will explain why and try to find an alternative solution.
- Managers with responsibility for managing a member of Staff who they know or think to be disabled should speak to Lorri Haines to ensure that all relevant duties are complied with.
Making employment decisions fairly
- As noted above, the Employer will recruit employees and make other employment decisions concerning promotion, training, dismissal and related issues on the basis of objective criteria.
- Managers should only stipulate criteria or conditions for employment decisions (including job selection, promotion and redundancy) which are based on a legitimate business need and which do not go further than is needed to satisfy that need. If you are in any doubt about whether particular criteria or conditions are indirectly discriminatory or justifiable, then please speak to Lorri Haines.
Recruitment
- Managers involved in recruitment must:
- specify only recruitment criteria that are relevant to the job, reflect genuine business needs and are proportionate. More than one person should be involved in shortlisting of applicants wherever practicable;
- ensure that vacancies are advertised to a diverse audience and try to avoid informal recruitment methods that exclude fair competition. In very rare cases, it may be legitimate and necessary to restrict recruitment to a particular role to certain groups, but it is essential that this is discussed with Lorri Haines so that appropriate steps can be taken to ensure legality;
- review job advertisements carefully to ensure that stereotyping is avoided and that particular groups are not unjustifiably discouraged from applying;
- not ask applicants about health or disability before a job offer is made (other than in exceptional circumstances and after having been approved by Lorri Haines). If necessary, a job offer can be expressed to be conditional upon satisfactorily passing a medical check;
- not ask candidates about any Protected Characteristic if the question may demonstrate an intention to discriminate. For example, candidates should not be asked about current or future pregnancy, childcare or related matters;
- not make assumptions about immigration status based on appearance, accent or apparent nationality; and
- so far as reasonably practicable, keep a written record of their reasons for relevant decisions.
- The Employer is legally required to verify that all employees have the right to work in the UK. Prior to starting employment, all employees must produce original documents to the Employer’s satisfaction, irrespective of nationality. Information about the documents required is available from the CEO.
- The Employer monitors applicants’ sex, sexual orientation, ethnic group, disability, religion and age as part of our recruitment process. We do this to assess the effectiveness of our measures to promote equal opportunities and to help us identify and take appropriate steps to avoid discrimination, under-representation and potential disadvantage and improve diversity. Provision of this information is voluntary and the information is kept in an anonymised format solely for the purposes stated here. The information will not be used as part of any decision-making process relating to the recruitment or employment of the person providing the information. Our recruitment policies must be reviewed at regular intervals to ensure people are being treated fairly and according to ability and merit.
Staff training, career development and promotion
- Training needs may be identified during the normal appraisal process. Appropriate training to facilitate progression will be accessible to all staff.
- All promotion decisions will be made on the basis of merit and according to proportionate criteria determined by legitimate business need.
- Staff diversity at different levels of the organisation will be kept under review to ensure equality of opportunity. Where unjustified barriers to progression are identified, these will be removed.
Conditions of service
- Access to benefits and facilities and terms of employment will be kept under review to ensure that they are appropriately structured and that no unlawful barriers to qualification or access exist.
Discipline and termination of employment
- Any redundancy selection criteria and procedures that are used, or other decisions taken to terminate employment, will be fair and not directly or indirectly discriminatory.
- Disciplinary procedures and penalties will be applied without discrimination, whether they result in disciplinary warnings, dismissal or other disciplinary action.
Discipline and termination of employment
- Part-time and fixed-term staff will be treated the same as full-time or permanent staff of the same position and enjoy no less favourable terms and conditions (pro-rata, where appropriate), unless different treatment is justified.
What to do if you encounter discrimination
- If you believe that you have been the victim of discrimination, you should follow the Employer’s Grievance Procedure.
- Every member of Staff has a responsibility to combat discrimination if they encounter it. Staff who observe or are aware of acts that they believe amount to discrimination directed at others are encouraged to report these to Lorri Haines.
- Any grievance or report raised about discrimination will be kept confidential so far as this is practicable. We may ask you if you wish your complaint(s) to be put to the alleged discriminator if disciplinary action appears to be appropriate. It sometimes may be necessary to disclose the complaint or take action even if this is not in line with your wishes, but we will seek to protect you from victimisation and, if you wish, we will seek to protect your identity. You should be aware that disciplinary action may be impossible without your co-operation or if you refuse to allow relevant information to be disclosed.
- Staff who raise a complaint about or report discrimination in good faith will be protected from retaliation or victimisation. As long as you act in good faith, the fact that you have raised a complaint or report will not affect your position within the Employer, even if the complaint is not upheld. Making a false allegation deliberately and in bad faith is a misconduct offence and will be dealt with in accordance with our disciplinary policy. Any member of Staff who attempts acts of retaliation or victimisation may be subject to disciplinary action up to and including summary dismissal for gross misconduct.
- If you make a complaint, it may be necessary to ask you to stay at home on paid leave while investigations are being conducted and the matter is being dealt with through the appropriate procedure. This may particularly be necessary in cases of alleged harassment.
Non-compliance with equal opportunities rules
- Any breach of equal opportunities rules or failure to comply with this policy will be taken very seriously and is likely to result in disciplinary action against the offender, up to and including immediate dismissal.
- Staff should also note that:
- in some cases, they may be personally liable for their acts of discrimination and that legal action may be taken against them directly by the victim of any discrimination; and
- it may be a criminal offence intentionally to harass another employee.
Review of this policy
- The board of directors of the Employer will keep this policy under review.
- The Employer encourages Staff to comment on this policy and suggest ways in which it might be improved or ask any questions if they are unsure about any part of this policy or how it is applied by contacting Lorri Haines.
Attribution
- This Equal Opportunities Policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
Infection Control Policy for Shoorah Ltd
Purpose
The purpose of this Infection Control Policy is to minimise the risk of infection within Shoorah Ltd by establishing guidelines and procedures that protect employees, clients, and visitors.
Scope
This policy applies to all employees, contractors, and visitors at Shoorah Ltd.
Policy Statement
Shoorah Ltd is committed to maintaining a safe and healthy environment. We adhere to best practices in infection control to prevent the spread of infectious diseases.
Infection Control Guidelines
Personal Hygiene
Employees must wash hands regularly with soap and water for at least 20 seconds, especially after using the restroom, before eating, and after coughing or sneezing.
Hand sanitizers should be used when soap and water are not available.
Respiratory Hygiene
Employees should cover their mouths and noses with a tissue or their elbow when coughing or sneezing.
Used tissues should be disposed of immediately, and hands should be sanitized afterward.
Sick Leave Policy
Employees are encouraged to stay home if they are feeling unwell or displaying symptoms of an infectious illness.
A clear sick leave policy will be communicated to all employees to facilitate this practice.
Cleaning and Disinfection
Regular cleaning and disinfection of common areas, equipment, and surfaces will be conducted, particularly in high-touch areas.
A schedule for routine cleaning should be established and maintained.
Training and Awareness
Regular training sessions will be provided to educate employees about infection control practices and the importance of following these guidelines.
Informational materials will be made available to reinforce best practices.
Personal Protective Equipment (PPE)
Appropriate PPE will be provided as necessary based on the nature of work and potential exposure to infectious agents.
Employees must be trained in the proper use and disposal of PPE if required.
Monitoring and Reporting
Employees are encouraged to report any concerns regarding infection control practices or potential outbreaks to management.
The company CEO will act as the designated infection control officer and will oversee compliance with this policy and address any reported issues.
Visitor Protocols
Visitors must adhere to the same hygiene and safety protocols as employees.
Any visitors displaying symptoms of illness may be asked to postpone their visit.
Emergency Procedures
In the event of a confirmed infectious disease outbreak, specific emergency procedures will be implemented, including communication with public health authorities.
Review and Amendment
This policy will be reviewed annually and updated as necessary to reflect current guidelines and best practices in infection control.
Approval
This policy has been approved by the management team of Shoorah Ltd.
Personal Data Breach Notification Procedure
Objective
This Personal Data Breach Notification Procedure outlines the steps to be followed in the event of a personal data breach as required by the General Data Protection Regulation (GDPR). The procedure aims to ensure prompt and appropriate notification to affected individuals and relevant authorities to mitigate the impact of the breach and uphold the rights and freedoms of individuals.
Scope
This procedure applies to all employees, contractors, and data processors of Shoorah Ltd who handle or have access to personal data. It covers all breaches involving accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
Personal Data Breach Notification Procedure
Definitions
Personal Data: Personal data refers to any information relating to an identified or identifiable natural person, such as names, identification numbers, contact details, financial information, health data, etc.
Personal Data Breach: A personal data breach refers to a breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
Reporting a Personal Data Breach
Any employee, contractor, or data processor who becomes aware of a personal data breach must immediately report it to the designated Data Protection Officer (DPO) or the Privacy Officer.
The report should include details such as the date, time, and description of the breach, the type of personal data involved, and any known or suspected causes.
Assessment and Investigation
The Privacy Officer will promptly initiate an assessment and investigation upon receiving a personal data breach report.
The investigation will determine the nature and scope of the breach, assess potential risks and impacts on individuals’ rights and freedoms, identify affected individuals, and establish the cause and source of the breach.
Breach Notification
Notification to Supervisory Authority:
In the event of a personal data breach, where it is likely to result in a risk to the rights and freedoms of individuals, Shoorah Ltd will notify the relevant Supervisory Authority within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
The notification will include details of the breach, the approximate number of affected individuals, the likely consequences, and any measures taken or proposed to address the breach.
Notification to Affected Individuals:
If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, Shoorah Ltd will notify the affected individuals without undue delay.
The notification will include a description of the breach, the type of personal data involved, potential risks or impacts, recommended actions for individuals to mitigate harm, and contact information for further inquiries.
Mitigation and Remediation
Shoorah Ltd will take immediate and appropriate actions to mitigate the impact of the personal data breach and prevent further unauthorized access or harm.
This may include but is not limited to:
Implementing additional security measures
Recovering or restoring the personal data
Coordinating with relevant authorities and stakeholders
Offering support services to affected individuals, such as identity theft protection or credit monitoring, where necessary.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Privacy Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Personal Data Breach Notification Procedure.
Privacy By Design Policy
Objective
The objective of this policy is to outline the principles and practices for protecting the privacy of personal information in the design, development, and delivery of Shoorah Ltd products and services. Privacy by Design is to proactively protect the privacy of individuals by minimizing the amount of personal data collected, ensuring that the data collected is used only for the intended purpose, and implementing strong security measures to prevent unauthorized access or disclosure.
Scope
This policy applies to all employees, contractors, and third-party service providers who handle personal information in the course of their work for our organization.
Policy Statement
At Shoorah Ltd, we are committed to safeguarding the privacy and security of personal information. We believe in integrating privacy considerations into our products, services, and business processes from the earliest stages of development. This Privacy by Design policy outlines our commitment to protecting personal information and our approach to embedding privacy protections into our operations.
Principles
Our organization is committed to the following Privacy by Design principles:
- Proactive, not Reactive: Privacy considerations are integrated into all aspects of our products and services, from the initial design phase through to end-of-life.
- Privacy as the Default Setting: Our products and services are designed to minimize the collection and use of personal information and to make privacy the default setting.
- Privacy Embedded into Design: Privacy considerations are incorporated into the design and architecture of our products and services, including security measures to protect personal information from unauthorized access, use, and disclosure.
- End-to-End Security: Our products and services are designed to ensure end-to-end security of personal information, from collection to storage, use, and disposal.
- Transparency and User Control: We provide clear and concise information about our privacy practices, including how personal information is collected, used, and disclosed, and give individuals control over their personal information.
- Respect for User Privacy: We respect the privacy of individuals and do not use personal information for any purpose other than the intended purpose.
Procedures
To implement these principles, Shoorah Ltd will:
- Conduct privacy impact assessments (PIAs) to identify and mitigate privacy risks associated with our products and services.
- Implement data minimization practices to limit the collection, use, and retention of personal information to only what is necessary to provide the intended product or service and in accordance with the Data Protection Policy.
- Provide clear and concise privacy notices that explain our collection, use, and disclosure practices to individuals.
- Obtain the appropriate consent from individuals before collecting or using their personal information, where required by law.
- Implement appropriate technical and organizational security measures to protect personal information from unauthorized access, use, and disclosure.
- Regularly review and update our Privacy by Design Policy and related procedures to ensure ongoing compliance with applicable laws and regulations.
Training and Accountability
Shoorah Ltd will provide training and resources to employees, contractors, and third-party service providers to ensure they understand their roles and responsibilities under this policy. We will also hold individuals accountable for complying with this policy and related procedures and take appropriate disciplinary action for non-compliance.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Privacy Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Privacy By Design Policy.
SHARED PARENTAL LEAVE POLICY
Statement and purpose of policy
Shoorah Ltd (‘we’ or ‘us’) recognises and respects the rights of parents to take time away from work in connection with childbirth. No employee will be subjected to a detriment for exercising their right to take Shared Parental Leave (‘SPL’) in accordance with this policy or for seeking to do so.
The purpose of this policy is to ensure that staff and managers are clear about entitlements to SPL, the process that should be followed for arranging leave and the terms that apply during and after SPL.
This policy is intended to summarise your statutory rights. If there is a contradiction between this policy and the statutory SPL entitlements, this policy shall be amended, as necessary, to comply with legislative requirements.
This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
What SPL is and who qualifies
SPL offers parents the flexibility to choose how to share the care of their child during the twelve months following the child’s birth, giving qualifying employees up to 50 weeks SPL during those twelve months.
A mother can start SPL after the first two weeks following childbirth. The father/partner can take SPL immediately after the child’s birth, but may wish to exhaust paternity leave and pay entitlements first, as these rights are lost if any SPL or Shared Parental Pay (ShPP) is taken first.
The number of SPL weeks is calculated by looking at how many weeks the mother has reduced their maximum 52-week maternity leave entitlement by. For the same number of weeks of the reduction, the mother and/or their partner may opt-in and take those weeks as SPL. A mother can reduce their entitlement to maternity leave by returning to work before the 52 weeks has been taken, or by giving notice that their leave will end on a set future date.
If a mother gives notice of maternity leave ending on a set date before the maximum entitlement, the mother’s partner can take leave while the mother is still on maternity leave and/or receiving maternity pay.
Only the mother and either the father of the child or the partner of the child’s mother can qualify for SPL. Both parents must share the main responsibility of childcare at the time of birth and:
the mother must be entitled to statutory maternity leave or statutory maternity pay or maternity allowance and have ended or given notice to reduce maternity entitlements;
you must still be working for us at the start of each period of SPL;
you must pass the ‘continuity test’ which means you have a minimum of 26 weeks’ service at the end of the 15th week before the child’s expected due date;
your partner must meet the ‘employment and earnings test’ which means in the 66 weeks immediately before the child’s expected due date they have worked for at least 26 weeks and earned an average of at least £30 a week in any 13 of those weeks; and
you must correctly notify us of your entitlement and provide evidence as required.
Notification and booking of SPL
You must notify us of your entitlement to SPL and ShPP and book any SPL by giving us notice. You can do both of these things at the same time but you must do both at least eight weeks before you take SPL.
You are encouraged to informally discuss your entitlement and intention to take SPL with Lorri Haines as early as possible, in order that we can best support the requests you make. If you formally notify us that you are entitled to SPL, we may meet with you informally to discuss this, if we have not already.
Whether or not you have had an informal discussion, to notify us of your entitlement to SPL, you must write to your manager at least eight weeks before the SPL start date stating:
your name;
the name of the other parent;
the start and end dates of any maternity leave or pay, or maternity allowance, taken in respect of the child and the total amount of SPL available;
the date on which the child is expected to be born and the actual date of birth;
the amount of SPL you and your partner each intend to take (SPL can only be taken in complete week blocks, but can start on any day of the week); and
a non-binding indication of when you expect to take the leave.
You must provide us with a signed declaration stating:
that you meet or will meet the conditions to take SPL;
that all of the information you have given is correct, full and accurate;
that if you are not the mother of the child, that you are the father of the child or partner of the mother of the child; and
that if for any reason you become ineligible for SPL, you will immediately inform us.
You must provide a signed declaration from your partner stating:
their name, address and national insurance number (or confirmation they do not have a national insurance number);
that they are the mother, father or partner of the mother of the child;
that they satisfy the employment and earnings test above and, at the date of the child’s birth, shared parental responsibility with you;
that they consent to the amount of SPL you are requesting to take;
that they consent to us processing the information in the declaration form; and
if they are the mother, that they will inform us immediately if they are no longer eligible.
Within 14 days of your SPL request we may require further evidence of your eligibility, which you will need to provide to us within 14 days of our request. This might be:
your partner’s name and their employer’s business address, or your partner’s details if they are no longer employed; and/or
a copy of the child’s birth certificate.
If we have reasonable suspicion that fraudulent information has been provided, or have been informed by HMRC that a fraudulent claim has been made, we will investigate this and start our disciplinary procedure as we deem necessary.
To book SPL you must provide notice of SPL on an SPL booking form available from Lorri Haines as well as notification of entitlement, making sure there is at least eight weeks between your booking notice and the start of SPL.
You are entitled to a maximum of three requests to book or vary SPL and may book a continuous block of SPL, which, provided you satisfy the requirements in this policy and have provided us with the evidence requested, will be confirmed by us to you within 14 days.
You can book two or three blocks of discontinuous leave and work in between, provided you have agreement from us to do this on the dates you request. If you have notified us you wish to take discontinuous leave, which does not require further discussion, agreement to your SPL will be confirmed in writing within 14 days. If further discussion is required, we will usually contact you in writing within 14 days to arrange a meeting on at least two days’ notice where you can be accompanied by a colleague or trade union representative.
The purpose of a meeting with you after we receive your notification and booking notice, is to discuss what will happen in your absence and how we can meet your discontinuous SPL request and if we cannot, whether we can agree a different pattern of leave.
All discontinuous leave notifications will be considered carefully on their individual merits, and the benefits to you as well as negative impacts on the business will be looked at in detail before a decision is made to grant or refuse the leave. No decision made about one employee’s discontinuous SPL shall impact another employee’s request; leave requests will be considered individually at the time they are made.
If a discontinuous leave request is refused by us, you have the right to withdraw your notification within 15 days of giving it, or to take SPL in a continuous block. You have until the 19th day after giving the original notification to choose when your SPL starts, but this must be at least eight weeks after the original notification date. If you do not state a start date your SPL will start on the first date given in your original notification.
You can vary or cancel agreed and booked SPL, provided that you advise us in writing at least eight weeks before the date your leave was supposed to start and give eight weeks’ notice of the new start date for your SPL.
A variation to SPL because of a child being born early or agreed by you on our request, will not reduce the number of new notifications you have the right to make.
Shared Parental Pay (ShPP)
If eligible you may be entitled to take up to 37 weeks ShPP while taking SPL. The number of weeks available will depend on the amount by which the mother reduces their maternity pay period or maternity allowance period. ShPP may be payable during some or all of SPL depending on the length and timing of SPL.
If eligible, you will receive statutory ShPP, at the rate set by the government for the relevant tax year.
To receive ShPP you must qualify for SPL and satisfy the following criteria:
the mother must be/have been entitled to statutory maternity pay or maternity allowance and must have reduced their maternity pay period or maternity allowance period;
you must intend to care for the child during the week in which ShPP is payable;
your average weekly earnings for the period of eight weeks leading up to and including the 15th week before the child’s expected due date must be not less than the lower earnings limit in force for national insurance contributions;
you must remain in continuous employment until the first week of ShPP has begun; and
you must give proper notification as stated in this policy.
You must give Lorri Haines at least eight weeks’ written notice of your entitlement to ShPP and where possible this notice should be given as part of your notice of entitlement to take SPL.
Your notice of entitlement to ShPP must also include:
the start and end dates of any maternity pay or maternity allowance;
the total amount of ShPP available, the amount of ShPP you and your partner each intend to claim, and a non-binding idea of when you expect to claim ShPP; and
your signed declaration that the information you have given is correct, that you meet, or will meet, the criteria for ShPP and that you will immediately inform us should you become ineligible.
Your partner must also sign a declaration to go with your notice of entitlement to ShPP and this must include:
their agreement to you claiming ShPP and for us to process any ShPP payments to you;
(in the case where the partner is the mother) that they have reduced their maternity pay or maternity allowance; and
(in the case where the partner is the mother) that they will immediately inform you should they become ineligible.
Terms and conditions during SPL
During SPL, your contract of employment continues as usual and you are entitled to receive all your contractual benefits, except for salary.
SPL is in addition to your annual leave entitlement. Annual leave should wherever possible be taken in the year that it is accrued. Your line manager will discuss with you when annual leave is best taken around your SPL.
Pension contributions will continue to be made during the time you receive ShPP but not during any period of unpaid SPL. Employee contributions will be based on actual pay, while our contributions will be based on the salary that you would have received had you not been taking SPL.
Contact during SPL
Before your SPL begins, we will discuss means of keeping in touch during your leave. We have the right to make reasonable contact with you during your SPL to discuss matters, which might include: updating you on business developments, possible promotion opportunities, or special arrangements to be made or training to be given on your return to work and how you will return to work.
You can agree to work for us for up to 20 days during SPL without bringing your SPL to an end or affecting your right to claim ShPP. These are known as “Shared Parental Leave In Touch” or “SPLIT” days. Any work carried out on a day or part of a day counts as a day’s work under this policy.
You are not obliged to carry out any work, and we are not obliged to offer you any work, during your SPL. Any work undertaken must be agreed between us. If you work a SPLIT day you will receive full pay for any day worked, so if you are receiving ShPP at the time, this will be ‘topped up’ by your usual pay. You do not gain extra SPL by working a SPLIT day.
Returning to work after SPL
You will be informed in writing of the end date of your SPL and should return on the working day after that date, to avoid your late return being treated as an unauthorised absence. If you cannot return on the agreed date, you should notify us of this in advance. If you cannot work due to sickness or injury, our sickness policy will apply.
If you wish to return to work earlier than the expected return date, you may provide a written notice to vary the leave and must give us at least eight weeks’ notice of your new return date. This will count as one of your notifications. If you have already used your three notifications to book and/or vary leave then we do not have to accept the notice to return early.
On returning to work after SPL, if your total statutory maternity/paternity leave and SPL amounts to 26 weeks or less, you are entitled to return to the same job on the same terms and conditions, as if you had not been absent.
If your maternity/paternity leave and SPL amounts to 26 weeks or more in total, you have the right to return to the same job, or, if this is not reasonably practicable, to a suitable and appropriate job on terms and conditions no less favourable.
If you also take a period of unpaid parental leave of four weeks or less this will have no effect on your right to return to the same job if the total weeks of maternity/paternity and SPL do not exceed 26 weeks.
If a parent takes five weeks of unpaid parental leave, even if the total number of weeks taken on maternity/paternity and SPL do not exceed 26 weeks, you will be entitled to return to the same job, or, if this is not reasonably practicable, to another suitable and appropriate job on terms and conditions no less favourable.
If your situation changes before or during SPL, or you have any questions about anything relating to this policy you should contact Lorri Haines.
Data Protection
Shoorah Ltd processes personal data collected when managing employees’ shared parental leave in accordance with its data protection policy.
In particular, data collected as part of the shared parental leave procedure, and from the point at which an employee informs us that they plan to take shared parental leave, is held securely and accessed by, and disclosed to, individuals only for the purposes of responding to shared parental leave requests and managing shared parental leave.
Inappropriate access or disclosure of Employee data constitutes a data breach and should be reported in accordance with the Employer’s data protection policy immediately. It may also constitute a disciplinary offence, which will be dealt with under the Employer’s disciplinary procedure.
Attribution
This shared parental leave policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
SICKNESS POLICY
Statement and purpose of policy
Shoorah Ltd (‘we’ or ‘us’) recognises that you may not always be fit to attend work or may become ill or be injured at work and so this policy is designed to ensure that instances of sickness are dealt with consistently, fairly and in a non-discriminatory way.
We must ensure that the reasons for sickness absence are understood in each case and investigated, if necessary. We will adopt practical and reasonable measures to assist employees returning to work after sickness absence if we think they would be helpful.
This sickness policy sets out our procedures for reporting and managing sickness absence, whether the absence is for several short illnesses or a long-term illness. All employees must abide by the terms and spirit of this policy.
This policy summarises your statutory rights. If there is a conflict between this policy and the statutory entitlements, this policy is amended, as necessary, to comply with legal requirements.
This is a statement of policy, which applies to employees only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
We process personal data when managing sickness absence and employees’ right to sick pay in accordance with our data protection policy – in particular, our policy on processing ‘special categories of personal data’ (which includes, but is not limited to information about an individual’s health). Data collected as part of this procedure is held securely and accessed by, and disclosed to, individuals only for the purposes of managing sickness absence and administering sick pay. Inappropriate access or disclosure of employee data constitutes a data breach and should be reported in accordance with our data protection policy immediately. It may also constitute a disciplinary offence, which will be dealt with under our disciplinary procedure.
Disabilities
You should inform Lorri Haines if any medical condition affects your ability to do your job or if you are affected by a disability.
We will consider at each stage of our sickness procedure, whether sickness absence is the result of a disability and whether reasonable adjustments will assist with a return to work.
Reporting sickness absence
If you become ill or are injured at work, you should contact Lorri Haines and fill in the accident book if appropriate. If you require basic first aid, you should contact Lorri Haines; otherwise, you should leave work to go home or to receive medical treatment.
If you are ill or injured and cannot attend work you should telephone Lorri Haines no later than 30 minutes before you normally start work, unless an extreme emergency does not allow for this. You should tell Lorri Haines:
- the nature of your illness or injury;
- the expected length of your absence from work; and
- urgent work that requires attention.
Managers should record all sickness absences they are notified of and arrange for any urgent work to be covered until the relevant employee’s return.
Your line manager may contact you during your sickness absence to discuss your health, urgent work being covered in your absence and to be advised, if possible, of your expected return date. This contact will be kept to a minimum to allow you to recover, but you should contact Lorri Haines if you wish to discuss your condition further.
For sickness absence of up to seven days, you must complete a self-certification form, available from Lorri Haines. Where we are concerned about the reason for absence or short-term absence is frequent, we may require a medical certificate for sickness absences of less than one week. In such circumstances, we will cover the costs of this, if you provide your doctor’s invoice. For an absence of more than a week, you must obtain a “Statement of Fitness for Work”/“Fit Note” stating that you are not fit for work and the reason(s) why, and provide this to Lorri Haines. Medical certificates must be provided for the whole time you are away.
If your doctor provides a certificate stating that you “may be fit for work” you should inform Lorri Haines immediately. We will discuss any measures suggested by your doctor to help you return to work, but if suitable arrangements cannot be made you will stay on sick leave and we will set a date to review your situation.
We may, at any time, require you to consent to a medical examination by a doctor nominated by us. You agree that any report produced after such examination may be disclosed to us and that we may discuss the contents of the report with the relevant doctor.
If it is suspected that you are claiming to be unwell whilst absent, but that you are indeed well, or you fail to follow the procedure set out in this policy for reporting sickness absence, your absence will be treated as an unauthorised absence and will be dealt with under our disciplinary policy.
Sick pay
You may qualify for Statutory Sick Pay (SSP) at the rate set by the government, if you satisfy the statutory requirements and provide us with medical certificates as stated in this policy. Qualifying days for SSP are Monday to Friday, or as stated in your employment contract. No payment is made for the first three consecutive days of sickness absence, but from the fourth day, SSP may be payable for up to 28 weeks. If you do not qualify or your SSP entitlement is coming to an end we will give you a form SSP1 telling you why.
If sickness absence is or appears to be caused by a third party and damages are or may be recoverable, you must immediately tell Lorri Haines of that fact and of any claim, settlement or judgment made or awarded in connection with it. If we require you to do so, you must co-operate in any related legal proceedings and refund to us that part of any damages or compensation you recover that relates to lost earnings for the sickness absence we have paid you for.
Any employer and employee pension contributions will continue subject to the relevant scheme rules during any period of SSP.
Returning to work after sickness absence
If you have been on sick leave for more than five days we will arrange for you to have a return-to-work interview with Lorri Haines to confirm the details of your absence and to raise any concerns or questions. The contents of any certificate from your doctor stating you ‘may be fit for work’ will also be discussed at an informal return-to-work interview.
We are committed to helping employees return to work from long-term sickness absences. As part of our sickness absence meetings procedure we will, where appropriate and possible, support a return to work after long-term sickness by:
- obtaining medical advice;
- making reasonable adjustments to the workplace, working practices and working hours;
- considering redeployment; and/or
- agreeing a return-to-work programme.
If you are unable to return to work in the longer term, we will consider whether you are entitled to any benefits under your contract and/or any insurance schemes we operate.
Sickness absence meetings procedure
We will follow this procedure whenever we feel it is necessary, including where:
- you have been absent due to illness on a number of occasions;
- the contents of a return-to-work interview need further discussion; and/or
- you have been absent for more than ten consecutive days.
Lorri Haines will usually give you at least two days’ written notice of why the meeting is being called, the date, time and place of a sickness absence meeting. This notice will give you a reasonable opportunity to consider what will be discussed before the meeting takes place.
You may bring a companion with you to the meeting (a colleague or trade union representative unless we, in our absolute discretion, allow for you to bring someone else to assist in overcoming difficulties caused by a disability or understanding English). You must supply Lorri Haines with the details of your companion at least 24 hours before the start of the meeting. Employees are allowed reasonable time off without loss of pay to act as a companion but are not obliged to. A companion may make representations, ask questions, and sum up your position, but will not be allowed to answer questions on your behalf. You may discuss relevant matters privately with your companion at any time during a meeting.
Failure to attend a meeting or at least to make all reasonable steps to attend a meeting may be treated as misconduct. A meeting may be adjourned if:
- you or your companion are unable to attend at the time set for the meeting and you have immediately informed Lorri Haines;
- Lorri Haines is awaiting receipt of information, needs to gather any further information or give consideration to matters discussed at a previous meeting; or
- you are given new information and so will be given a reasonable opportunity to consider this before the meeting is reconvened.
Decisions, reasons for the decisions and your right of appeal will be confirmed in writing within 14 days of any meeting under this procedure (unless this is not practicable, when it will be provided as soon as is practicable).
Sickness absence meetings
This is a first formal opportunity to discuss reasons for absence, how long an absence is likely to last, the likelihood of recurring absence, whether we should refer you to a doctor, what, if anything, we could do to assist with your attendance at work and when a further review should take place. You may be accompanied at this meeting by a companion, as set out in paragraph 26 of this policy.
Further meeting(s) may be required to discuss:
- reasons for and impact of your ongoing absence(s);
- how long your absence is likely to last and the likelihood of further absences;
- seeking medical advice or considering advice already given and whether further advice is required;
- your ability to return to or remain in your job, looking at your capabilities and any reasonable adjustments we are able to make and looking at our business need;
- redeploying you to a role you could perform without any adjustments, or where we can assist in making reasonable adjustments in order that you could perform the role;
- any benefits you should be considered for if you are unable to return from long-term sickness absence; and
- action that will be taken and when a review and/or further meetings will be held.
Again, you may be accompanied at these meetings by a companion, as set out in paragraph 26 of this policy.
After warning you that you are at risk of dismissal, we may invite you to a final sickness procedure meeting. You may be accompanied at this meeting by a companion, as per paragraph 26 of this policy.
At a final sickness absence meeting, we may discuss the content of previous meetings and any changes since our last meeting under this procedure which could impact on your return. We may discuss whether it is reasonable to expect you to return to work, the hours of work required and a reasonable timescale for this, as well as other relevant matters you would like to discuss. We may also discuss the possible termination of your employment at a final sickness absence meeting, which would normally be on full notice or payment in lieu of notice.
Appeals
You may appeal in writing against the outcome of any meeting during this procedure, setting out your reasons, to Lorri Haines within seven days of the date on which you were sent the decision. You may bring a companion to an appeal meeting (see paragraph 26).
You will usually be given one week’s written notice of an appeal meeting. If new matters are raised in an appeal more investigation may delay the meeting. If there is new information, you will be provided with a copy at least 24 hours before an appeal meeting so that you have a reasonable opportunity to consider it before the meeting.
Where practicable, an appeal meeting will be conducted by a more senior manager than the individual who conducted the sickness absence meeting.
Depending on the circumstances, an appeal meeting may be a complete rehearing of the matter or a review of the original decision.
The final decision will be confirmed in writing, usually within one week of the appeal meeting. There will be no further right of appeal.
The dismissal date will not be delayed whilst the outcome of an appeal is awaited. However, if the appeal is successful, the decision to dismiss will be overturned and there will be no loss of continuity or pay.
Attribution
This sickness policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
WHISTLEBLOWING POLICY
Statement and purpose of Policy
Shoorah Ltd (the Employer, we, our or us) is committed to upholding and providing information about our Staff Members’ rights in relation to making qualified and protected disclosures (i.e. whistleblowing), to help our organisation operate with honesty and integrity. We expect all Staff Members to maintain high standards; however, we recognise that all organisations face the risk of things going wrong from time to time and the risk of unknowingly harbouring illegal or unethical conduct. A culture of openness and accountability is essential for preventing such situations from occurring and for addressing them when they do.
All Staff Members should have the confidence to raise a suspected wrongdoing and should know that it will be taken seriously and investigated as appropriate. Staff Members raising genuine concerns should be able to do so without fear of reprisals, even if the Staff Member turns out to be mistaken.
Any questions in relation to this Policy should be referred to Lorri Haines in the first instance.
Scope of this Policy
This Policy explains the law on whistleblowing and provides Staff Members with guidance as to how to raise any malpractice or wrongdoing concerns.
This Policy applies to all individuals working for Shoorah Ltd in the UK at all levels, including senior managers, officers, employees, consultants, trainees, homeworkers, part-time and fixed-term workers, casual workers, agency workers, volunteers, and interns (collectively ‘Staff Members’).
This Policy should not be used for complaints relating to Staff Members’ own personal circumstances, for example, complaints about the way they have been treated at work. In such cases, Staff Members should use Shoorah Ltd’s Grievance Procedure.
This Policy does not form part of any contract of employment and the Employer may amend it at any time at its absolute discretion.
What can be reported under this Whistleblowing Policy?
Whistleblowing is the disclosure of information that relates to suspected wrongdoing or dangers at work, as defined by the Public Interest Disclosure Act 1998 (the ‘Act’). To constitute whistleblowing, a disclosure must be a ‘Qualifying Disclosure’ under the Act (i.e. the Staff Member must reasonably believe that the disclosure is in the public interest and the disclosure must communicate that the alleged wrongdoing is happening, has happened, or will happen). Such disclosures may be disclosures about:
- Criminal activity;
- Miscarriages of justice;
- Danger to health and safety;
- Damage to the environment;
- Failure to comply with any legal obligation;
- Bribery;
- Financial fraud or mismanagement;
- Breach of Shoorah Ltd’s internal policies and procedures including any Codes of Conduct;
- Unauthorised disclosure of confidential information; or
- The deliberate concealment of any of the above matters.
A whistleblower is a person who raises a genuine concern relating to any of the above. It is important to note that the Act only covers concerns raised by workers and employees.
If you have any genuine concerns related to suspected wrongdoing or danger affecting any of Shoorah Ltd’s activities (i.e. a whistleblowing concern), you should report it following the procedures set out in this Policy.
If you are uncertain whether something is within the scope of this Policy, you should seek advice from Lorri Haines.
How to raise a whistleblowing concern
For a Qualifying Disclosure to constitute a ‘Protected Disclosure’ (i.e. a disclosure within the scope of this Policy and covered by the law on whistleblowing) it must be made in the correct way. To ensure disclosures are made correctly, it is recommended that the steps within this section of the Policy are followed.
We hope that in many cases you will be able to raise any concerns with Shoorah Ltd. Where possible, we ask that any concerns are raised with Lorri Haines. You may tell them your concerns in person or put the matter in writing. They may be able to agree with you on a way of resolving your concern quickly and effectively. In some cases, they may refer the matter to another department within Shoorah Ltd.
However, where the matter is more serious, or you feel that Lorri Haines has not addressed your concern, or you would prefer not to raise it with them for any reason, you should contact the person or department within Shoorah Ltd responsible for the area of concern. For example:
- If the concern relates to alleged dishonesty, fraud, or corruption, please contact Lorri Haines.
- If the concern relates to working conditions or terms and conditions of employment, please contact Lorri Haines.
- If the concern relates to health and safety matters, please contact Lorri Haines.
Wider disclosures
The aim of this Policy is to provide an internal mechanism for reporting, investigating and remedying any wrongdoing in the workplace. In most cases, you should not find it necessary to alert anyone externally (i.e. anyone outside of Shoorah Ltd).
The law recognises that in some circumstances it may be appropriate for you to report your concerns to an external body, for example, a regulator. It will very rarely if ever be appropriate to alert the media. We strongly encourage you to seek advice (e.g. legal advice) before reporting a concern to anyone external.
Be aware that unique rules sometimes apply to determining when a Protected Disclosure can be made to an external party. For example, disclosures can be made to an external party if a Staff Member reasonably believes that the disclosure is substantially true, is not acting for personal gain, and it is reasonable for them to make this disclosure in all the circumstances of the situation. You can contact Lorri Haines for more information on this.
How Shoorah Ltd will respond to disclosures
Once you have raised a concern, it will be assessed to determine what initial action or further investigation should be taken. You will be advised:
- Who is handling the matter;
- How to contact them; and
- Whether any further assistance will be needed from you (e.g. whether any further information is required).
You may be required to attend additional meetings in order to provide further information. You may bring a colleague or union representative to any such meetings. Your companion must respect the confidentiality of your disclosure and of any subsequent investigation.
All allegations will be investigated thoroughly. Depending on the complexity of the matter, it may take time to investigate. We will try to keep you informed of the progress of the investigation and its likely timescale. However, sometimes the need for confidentiality may prevent us from giving you specific details of the investigation, its outcome, or any disciplinary action taken as a result. You should treat any information about the investigation as confidential.
If we conclude that a Staff Member has made false allegations maliciously or with a view to personal gain, the Staff Member may be subject to disciplinary action in accordance with our Disciplinary Procedure.
We cannot always guarantee the outcome you seek. However, we will always deal with your concerns fairly and in an appropriate way.
Assurances
We are committed to this Policy. All staff should be able to voice concerns openly under this Policy. However, if you are concerned about reprisal as a result of raising a concern under this Policy, we can take additional measures to preserve confidentiality.
The law on whistleblowing requires that Staff Members do not suffer any detrimental treatment as a result of raising a whistleblowing concern (i.e. a concern under this Policy), even if the Staff Member turns out to be mistaken in their claim. Detrimental treatment includes dismissal, disciplinary action, threats, or other unfavourable treatment connected with raising a concern. Shoorah Ltd will always take care not to subject Staff Members to detrimental treatment when dealing with whistleblowing disclosures. However, if you believe that you have suffered any such treatment, you should inform Lorri Haines immediately to discuss resolution of the situation. If the matter is not remedied, you should raise it formally using our Grievance Procedure.
Staff Members (e.g. managers) must not in any way threaten or retaliate against other Staff Members who have made whistleblowing disclosures. If you are involved in such conduct you may be subject to disciplinary action.
Attribution
This Whistleblowing Policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
WORKING FROM HOME POLICY
Statement and purpose of policy
Shoorah Ltd (the Employer) supports working from home for all staff and will agree to an employee working from home in appropriate circumstances, occasionally (to respond to specific circumstances or to complete particular tasks) and in some cases on a regular basis (full or part-time working from home).
In certain circumstances, occasional or permanent working from home allows the Employer to accommodate a disability and can be requested as flexible working under our Flexible Working Policy.
This policy sets out how requests for working from home can be made, how such requests are dealt with and the conditions on which working from home will be approved.
The Employer may amend this policy at any time, at our absolute discretion.
What does this policy cover?
This policy and the rules contained within it apply to all employees, irrespective of seniority, tenure and working hours, including all directors and officers, casual or agency staff, trainees, interns, fixed-term staff and volunteers.
Requests to work from home
You can make an application to work from home as soon as you start working for us. Any such application will be considered on its merits. However, note that not all jobs or roles are suitable to work from home.
A request to work from home is unlikely to be approved if:
- you need to be present in the office to perform your role (e.g. because it involves specialised equipment only available in the office);
- you require supervision to deliver an acceptable quantity or quality of work;
- your current standard of work or your performance, as indicated by your line manager or most recent performance review, is unsatisfactory; or
- you have an unexpired warning relating to conduct or performance.
When applying to work from home, you will need to show that you can:
- effectively manage your workload, meeting work deadlines;
- work independently, motivating yourself and relying on your own initiative; and
- adapt to new working practices when working from home, including maintaining contact with colleagues and managers.
To apply to work from home you must submit a written application to your line manager or HR department. Your application must set out:
- why you believe your role to be suitable to work from home;
- how you meet the requirements to work from home as set out in paragraph 7;
- if you wish to work from home on a permanent basis or for a fixed period, stating the date from which you wish to start working from home and, where the arrangement is for a fixed period, the date on which you wish to finish working from home;
- if you wish to work from home for your entire working week or only on certain days, specifying the days you wish to work from home;
- your availability for coming into work on days you are proposing to work from home if you are needed (e.g. to attend training days or cover for a sick colleague);
- how you will maintain contact with your line manager and how your work will be set and monitored; and
- how you will ensure the security of information and documents while working from home.
For your application to work from home to be considered, you should give the Employer as much notice as possible and, in any event, make an application at least 3 days before your proposed working from home start date.
Ad-hoc working from home requests should be made to your line manager, and do not need to be processed or recorded as a formal flexible working request. Ad-hoc working from home is working from home that is irregular in nature (e.g. working from home to oversee emergency repair work).
Where possible, ad-hoc working from home should be requested at least 3 days before the desired working from home date. You should request no more than 10 ad-hoc working from home days per month.
Response to working from home application
When considering your application to work from home, your line manager or HR department may invite you to a meeting to discuss your proposal.
The Employer will endeavour to respond to your application within 2 days of your application.
If the Employer refuses your request to work from home, you will be given a written response stating the reasons for refusal. If you are unhappy with our decision, you may appeal to Lorri Haines.
If the Employer accepts your application to work from home, this will be recorded in writing. Any such acceptance may be subject to a trial period.
Any agreement regarding your working from home will include the following terms:
- While working from home, you will continue to be subject to the same performance measures, objectives and processes as when you were working on the business premises.
- Your line manager will continue to supervise you and will regularly review your working from home arrangements, taking steps to address and rectify any problems. Your line manager will also ensure that you are up to date with information relevant to your work.
- You agree to attend the business premises or other reasonable location for training courses, important meetings or other events which you are expected to attend in person.
- You acknowledge that when you attend the business premises, you may have to share a desk or hot desk.
Hours of work
While you are working from home, your normal working hours will apply. If you do not think it will be possible to work these hours, please make a flexible working request in accordance with our Flexible Working Policy.
Please make sure that you take adequate rest breaks throughout the day, as set out in your employment contract.
In the event that you need to change your hours of work (e.g. to deal with the potentially conflicting demands of work and looking after children), please discuss any changes you need to your working schedule with your line manager.
Communicating with your line manager
Make sure you keep in regular contact with your line manager and notify them if you are unsure about what you are required to do.
You should consider all lines of communication, including email, telephone and video calls to ensure relationships are maintained and work continues.
Equipment and materials
It is your responsibility to ensure that you have sufficient and appropriate equipment and materials when working from home. In the event of loss or damage to personal equipment used while working from home, the Employer is not responsible for the provision, maintenance, replacement or repair of such personal equipment.
Expenses
The Employer is not responsible for any costs associated with you working from home, including costs of heating, lighting, electricity, broadband internet charges, telephone calls or printing. If you think an exception needs to be made as a result of your particular role, please discuss this with your line manager, for example where you are having to make work related calls and you do not have a work issued phone.
You will be responsible for any other associated costs of you working from home, including the costs of heating, lighting, electricity and printing.
Security
You are responsible for ensuring the security of all equipment, documents and information and must take all necessary steps to ensure that confidential information is kept secure at all times. In particular, you must:
- password protect any confidential information held on your home computer;
- lock your computer whenever it is left unattended;
- store confidential papers securely when they are not in use;
- ensure the secure disposal of any confidential papers (e.g. by using a shredder if there is one available);
- comply with our Data Protection Policy; and
- report any data security breaches to your line manager immediately.
Health and safety
When working from home, you must take reasonable care of your own health and safety and that of anyone else in the home who is affected by your work while working from home.
You should follow all health and safety instructions issued by the Employer from time to time, including attending any health and safety training.
Liaise with your line manager to make sure that your workstation is appropriate and that you are working in a safe manner.
There are steps you can take to make sure you achieve a comfortable posture while working from home on display screen equipment (DSE). Please watch the video from the Health and Safety Executive (HSE) on workstation set-up at www.hse.gov.uk/toolbox/workers/home.htm.
While working with DSE, please also observe these guidelines:
- Break up long spells of DSE work with rest breaks (at least five minutes every hour) or changes in activity.
- Avoid awkward, static postures by regularly changing your position.
- Get up and move around or do stretching exercises.
- Avoid eye fatigue by changing focus or blinking from time to time.
Notify your line manager and the HR department if you identify any work-related health and safety concerns or hazards while working from home.
You should follow the usual reporting procedures for any work-related accidents that occur in your home.
For health and safety purposes, the Employer retains the right to inspect and check your home office. The need for such inspections will depend on your specific circumstances, including the nature of your work.
Insurance
You acknowledge and understand that working from home may affect your home and contents insurance.
You should check with your home and contents insurance providers that they have adequate cover for the fact that you work from home and whether any of your own equipment is covered for work use.
Rental or mortgage arrangements
You acknowledge and understand that working from home may affect your mortgage, lease or tenancy agreement.
You are responsible for checking any applicable mortgage or rental agreement to ensure that you can work from home. If permission is necessary, you must make all necessary arrangements with your bank, mortgage provider or landlord before commencing to work from home.
Termination of working from home arrangement
The Employer reserves the right to bring your working from home arrangement to an end (e.g. if your role changes and working from home is no longer suitable), by providing you with 21 days’ notice.
If you wish to terminate your working from home arrangement, you should first notify your line manager. The Employer will only be able to accept the termination if there is sufficient space available for you to return to work on the business premises.
Attribution
This working from home policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
Acceptable Usage Policy
Objective
The objective of this policy is to outline the principles and practices for protecting the privacy of personal information in the design, development, and delivery of Shoorah Ltd products and services. Privacy by Design means proactively protecting the privacy of individuals by minimizing the amount of personal data collected, ensuring that the data collected is used only for the intended purpose, and implementing strong security measures to prevent unauthorized access or disclosure.
Scope
This policy applies to all staff members, including employees, contractors, consultants, temporary, and other workers that interact with Shoorah Ltd systems. All such individuals are responsible for exercising good judgment in appropriately using electronic devices, data, and network resources in accordance with policies and standards, local laws, and regulations. This policy applies to:
- Any company-issued electronic, computing, storage, or network device.
- Any company-owned systems on the Internet or Intranet accessed wirelessly, including but not limited to servers, software, operating systems, storage, and network accounts.
- Any company-administered accounts with third-party services providing email, storage, infrastructure, software, data, APIs, business systems, etc., irrespective of whether such accounts are accessed via devices owned/leased by the company or are owned by staff members or a third party.
Policy Statement
Shoorah Ltd has a culture of trust and integrity. This policy aims to reinforce the trust we place in each other by ensuring we can collectively depend on each other to protect the assets of our staff, company, partners, and customers.
Security is a company-wide effort and requires cooperation from every staff member who works with Shoorah Ltd systems. Individuals should take precautions to ensure they use systems appropriately and not deliberately or inadvertently perform destructive or illegal actions.
Separation of Concerns
Company-issued devices and accounts are not personal property, so limiting their use for personal reasons is strongly recommended.
Security of Critical Data
- All data stored on computing and storage devices, whether owned or leased by Shoorah Ltd, the employee, or a third party, remains the sole property of Shoorah Ltd.
- You must ensure that all critical data is handled and secured in accordance with the Data Classification Policy.
- You are required to promptly report theft, loss, or unauthorized disclosure of any critical data.
- You may access, use or share critical data only to the extent authorized and necessary to perform your job responsibilities.
- Staff members are responsible for exercising good judgment when using Shoorah Ltd systems for reasonable personal use. If there is any uncertainty, staff members must consult their supervisor or manager.
- Shoorah Ltd reserves the right to audit any system at any time to ensure compliance with this policy. Authorized individuals within Shoorah Ltd may monitor equipment, systems, and networks at any time.
Unacceptable Use
Staff members may not use Shoorah Ltd-managed resources for activities that are illegal or prohibited under applicable law, no matter the circumstances.
Unacceptable System & Network Activities
Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations.
Unauthorized copying, distribution, or use of copyrighted material.
Exporting software, technical information, encryption software, or technology in violation of international or national export control laws.
Intentional introduction of malicious programs into Shoorah Ltd networks or any Shoorah Ltd-managed computing device.
Intentional misuse of any Shoorah Ltd-managed computing device or Shoorah Ltd networks (e.g., for cryptocurrency mining, botnet control, etc.).
Sharing your credentials for any Shoorah Ltd-managed computer or 3rd party service that Shoorah Ltd uses with others, or allowing the use of your account or a Shoorah Ltd-managed computer by others. This prohibition does not apply to single-sign-on or similar technologies, the use of which is approved.
Using a Shoorah Ltd computing asset to procure or transmit material that is in violation of sexual harassment policies or that creates a hostile workplace.
Making fraudulent offers of products, items, or services originating from any Shoorah Ltd account.
Intentionally accessing data or logging into a computer or account that the team member or contractor is not authorized to access, disrupting network communication, or computer processing or access.
Executing any form of network monitoring that intercepts data not intended for the team member’s or contractor’s computer, except when troubleshooting networking issues for the benefit of Shoorah Ltd.
Circumventing user authentication or security of any computer host, network, or account used by Shoorah Ltd.
Tunneling between network segments or security zones, except when troubleshooting issues for the benefit of Shoorah Ltd and its customers.
Unacceptable Email & Communications Activities
Forwarding confidential business emails or documents to personal external email addresses.
Note: Shoorah Ltd may retrieve messages from archives and servers without prior notice if Shoorah Ltd has sufficient reason to do so. If deemed necessary, this investigation shall be conducted with the knowledge of the Information Security Officer, Senior Management, People Business Partners, and the Legal team.
Return of Shoorah Ltd-Owned Assets
- All Shoorah Ltd owned computing resources should be returned upon separation from the company.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Acceptable Usage Policy. For version history, please see the next page.
Access Control Policy
Objective
The objective of this policy is to provide a framework to ensure that access to Shoorah Ltd assets is provided in a controlled manner based on business and information security requirements.
The framework is designed to ensure that appropriate controls for access management are established to protect Shoorah Ltd assets from security threats arising from unauthorized access.
Scope
This policy applies to specific systems that, from an access standpoint, have significant implications on Shoorah Ltd’s ability to render its service commitments and safeguard information.
Policy Statement
Centralized access control is key to ensuring that the correct Shoorah Ltd staff members access the correct data and systems at the correct level. The principle of least privilege guides Shoorah Ltd’s access controls. These controls apply to information and information processing systems at the application and operating system layers, including networks and network services.
The confidentiality, integrity, and availability of information stored within the information system of Shoorah Ltd shall be assured by ensuring that only authorized users have access to specific information assets as needed for their business activities.
Access Control Policy
Requirement for Access Control
Every organization possesses information and information assets that need to be protected from unauthorized use.
A list of critical systems within Shoorah Ltd that host services or sensitive data as defined in the scope of this document shall be identified and documented.
It is the responsibility of the Information Security Officer to ensure all such systems used to meet business requirements at Shoorah Ltd are identified, and the list of critical systems is kept updated.
Access Management
Access Provisioning
Shoorah Ltd shall provide access privileges to its systems based on the following principles:
Need to know – users or resources shall be granted access to systems that are necessary to fulfill their roles and responsibilities.
Least privilege – users or resources shall be given minimum privileges necessary to fulfill their roles and responsibilities.
Separation of duties – the practice of ensuring responsibility to perform critical actions is distributed among different individuals to keep a single individual from subverting the process.
The minimum requirements for access control are to be achieved using one or both of the following methodologies:
Role-based Access control: This methodology restricts access to systems and resources based on individuals or groups with defined business functions — e.g., executive level, engineer level 1, etc. — rather than the identities of individual users.
Rule-based access control: This involves a formal registration and de-registration process for individual users where access is provided based on requests and approvals from authorized personnel.
For Role-based access Control:
Access to information systems and services is restricted based on the role assigned to staff members.
The roles that may access each critical system shall be identified and documented.
By default, staff members are granted access to systems according to their role or team. The ability to grant access to systems is restricted to the administrators of each system.
If any access is required outside the defined role matrix, the business justification for such an event must be documented.
For Rule-based/Ticket-based access control:
Requests for users’ accounts and access privileges must be formally documented and appropriately approved. Access authorization information for a user must be retained for a minimum amount of time as defined in business, contractual, and legal requirements.
For any staff member requiring access to systems/platforms/tools, a request needs to be submitted detailing the specific access being requested.
The Acceptable Usage Policy needs to be accepted by an employee before being granted access to systems that contain customer data. This policy outlines responsibilities and commitments regarding the acceptable use of Shoorah Ltd’s assets.
If a Shoorah Ltd staff member requires access outside of the default for their role or team, either they or their managers may request additional access to the administrators of the respective systems.
When granting such access, it shall be limited to the minimum level required to perform the intended business operation.
Management of Privileged Access Rights
Shoorah Ltd operates its access management under the principle of least privilege.
Under the principle of least privilege, a staff member should only be granted the minimum necessary access to perform their function. Access is considered necessary only when a Shoorah Ltd staff member cannot perform a function or action without that access. If an action can be performed without the requested access, it’s not considered necessary. Least privilege is important because, by limiting access, it protects Shoorah Ltd and its customers from unauthorized access and configuration changes, including in case of an account compromise.
Management of Passwords and Secret Authentication Information of Users
It is recommended to minimize the use of passwords wherever possible. Please follow the guidelines to reduce the reliance on passwords:
Use a single-sign-on mechanism to authenticate yourself wherever possible. This avoids the need to create new strong passwords. Please ensure that the password/authentication mechanism for the SSO system is secure.
Use multi-factor authentication (MFA) techniques to authenticate yourself wherever possible. This adds an additional barrier even if the password is compromised.
Where passwords are the only way to login to a system, it is recommended to consider the below security requirements:
Staff members must use complex passwords, wherever possible, for all of their accounts that have access to critical data. A strong password should consist of at least 8 characters and should contain a combination of alphanumeric + special characters.
Reusing passwords that are or were used elsewhere, e.g., passwords used for personal accounts, is strongly discouraged. A common way attackers obtain access to corporate resources is by using employees’ personal passwords that were obtained in breaches of other services.
Shoorah Ltd shall ensure that any password or authentication details stored within systems owned and managed by Shoorah Ltd are encrypted or masked to avoid exposing such details.
Review of Access Rights
There shall be a periodic reconciliation of user accounts and the associated rights. The reconciliation needs to be performed at least annually.
Review of access rights must also include a review of privileges assigned to users.
It is essential that appropriate actions are taken immediately to remove, disable or modify any irregularities found in the access reconciliation.
Removal or Adjustment of Access Rights
Employment termination or change of roles shall trigger relevant processes for revoking or amending access rights.
If there is a role change, necessary changes/adjustments shall be made so that the user does not have more rights than required to carry out the new job function.
The removal or modification of access rights for terminated Shoorah Ltd employees or contract staff shall be carried out by the relevant administrators.
Secure Log-On Procedures
The following shall be considered for security when accessing critical systems:
If the login is unsuccessful, the error message shall not display which part of the login information was incorrect.
Limit the number of unsuccessful log-on attempts.
Password shall not be displayed while it is being entered.
Multi-factor authentication shall be adopted wherever possible.
Using an authentication mechanism like single sign-on (SSO) is also recommended wherever possible.
Session Time-Out
Inactive sessions (Application sessions, Administration Sessions, etc.) shall be shut down where feasible after a defined period of inactivity.
Intranet site may be exempted from the requirement of session time-out.
Session time-out requirements shall be implemented for all the critical systems as feasible and applicable.
Re-authentication may be considered at timed intervals.
Access Monitoring
For all production infrastructure, logging must be enabled to ensure user accountability is maintained in case of any issues. It is recommended to have additional security measures like an intrusion detection/prevention system to detect any unauthorized access.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Access Control Policy. For version history, please see the next page.
Access Control Procedure
Objective
The objective of this document is to establish a procedure and framework for user access management and controlling access to assets and information systems of Shoorah Ltd, in accordance with the Access Control Policy.
Scope
This procedure applies to all users and administrators with access to any critical systems in Shoorah Ltd.
Access Control Procedure
Requirements for Access Control
The systems that are critical from an access control standpoint are listed and maintained in Sprinto App. The Shoorah Ltd Information Security Officer is responsible for keeping this list up to date.
A list of all critical systems that require access control shall be made available in the Sprinto App in one of the following ways:
Integrated Systems – Where possible, the respective administrators of critical systems should integrate the system with Sprinto App for automated and continuous monitoring of access control requirements. Examples of such systems include cloud infrastructure providers (like AWS, Azure), version control systems (like Github, bitbucket), email providers (like Google Workspace, Microsoft O365), HRMS systems, etc.
Monitored Systems – Where Integrations are not possible, the critical systems should be added to Sprinto App for tracking and monitoring. Adding such systems to Sprinto App to ensure they are monitored is the responsibility of the Information Security Officer.
It is the responsibility of the Information Security Officer to ensure that the roles that can get access to each critical system are configured in the Sprinto App.
Access Provisioning
The access to Shoorah Ltd systems should be initiated only after an offer letter, including the terms and conditions of employment, has been formally signed by the employee.
By default, all employees get access to systems that are configured to be given to all staff. Examples include email providers or internal messaging tools.
Access to other systems should be assigned by respective system administrators based on the role matrix defined once the employee has been onboarded.
Users who are not configured to have access to a particular system will be automatically monitored and alerted by Sprinto App. It is the responsibility of the Information Security Officer to respond to such alerts and ensure the role matrix is updated or the access is removed.
For Integrated systems, the Information Security officer should ensure that User IDs created in the systems for each user are tagged to their respective company email IDs in Sprinto App to ensure users are identified and tracked continuously.
For access provisioning of third-party users (consultants, auditors, vendors/suppliers, etc.), the Information Security Officer or Business heads should approve the access. For such users, care should be taken by the system administrator to disable the account after the requirement is over.
Management of Privileged Access Rights
It is the responsibility of system administrators to ensure that the least privilege principle is followed when granting access.
As a part of access reviews, the Information Security Officer shall take the help of individual system administrators and business heads to review the privileges assigned to users.
Management of Secret Authentication Information of Users
Where possible, SSO and MFA need to be enabled to reduce reliance on passwords.
For critical systems which are integrated with the Sprinto App, it is the responsibility of the Information Security Officer to ensure the MFA status for users with access to systems is monitored continuously on the Sprinto App.
In case of discrepancies alerted by Sprinto App, the Information Security Officer should ensure corrective actions are taken immediately.
For Monitored Systems, the Information Security Officer should make sure that secure login/password management is enabled and that the evidence for it is uploaded on Sprinto App.
Review of Access Rights
Access reviews should be carried out once every quarter by the Information Security Officer with help from respective system administrators for all production systems. For non-production systems, access reviews should be carried out at least annually.
The access review for critical systems should be completed within the Sprinto App where possible. For all monitored systems, evidence of performing reviews needs to be uploaded to the Sprinto App.
Any corrective action that needs to be taken in case of discrepancies noted should be documented as a part of the access review activity.
Review of access rights should also include reviews of privileges assigned to individual users to ensure segregation of duties.
Removal or Adjustment of Access Rights
In case of any termination or change in role, the HR team should inform the system administrators and respective managers to revoke or modify access.
On termination of employment, access revocation from all critical systems should be completed within three days from the employee’s last working day.
In case of a change in role, the HR team should check whether the roles assigned to the employee in Sprinto App/HRMS are valid or need to be updated. They should notify respective administrators and managers immediately to update the access if required. The HR team should also notify the Information Security Officer to update the role-based access matrix.
User Responsibilities
Users are responsible for following the organization’s access control policy and procedure.
Users are responsible for keeping their passwords confidential.
Users are responsible for changing the passwords whenever there is any indication of possible system or password compromise.
Incidents relating to passwords/personal authentication information sharing should be reported via the Employee Portal in the Sprinto App.
Users shall not leave their system unattended while logged on. They shall lock the system even if they are moving away from the system for a short period of time.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Access Control Procedure. For version history, please see the next page.
Business Continuity Plan for Shoorah Ltd
- Introduction
- Purpose: Outlines the purpose of the BCP and its importance for Shoorah Ltd.
- Scope: Defines the scope of the plan, including departments and functions covered.
- Business Impact Analysis (BIA)
- Identify Critical Functions:
- Sales
- Customer Service
- IT Support
- Logistics
- Assess Impact of Disruptions:
- Analyze the impact of potential disruptions (e.g., natural disasters, cyber-attacks).
- Prioritize functions according to their criticality.
- Risk Assessment
- Identify Risks:
- Natural disasters (floods, earthquakes)
- Technological failures (server crashes, cyber threats)
- Human-related risks (pandemics, employee turnover)
- Evaluate Risks:
- Evaluate the likelihood and potential impact of each risk.
- Legal and Compliance Considerations:
- Address compliance with local regulations and industry standards.
- Include measures to protect sensitive data and meet data privacy requirements
- Recovery Strategies
- HR:
- Establish an emergency response team.
- Implement cross-training programs for employees to cover critical functions.
- Technology:
- Implement regular data backups.
- Develop IT disaster recovery plans.
- Facilities:
- Identify alternative work locations.
- Ensure safety protocols are in place.
- Financial Contingency Planning:
- Reserve funds for emergency use
- Develop cash flow management strategies during downtime
- Communication Plan
- Internal Communication:
- Define protocols for notifying employees during a disruption.
- Use multiple channels (email, messaging apps, phone trees).
- External Communication:
- Communicate with customers, suppliers, and stakeholders.
- Prepare templates for announcements.
- Plan Activation
- Activation Criteria:
- Define clear triggers for activating the BCP.
- Activation Process:
- Define the steps to follow when activating the plan.
- Designate the authority responsible for activation.
- Training and Awareness
- Employee Training:
- Conduct regular training sessions on the BCP.
- Drills and Exercises:
- Schedule periodic drills to test the effectiveness of the plan.
- Testing and Simulation:
- Regularly conduct simulations of various disruption scenarios (e.g., cyberattacks, power outages) to ensure preparedness.
- Plan Maintenance
- Review Frequency:
- Review the BCP at least annually or after significant changes.
- Updates:
- Incorporate lessons learned from drills and real events.
- Documentation
- Plan Documentation:
- Keep all BCP documents accessible and up to date.
- Contact Information:
- Maintain a list of key contacts, including emergency services and critical suppliers.
Appendices
- Appendix A: Contact List
Employee contact details are stored on the employee system
- Appendix B: Critical Functions Matrix
Function/Activity | Criticality Level | Impact of Disruption | RTO | Resources Required | Dependencies |
---|---|---|---|---|---|
Customer Service | High | Loss of customer trust | 2 hours | Staff, IT systems | Sales, IT support |
IT Support | High | System downtime, productivity loss | 1 hour | IT staff, infrastructure | All operational functions |
Payroll Processing | Medium | Employee dissatisfaction | 1 day | HR staff, payroll software | HR policies, IT support |
Marketing Campaigns | Low | Decrease in brand visibility | 1 week | Marketing team, budget | Sales, customer feedback |
- Appendix C: Risk Assessment Details
Risk Description | Likelihood (1-5) | Impact (1-5) | Risk Score (Likelihood x Impact) | Mitigation Strategies | Responsible Person | Review Date |
---|---|---|---|---|---|---|
Cybersecurity Breach | 4 | 5 | 20 | Implement robust security protocols and training | IT | Oct-24 |
Natural Disaster | 3 | 4 | 12 | Develop a disaster recovery plan | HR & CEO | Oct-24 |
Employee Turnover | 3 | 3 | 9 | Enhance employee engagement and retention programs | HR | Oct-24 |
Regulatory Changes | 2 | 5 | 10 | Monitor regulations and provide training | CFO | Oct-24 |
- Appendix D: Communication Templates
To be created as required by the CEO and HR, each to cover:
- Event
- Action required
- Impact
- Timeframe
Code of Business Conduct Policy
Objective
Shoorah Ltd’s Code of Business Conduct policy outlines the company’s expectations regarding employees’ behavior towards their colleagues, supervisors, and the overall organization.
Shoorah Ltd promotes freedom of expression and open communication. All staff members are expected to follow the code of conduct. Staff members should avoid offending others, participating in serious disputes, and disrupting our workplace. Shoorah Ltd also expects all staff members to foster a well-organized, respectful, and collaborative environment.
This policy outlines the expectations for all Shoorah Ltd staff and the consequences for unacceptable behavior.
Scope
This policy applies to all Shoorah Ltd staff members. Staff members include employees (both full-time and part-time) as well as contractors, regardless of the employment agreement or the level of seniority. Shoorah Ltd staff members are expected to follow this policy in all matters pertaining to their work.
Policy Statement
Shoorah Ltd is committed to creating and maintaining a professional and respectful work environment. This policy describes the desired behavior of all staff members and emphasizes the importance of diversity and inclusion in the workplace.
Guidelines
- Be welcoming, friendly, and patient.
- Be considerate. Other people will use your work, and you, in turn, will depend on the work of others. Any decision you make will affect users and colleagues, and you should take those consequences into account when making decisions.
- Be respectful. Not all of us will always agree, but disagreement is no excuse for poor behavior and manners. Everyone experiences some frustration occasionally, but one cannot allow that frustration to become a personal attack. It’s important to remember that an organization where people feel uncomfortable or threatened is not productive. Shoorah Ltd Staff should be respectful when dealing with other staff.
- Be careful with the words that you choose. Remember that sexist, racist, and other exclusionary jokes can offend those around you. Be kind to others. Do not insult or put down others. Behave professionally. Remember that harassment and sexist, racist, or exclusionary jokes are inappropriate for the organization. Such unacceptable behavior includes, but is not limited to:
- Violent threats or language directed against another person.
- Discriminatory jokes and language.
- Posting sexually explicit or violent material.
- Posting (or threatening to post) other people’s personally identifiable information (“doxing”).
- Personal insults, especially those using racist or sexist terms.
- Unwelcome sexual attention.
- Advocating for or encouraging any of the above behavior.
- Repeated harassment of others. In general, if someone asks you to stop, then stop.
- When there is a disagreement, efforts should be made to try to understand why. Social and technical disagreements happen all the time, and Shoorah Ltd is no exception. Disagreements and differing views must be resolved constructively. Remember that everyone is different. Different people have different perspectives on issues. Being unable to understand why someone holds a viewpoint doesn’t mean they’re wrong. Remember that it is human to err. Blaming each other doesn’t help. Instead, offer to help resolve issues and to help learn from mistakes.
- The company requires that all staff members demonstrate commitment to impartially treating all people and organizations with whom they come into contact or conduct business. Unsolicited gifts or entertainment may only be accepted if they do not go beyond common courtesy and do not have a risk of influencing any business decisions.
- Shoorah Ltd requires all staff members (including senior management) to disclose any personal relationships, business transactions, and related parties that might cause reputational/financial harm to the organization while benefiting them.
- Shoorah Ltd requires that all staff members do not offer, give, receive, or solicit anything of value to influence an official act by a public official, agent, or government employee.
Shoorah Ltd prohibits all staff members from bribing foreign officials as well as making unauthorized facilitation payments to those individuals involved in customs, permitting the flow of goods and other activities.
Reporting Violations
If you are a victim of or notice unacceptable behavior, please notify your reporting manager or anyone up the reporting structure, including the CEO.
Note that this policy does not allow retaliation against a person for reporting unacceptable behavior or participating in an investigation of any such report. Disciplinary actions listed below also apply to any such retaliation or intimidation.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document is to be reviewed annually and whenever significant changes occur in the organization.
End of Code of Business Conduct Policy. For version history, please see the next page.
Communications & Network Security Policy
Objective
Shoorah Ltd shall take adequate precautions and design appropriate controls to prevent misuse of its information assets and information processing facilities. In this regard, Shoorah Ltd shall establish necessary communication and network security procedures, protect information in networks and support infrastructure, maintain the security of information being transferred, and detect any unauthorized information processing activities.
Scope
This document applies to all processes and operations within the scope of the Information Security Management System at Shoorah Ltd.
Policy Statement
Shoorah Ltd is committed to ensuring the highest level of service to its customers. Consequently, it is paramount to manage and control networks to protect them from threats and maintain the security of their systems and applications.
Communication & Network Security
Network Security Management
Network Controls
Networks shall be adequately managed and controlled to be protected from threats and to maintain the security of the systems and applications using the network, including information in transit.
Network-based intrusion prevention/detection systems shall be deployed, wherever possible, to cover critical network segments within the IT infrastructure.
Infrastructure elements and software exposed to untrusted or semi-trusted networks/users (e.g., Internet-facing systems, distributors, call centers, Contract Partners, etc.) shall be adequately protected by firewalls, Intrusion Prevention Systems (IPSs), limited connectivity, and encryption.
Any system deployed on the Internet must go through a thorough vulnerability check.
All configurations must be done by trained and authorized personnel. Any changes to network configurations should follow the Operations Security Procedure.
Vulnerability assessment of these infrastructure elements shall be carried out every year.
All end-user systems connecting to the Shoorah Ltd infrastructure should have baseline security implemented.
Information Transfer Policies & Procedure
Information transfer guidelines shall be captured in the Data Classification Policy and Asset Management procedure, and users shall be made aware of these guidelines.
Acceptable use standards shall be established to define guidelines for the appropriate use of communication facilities.
Appropriate anti-malware controls shall be established to detect and prevent malware that could be transmitted through electronic communication channels.
Employees shall treat all correspondence sent using Shoorah Ltd email systems as confidential.
To prevent loss, modification, destruction, or misuse of information, Shoorah Ltd shall protect and control the exchange of critical business information assets and software with third parties and outside organizations.
Where feasible, it is recommended to consider the implementation of appropriate web filtering mechanisms that will restrict user access to external networks and websites based on the organization’s policies.
Electronic Messaging
Information involved in electronic messaging (e.g., emails, instant messengers) shall be appropriately protected from unauthorized access, modification, or denial of service.
Public email accounts shall not be used for conducting Shoorah Ltd operations unless authorized.
Forwarding of Shoorah Ltd mailbox to public or non-Shoorah Ltd email accounts shall be done in accordance with the Data Classification policy.
Confidentiality or Non-Disclosure Agreements
Confidentiality or non-disclosure agreements reflecting Shoorah Ltd’s needs for the protection of information shall be identified and maintained with all third parties, based on the criticality of the information to be protected. These requirements shall be reviewed at least once a year and at the time of any change in the business environment, legal requirements, and contractual obligations.
Confidentiality and non-disclosure agreements shall comply with all applicable laws and regulations for the jurisdiction to which they apply.
Both staff members and contract partners of Shoorah Ltd shall sign and comply with the non-disclosure agreement (NDA) that is established and maintained by Shoorah Ltd’s HR team, where applicable.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Communications & Network Security Policy. For version history, please see the next page.
Compliance Policy
Objective
The purpose of this policy is to establish guidelines for the management of regulatory and legal compliance requirements for systems in accordance with applicable standards such as ISO 27001:2013, ISO 27001:2022, SSAE 18 (SOC 2), and other standards.
Scope
This document is applicable to all Shoorah Ltd’s processes and operations that are within the scope of the Information Security Management System (ISMS) (refer to the definition in Section 3 of the Information Security Policy).
Policy Statement
The information security management system of Shoorah Ltd shall be established and operated with due consideration for compliance with statutory, regulatory, or contractual obligations as well as any specific security requirements.
Compliance Policy
Identification of Applicable Legislations & Compliance Requirements
All relevant statutory, regulatory, and contractual requirements of the operations shall be explicitly defined and documented for Shoorah Ltd’s information systems. The policies and procedures shall encompass and adhere to the applicable laws where applicable. Documentation of the requirements is mandatory only for ISO 27001. For other standards, ensuring compliance with the applicable requirements must be taken into account, but explicit documentation is not required.
Intellectual Property Rights
Shoorah Ltd shall comply with the terms and conditions and license requirements of copyrighted software, client intellectual property, or any other proprietary information used within the organization.
Protection of Organizational Records
Shoorah Ltd’s records related to information security shall be protected from loss, destruction, and falsification in accordance with statutory, regulatory, contractual, and business requirements.
Data Protection and Privacy of Personal Information
Data protection and privacy shall be ensured as required by relevant legislation, regulations, and if applicable, contractual clauses for each business
Prevention of Misuse of Information Processing Facilities
Information processing facilities shall be used in accordance with the policies detailed in this document, the Acceptable Usage policy, and the Code of Business Conduct policy. Disciplinary action shall be taken for any violations of these policies.
Compliance with Security Policies, Standards, and Technical Compliance
Department heads shall ensure that all security procedures within their area of responsibility are correctly carried out to achieve compliance with security policies and standards.
Information Systems Audit Considerations
Shoorah Ltd shall conduct periodic audits by competent, independent parties to ensure compliance with information security policies, procedures, standards, and guidelines. Formal procedures shall be developed for planning and reporting audits, as well as addressing audit findings and implementing prompt and accurate remedial actions.
Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed upon to minimize the risk of disruptions to business processes.
Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur within the organization.
End of Compliance Policy. For version history, please see the next page.
Confidential Information and Intellectual Property
Confidential information
- For the purposes of this Agreement:
- Associated Company has the meaning given by the Companies Act 2006;
- Confidential Information means any information disclosed by or on behalf of the Company (or any Group Business) to the Director during their tenure that at the time of disclosure (whether in writing, electronic or digital form, verbally or by inspection of documents, computer systems or sites or pursuant to discussions or by any other means or other forms and whether directly or indirectly) is confidential in nature or may reasonably be considered to be commercially sensitive, and which relates to the business and affairs of the Company (or any Group Business) including but not limited to: (a) all Director IPRs (b) all Director Inventions and (c) all analyses, compilations, studies and other documents prepared by the Director which contain or otherwise reflect or are generated from the information referred to above.
- Director IPRs means Intellectual Property Rights you create in the course of your tenure with us (whether or not during working hours or using our premises or resources) that:
- relate to any part of (or demonstrably anticipated business of) the Company or any Group Business; or
- are reasonably capable of being used by the Company or in any part of a Group Business.
- Director Inventions means any Invention which is made wholly or partially by you at any time during the course of your:
- normal duties; or
- duties specifically assigned to you, if those duties are such, that an Invention might reasonably be an expected result (whether or not during working hours or using our premises or resources, and whether or not recorded in material form).
- Group Business means any business owned or operated by us or an Associated Company or all of those businesses together, as the context allows;
- Intellectual Property Rights means without limitation all existing or future intellectual and industrial property rights, anywhere in the world including any Invention, patent, utility model right, copyright and related right, trade mark, trade name, internet domain name, design right, design, service marks, trade secret, database right, topography right, right in get-up, right in goodwill or to sue for passing off and any other right of a similar nature, whether registered (or capable of registration) and the right to apply for any of these; and
- Inventions mean without limitation, inventions, ideas and improvements, whether or not patentable and whether or not recorded in any medium.
- You shall not use or disclose to any person either during or at any time after your tenure with the Company any confidential information. For the purposes of this clause, confidential information means any information or matter about the business or affairs of the Company [or any of its business contacts or clients] or about any other matters which may come to your knowledge in the course of your tenure, and which is not in the public domain or which is in the public domain as a result of your breach of this agreement. This restriction does not apply to:
- any use or disclosure of confidential information that has been authorised by the Company, is required by law or is carried out in the proper course of your duties; or
- any protected disclosure within the meaning of section 43A of the Employment Rights Act 1996.
- Nothing in this clause 16 shall prevent you or, where applicable, us (or any of our officers, employees, workers or agents) from:
- reporting a suspected criminal offence to the police or any law enforcement agency or co-operating with the police or any law enforcement agency regarding a criminal investigation or prosecution;
- doing or saying anything that is required by HMRC or a regulator, ombudsman or supervisory authority;
- whether required to or not, making a disclosure to, or co-operating with any investigation by, HMRC or a regulator, ombudsman or supervisory authority regarding any misconduct, wrongdoing or serious breach of regulatory requirements (including giving evidence at a hearing);
- complying with an order from a court or tribunal to disclose or give evidence;
- disclosing information to HMRC for the purposes of establishing and paying (or recouping) tax and National Insurance liabilities arising from your tenure or its termination;
- disclosing information to any person who owes a duty of confidentiality (which you and we agree not to waive) in respect of information disclosed to them, including legal or tax advisers or, in your case, persons providing you with medical, therapeutic, counselling or support services (provided they owe you a duty of confidentiality which remains unwaived); or
- making any other disclosure as required by law.
- As soon as your tenure ends, however that happens, or earlier if we request it, you must:
- return to us, all property that you have or control that belongs to us or relates to our business including but not limited to all documents and any car, keys, swipe cards, laptops and mobile phones; and
- delete any such property and Confidential Information from any electronic device which belongs to you.
- You agree that if you do not comply with this clause, damages would not be an adequate remedy and we can apply for an injunction to prevent any (further) breach, without prejudice to any other remedy that we might pursue, including but not limited to claiming damages.
Intellectual Property
- You acknowledge that:
- all Director IPRs, Director Inventions and works embodying them shall be owned automatically and absolutely by the Company to the fullest extent permitted by law. To the extent that they are not automatically owned by the Company, you hold them on trust for us; and
- because of the nature of your duties and the particular responsibilities arising from the nature of your duties, you have, and shall have at all times while you are engaged by us, a special obligation to further the interests of the Company.
- You agree:
- to promptly and on their creation, give us full written details of all Director Inventions you make wholly or partially during the course of your tenure;
- at our request, and in any event, on the termination of your tenure, to give us all originals and copies of correspondence, documents, papers and records on all media which record or relate to any of the Director IPRs;
- to use your best endeavours to execute all documents and do all acts both during and after your tenure by us as may, in the opinion of the Company, be necessary or desirable to vest the Director IPRs in the Company, to register them in the name of the Company and to protect and maintain the Director IPRs and the Director Inventions;
- to give us all necessary assistance to enable us to enforce our Intellectual Property Rights against third parties, to defend claims for infringement of third party Intellectual Property Rights and to apply for registration of Intellectual Property Rights, where appropriate throughout the world, and for the full term of those rights;
- not to attempt to register any Director IPR nor patent any Director Invention unless we request that you do so; and
- to keep confidential each Director Invention unless we have consented to its disclosure in writing.
- You waive all moral rights under the Copyright, Designs and Patents Act 1988 (and all similar rights in other jurisdictions) which you have or will have in any existing or future works.
- You hereby irrevocably appoint the Company to be your attorney in your name and on your behalf to execute documents, use your name and do all things which are necessary or desirable for the Company to obtain for itself or its nominee the full benefit of this section.
Name:
———————————————-
Signature
Date:
Encryption Policy
Objective
Encryption is a process in which data is encoded so that it remains hidden from or inaccessible to unauthorized users. It helps securely protect data that you do not want anyone to access. By encrypting our data at rest and in transit, we can better protect private, proprietary, or critical data and enhance communication security between client applications and servers. This policy provides the guidelines to follow for the encryption of data.
Scope
This policy is applicable to all systems and networks that store and transfer critical data. This includes cloud-hosted vendor services, endpoints, production networks, cloud assets, etc., used in delivering Shoorah Ltd’s services. This may also include third-party systems that support the business of Shoorah Ltd.
Policy Statement
The purpose of this policy is to ensure the security of data at rest and data in transit for Shoorah Ltd. Data at rest refers to physically stored data, which is encrypted using various tools and managed by the infrastructure provider. Data in transit, actively moving between locations, also needs to be encrypted using TLS and trusted security certificates. Passwords and cryptographic keys need to be encrypted and stored securely. Rolling one’s own cryptography is strongly discouraged.
Encryption Guidelines
Encryption at Rest
Data at rest is defined as data that is physically stored and not actively moving from one location to another (i.e., device to device or network to network). This includes data stored on laptops, flash drives, and hard drives.
Shoorah Ltd encrypts data at rest using a variety of tools, including but not limited to:
- Utilizing managed databases by infrastructure providers that have options to encrypt data at rest. In these cases, encryption keys are managed by the infrastructure provider.
- Utilizing the infrastructure provider’s option to encrypt the underlying storage of the assets that persist data. Again, encryption keys are managed by the infrastructure provider.
- Company laptops are encrypted as outlined in the Endpoint Security Policy.
Encryption in Transit
Data in transit is defined as data that is actively moving from one location to another (i.e., device to device or network to network). This includes data transferred over public networks such as the Internet. Shoorah Ltd encrypts data in transit using a variety of tools, including:
- TLS: Always use HTTPS, SSL enabled (minimum standard is TLS v1.2).
- Use security certificates provided by a known, trusted provider for all of Shoorah Ltd’s public-facing properties on the Internet.
Rolling your own Crypto
Please don’t roll your own crypto. If you really think you have a situation where it makes sense to do this, please don’t. If you’re absolutely sure you have an edge case where this makes sense, please contact the Information Security Officer so they can work with you on finding an alternative.
Password Encryption
All passwords of end-users and customers should be encrypted in transit and when stored at rest within the application or database.
Cryptographic Keys
Cryptographic keys should be generated and stored in a secure manner that prevents collision, loss, theft, or compromise.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Encryption Policy. For version history, please see the next page.
Endpoint Security Policy
Objective
This policy outlines how Shoorah Ltd protects against unauthorized access to its production systems or critical data via endpoints like laptops that are used by Shoorah Ltd staff members. It also details what should be done if such endpoints are lost, destroyed, or otherwise damaged.
Scope
This policy applies to all staff members with endpoint systems that are used to access production systems or critical data within the scope of ISMS at Shoorah Ltd.
Policy Statement
Securing endpoint devices (like laptops) is paramount to ensuring the Confidentiality, Integrity, and Availability of our customer data. To ensure endpoint security, Shoorah Ltd staff should install firmware and software updates, use antivirus software on endpoints with access to critical systems, enable hard disk encryption, use strong passwords (preferably with a password manager), activate auto-screen-lock, report lost or damaged devices, follow removable media guidelines, and comply with periodic reviews and audits.
Definitions
- Endpoints: An endpoint is any device that is physically an endpoint on a network. These can include laptops, desktops, mobile phones, tablets, and servers.
- Endpoint Security: Endpoint security is used to protect Shoorah Ltd systems when accessed via remote devices such as laptops. Each laptop with the ability to access Shoorah Ltd systems can be a potential entry point for security threats.
Endpoint Security Guidelines
Shoorah Ltd staff should take the following steps to ensure the security of the endpoints they use to perform their work:
- Shoorah Ltd staff are responsible for installing critical firmware and software updates on the endpoints they use exclusively or those where they’re the assigned owner. All communal assets (like large TVs etc.) should have assigned owners.
- Shoorah Ltd requires that all endpoints with access to critical systems like the production infrastructure use antivirus software to protect themselves and our critical systems from malware.
- All Shoorah Ltd staff are required to turn on the hard disk encryption option of their respective operating systems (e.g., FileVault on Mac).
- As detailed in the password policy, Shoorah Ltd staff should use strong passwords to protect against unauthorized access to their system or any services they use. While it is not mandatory, it is recommended to use a password manager.
- All staff must turn on auto-screen-lock on their systems so that it activates after a reasonable period of inactivity. While the screen lock will protect your device in most cases, it is recommended that you do not leave your computer unattended and unlocked. The recommended maximum period of inactivity before the screen lock activates is 20 minutes.
- Employees must immediately report lost, stolen, or damaged devices to the management, who will then attempt to stop access to critical systems and data through the exposed device.
- Employees must follow the removable media guidelines outlined in Physical Security Policy and Asset Management Policy.
- Endpoints may be verified for compliance with this policy through various methods, including but not limited to periodic reviews, Sprinto App monitoring, and internal and external audits.
- Endpoint security does not require the following:
- Collect, log, or track personal activity (including website visits or purchases).
- Remote viewing.
- Key-logging.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Endpoint Security Policy. For version history, please see the next page.
Shoorah Governance Document
Creation date: 30th October 2024
Review date: 30th October 2024
Person accountable for policy: Dr Neetu Johnson, CMO
Relevant legislation
This Policy summarises SHOORAH’s philosophy in promoting a culture of Good Governance.
This is in accordance with the requirements of
- Health and Safety at Work etc. Act 1974
- Medicines Act 1968
- Data Protection Act 2018
- Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
Definition
For SHOORAH, Good Governance refers to the holistic approach taken by SHOORAH’s management to implement policies and procedures that collectively ensure the delivery of excellent and ethical standards of service, and their continuous improvement.
SHOORAH’s values, behaviours, decisions and processes will be open to scrutiny as safe and effective evidence-based practices are developed. Good Governance is defined as recognising accountability, acting upon lessons learned, and being open and honest in seeking the best possible outcomes and results for patients.
Implementation
The implementation of Good Governance will depend upon implementation of the established policies and procedures, and the maintenance of supporting records, which are relevant to the modules of SHOORAH’s Quality Management System.
We will seek patient participation and provide patients with a mechanism to give feedback and make suggestions. SHOORAH will discuss feedback received from patients and publicise both suggestions and the clinical organisation’s response. Where individuals are identified, they will receive a personal response. We will view the organisation from the patient perspective (in particular from formal patient survey results) and actively seek to implement feasible and beneficial ideas.
Clinical Audits & Quality Monitoring System
We will undertake regular clinical audits, record the results, and plan improvements to patient benefit. We will also undertake audits of administrative procedures to ensure that they are working effectively.
SHOORAH will undertake reviews and monitor systems and processes in order to identify where quality or safety issues are being affected or compromised.
We will respond appropriately and promptly by:
- Undertaking audits in areas such as safeguarding, health and safety, medication management against appropriate Regulations and Standards.
- Maintaining compliance to these Regulations and Standards, and the improvement of policies, practices, and the overall delivery of the care services provided through the audits.
- Using best practice such as NICE guidelines
- Involving patients where possible
- Planning that each policy and related record forms will be reviewed through audit at least annually to verify their on-going validity
Evidence-based treatment
We will maintain an up-to-date knowledge of current developments and research and assess these against established and proven methods of working. We will share expertise and opinion within the organisation in order to ensure the continuous improvement of the clinical service.
Staff and staff management
We will encourage team working across the clinical organisation, establish a “no-blame” learning culture and provide an open and equal working relationship with colleagues. We will support training, development, devolution of control and empowerment.
Information and its use
We will make full use of information both electronic and paper-based in clinical and non-clinical decision-making processes. We will share best practices with others both inside and outside the organisation and we will seek to improve data quality continually.
GDPR 2016 and the Data Protection Act 2018 are underpinned by eight important principles.
SHOORAH will adhere to these principles of good governance of information by ensuring that personal data of patients and staff must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area unless that country or territory also ensures an adequate level of protection.
In accordance with Data Protection Act 2018, SHOORAH will process personal information of our patients and staff members, and we will pay an annual data protection fee to ICO. The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Risk control
We will operate a free system of Significant Event Reporting to encourage review, feedback and learning from incidents in an open and no-blame culture. All significant events will be discussed and documented within the forum of a review / policy meeting. Our objective is to continually improve the service by reviewing the Significant Events reported throughout a year.
Continuing Professional Development (CPD)
We will ensure CPD for our staff members via full participation in appraisals, revalidation, attendance at training events, and the organisation of regular in-house clinical seminars. All development activity will be documented as part of individual learning portfolios. Non-clinical staff will be encouraged to attend events related to their own specialism or professional development needs.
Strategic capacity
We will operate a 3-year strategic plan based on projected patient needs and gear activity towards creating resources to achieve both immediate and longer-term patient clinical needs.
Dr Neetu Johnson is the Clinical Governance lead and is responsible for:
- Promotion of quality care within the organisation
- Provide clinical governance leadership and advice
- Keeping up to date with research and governance recommendations, and communicating these accordingly
- To act as an expert resource and advisor in the examination and review of significant events
- To initiate and review audits
- To oversee the management of the key Policy provisions above
SHOORAH Organisation Chart
(to be added in here)
DR NEETU JOHNSON
JOB TITLE: Chief Medical Officer
DUTIES AND RESPONSIBILITIES:
- Responsible for the supervision of staff during their training period influencing their development and guiding them through the processes of the organisation.
- Review patient’s information at regular intervals. If necessary, take appropriate action to address any issues or complaints
- Offer supervision to the clinical team
- Support, train and mentor team members
- Ensure accurate and timely monitoring and recording
- Ensure a high level of discretion and confidentiality with regard to the patient’s information
- Working with doctors and the Training Department to deliver training and development to staff as required.
- Actively participate in undertaking clinical audit, disseminating audit findings and actively leading the implementation of changes to protocol and/or procedure.
- Lead and manage the processes, which ensure the principles of clinical governance are embedded in practice and assist with clinical audits.
- Maintain accurate records of all clinical assessments, consultation notes and prescribed medication and to audit the agreed percentage of these.
- To assist in clinical investigations when required
- To conform to all Policies and Procedures laid down by the organisation in respect of carrying out these care duties and in other administrative aspects of the business, as relevant.
- To assist with the identification of staff training needs, and to participate in induction training
- To participate in Staff, Team and Quality Management Review Meetings.
Data Breach Notification Policy
Objective
The objective of this policy is to outline the guidelines for notifying individuals, regulatory authorities, and other relevant parties in the event of a data breach. The policy aims to ensure prompt and appropriate actions are taken to mitigate the impact of a data breach, uphold the privacy and security of individuals’ data, and comply with applicable laws and regulations.
Scope
This policy applies to all employees, contractors, and third-party service providers who handle personal information in the course of their work for our organization.
Policy Statement
At Shoorah Ltd, we are committed to safeguarding the data that we collect for the delivery of our services. If sensitive data is acquired, accessed, used, or disclosed in a manner not permitted under the privacy law or in a manner that compromises the security or privacy of the sensitive data (personal data or PHI), it may be considered a Breach.
Data breach notification procedures shall be created to define procedures and responsibilities to ensure a quick, effective, consistent, and orderly response to Information Security Incidents which lead to a Data breach.
Reporting of Suspected Breach
Any Shoorah Ltd staff member who discovers a potential breach of sensitive data shall report it to the company’s Information Security Officer immediately.
Investigation of Suspected Breach
The Information Security Officer shall review the circumstances of the suspected breach to determine if the incident was intentional or unintentional. Certain unintentional incidents, described more fully below, do not constitute reportable breaches.
- If sensitive data was acquired, accessed, or used by a staff member of Shoorah Ltd, but the acquisition, access, or use was made in good faith and within the scope of permitted activities of the staff member, and there is no further unpermitted use or disclosure, then this does not constitute a breach.
- If sensitive data was inadvertently disclosed by one staff member of Shoorah Ltd to another staff member, and there is no further unpermitted use or disclosure, then this does not constitute a breach.
- The Information Security Officer shall review the circumstances of the suspected breach to determine if the incident poses a significant risk of financial, reputational, or other harm to the customer. The risk assessment shall be documented. If the risk assessment results in a conclusion that the incident could cause a significant risk of harm, notification will be made as described in the Breach Notification section below.
Breach Notification to the customer
In the case of a sensitive customer data breach, the Information Security Officer shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the authority competent in accordance with laws governing the contract, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Mitigation
Shoorah Ltd shall mitigate, to the extent practicable, any harmful effect that is known to the company of a use or disclosure of sensitive data in violation of its business associate agreements.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Data Breach Notification Policy. For version history, please see the next page.
Data Classification Policy
Objective
The Data Classification Policy provides a way to categorize any data processed by the Shoorah Ltd staff, software, and systems. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value, and criticality to the organization. By understanding the types of available data, their classification, and access level, one shall be able to map the appropriate access or level of protection needed. This clarity ensures that critical company data can be secured.
Scope
The Shoorah Ltd Data Classification Policy applies to all the data handled, managed, stored, or transmitted by Shoorah Ltd and the Shoorah Ltd staff. Managers and information owners shall assign the appropriate classification as and when required.
Policy Statement
Each individual at Shoorah Ltd shall be responsible for reviewing, adhering to, and handling data according to the classification levels defined below. The Data Classification definitions below provide a list of various types of data and their classification levels. In case of difficulty in identifying a specific data element or uncertainty regarding the associated risk and appropriate classification and handling, individuals are encouraged to contact Shoorah Ltd’s Information Security Officer for guidance and assistance.
Data Classification Definitions
Shoorah Ltd’s data is classified as follows:
Public Data
This data or information may be shared with any person, organization, or system regardless of their relationship with Shoorah Ltd. This classification is not limited to data or information meant for public consumption but also includes any data or information that requires no special handling or any kind of safeguarding from disclosure. The distribution of such data does not expose Shoorah Ltd, its customers, or its partners to any harm.
Examples of Public Data include product blogs, company websites, press releases, marketing collaterals, career pages, etc.
Company Internal Data
This data shall be accessible by all staff within Shoorah Ltd and may be required for the smooth operational functioning of the organization. Such information shall not be made available to parties outside Shoorah Ltd but may be shared if requested.
Examples of Company Internal Data include Information Security Policies & Procedures, HR Policies, Leave Policies & Holiday Lists, Operational Procedures, etc.
Company Confidential Data
This data & information shall be accessible by pre-authorized staff members and shall not be made generally available within Shoorah Ltd. Unauthorized access or disclosure could cause significant financial or material loss and poses a risk to Shoorah Ltd if exposed. Such exposure can lead to breaking contractual obligations and may adversely impact Shoorah Ltd, its partners, employees, and eventually its customers. Such information needs to be protected from unauthorized access and changes. Note that access to such data may also be limited to specific staff members or groups of staff members like executives, HR, legal teams, etc.
Examples of Company Confidential Data include employee salaries, legal documents, internal product specifications, customer lists, strategy documents, internal roadmaps, design documents, internal memos, emails, etc.
Customer Confidential Data
This data, if accessed by unauthorized parties, may adversely affect Shoorah Ltd’s customers. This includes data that Shoorah Ltd is required to keep confidential, either by law or under a customer agreement. The company needs to protect such information from unauthorized access and unauthorized modification. Customer Confidential Data needs to be safeguarded when it is stored, processed, used, and transmitted.
Unauthorized access to such data can violate contractual confidentiality agreements with customers, cause a security incident, or affect Shoorah Ltd’s customer and industry confidence.
Examples of Customer Confidential Data include data provided by customers by using our system, information on customer accounts, personally identifiable information of customers (or customers’ customers), etc.
Personal Data
This data, if accessed by unauthorized parties, may adversely affect the privacy of individuals. Personal Data refers to any data relating to an identifiable individual or person. This includes data Shoorah Ltd is required to safeguard, either by law (GDPR for EU citizens’ data) or under a customer agreement. The company needs to protect such information from unauthorized access and unauthorized modification. Personal Data needs to be safeguarded when it is stored, processed, used, and transmitted.
Unauthorized access to such data may potentially violate the law, break contractual data protection agreements with customers, cause a security incident, or affect Shoorah Ltd’s customer and industry confidence.
Examples of Personal Data include name, email, phone number, IP Address, political views of individuals, cookies, Personal Health Records, Credit Card information, etc.
Note that personal health records, credit card information, and other sensitive personal data may be subject to additional laws based on the location of the owner of such data. For example, HIPAA regulations shall apply to US citizens’ personal health information.
Document Security Classification
Company Internal (as described in section 4.2 of this document).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Data Classification Policy. For version history, please see the next page.
HR Security Procedure
Objective
This procedure specifies the information security requirements that should be considered throughout the various stages in the Human Resource lifecycle of employees (full-time and part-time) and external parties, including contractors and other third-party staff, (as applicable), including pre-employment, during employment, and at the end of employment.
Scope
This procedure applies to all employees (full-time and part-time) and external parties, including contractors and other third-party staff (as applicable), having access to Shoorah Ltd information systems.
HR Security Procedure
Before Employment
Before releasing the offer letter, the People Operations Head must ensure that potential employees are duly evaluated on their capability to perform the job role. This shall be documented as a hiring evaluation and maintained after the employee has joined Shoorah Ltd.
The People Operations Head should ensure that the offer letter which includes the terms and conditions for the employees has been signed by the employee.
The People Operations Head must ensure that the Background Verification (BGV) of employees is initiated at the time of the joining and that the final Background Verification reports are documented and maintained.
During Employment
Once the employee has joined, the People Operations Head must ensure that the user has been onboarded onto all necessary tools and systems, granting them appropriate access as required.
After an employee joins, the People Operations Head must assign them a role and reporting manager to make sure the organization chart is updated and documented. The list of active roles within the organization and their job descriptions also needs to be documented and maintained.
The People Operations Head should make sure that new joiners read and acknowledge organizational policies within 30 days of joining.
Employees must also finish the information security awareness training. The status should be tracked, and the HR head must make sure that employees finish the training within 30 days of joining.
The Information Security Officer or the People Operations Head should send out periodic training requests and policy acknowledgment requests to all employees at least annually. The status of completion can be tracked, and it is their responsibility to ensure all employees finish the periodic activities.
Employees shall be evaluated by their reporting manager regarding their job and information security responsibilities at least once annually. These evaluations also need to be documented and maintained.
Termination or change in employment
Once an employee decides to terminate his employment with Shoorah Ltd, the last working day must be decided in concurrence with the reporting manager and People Operations Head. The following processes need to be kickstarted on the last working day:
The HR team must ensure any company-owned asset or device is returned to the organization.
The user needs to be offboarded from all critical systems that they have been provided access to by the People Operations Head.
Access to critical systems must be revoked within 3 days. The respective administrators need to be notified by the People Operations Head. The status can be tracked and monitored.
In case any user access needs to be retained, HR must notify respective admins to change the password to such accounts and document the justification for the same.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document should be reviewed annually and whenever significant changes occur in the organization.
End of HR Security Procedure. For version history, please see the next page.
HR Security Policy
Objective
The objective of this policy is to provide a framework within which the information security requirements of human resources are addressed throughout the entire lifecycle of recruitment, employment, change of employment, and termination. Shoorah Ltd shall ensure that employees (full-time and part-time) and external parties, including contractors and other third-party staff, understand the responsibilities for the roles they are considered for and are aware of and fulfill their information security responsibilities. Additionally, Shoorah Ltd shall protect the company’s interests while changing or terminating employment.
Scope
This policy applies to all employees (full-time and part-time) and external parties, including contractors and other third-party staff (including housekeeping staff and security personnel), with access to Shoorah Ltd information systems.
Policy Statement
Shoorah Ltd shall ensure that employees (both full-time and part-time) and external parties, including contractors and other third-party staff, understand their responsibilities for the roles they are considered for and are aware of and fulfill their information security responsibilities. Moreover, Shoorah Ltd shall also protect the company’s interests while changing or terminating employment.
Human Resource Security Guidelines
Before employment
As part of the hiring process, the competence of all candidates considered for employment shall be evaluated to ensure that they can perform the expected job responsibilities.
Once employed, all Shoorah Ltd employees and contract partners shall sign the terms and conditions of employment, which shall include the employee’s responsibilities for information security and related obligations, both during and after employment.
Background verification checks shall be performed on all prospective employees where possible:
The extent of background verification checks will be proportional to business requirements, the classification of information to be accessed, and the perceived risks. This may include previous employment checks, confirmation of claimed academic and professional qualifications, identity checks, or criminal record checks for prospective Shoorah Ltd employees.
In specific geographies, background verification checks may be considered illegal. In such cases, you may consider conducting a reference check depending on the level of information accessible to such employees.
Considering privacy, protection of personal data, and other relevant employment laws and regulations that may be applicable, contract partners shall be assessed for their information security practices as part of the Vendor Risk assessment. For more details, please refer to the Vendor Management Policy.
During Employment
Roles and responsibilities related to Information Security shall be defined and documented for all employees (full-time and part-time), contractors, and third-party staff where applicable.
All employees, relevant contractors, and third-party staff shall receive appropriate awareness training on organizational policies and procedures, including security requirements, legal responsibilities, and other controls, such as understanding the acceptable use of Shoorah Ltd systems and the Code of Business Conduct at Shoorah Ltd.
Awareness training on organizational policies shall also be conducted upon joining and at least once a year thereafter.
Formal information security training shall be provided to employees upon joining and at least once a year thereafter.
Organizational policies and the formal information security training deck shall be available to all employees on a public portal.
The Information Security Officer shall be responsible for ensuring that information security controls are implemented and complied with by all employees.
Termination or Change in Employment
Upon termination, Shoorah Ltd employees shall return/hand over the organization’s assets under their purview.
Upon termination, all access rights and privileges to critical information systems granted to employees or contractors shall be revoked according to the access control policy.
In the case of a change in employment status, access rights and privileges to critical information systems granted to employees and contractors shall be reviewed and adjusted accordingly.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of HR Security Policy. For version history, please see the next page.
Governance Policy
Purpose
The purpose of this Governance Policy is to establish a framework for effective governance within Shoorah Ltd. This policy aims to promote transparency, accountability, and ethical conduct in all operations, ensuring the organisation meets its objectives and complies with applicable laws and regulations.
Scope
This policy applies to all employees, management, and board members of Shoorah Ltd, as well as any stakeholders involved in governance processes.
Definitions
- Governance: The structures, processes, and practices that ensure effective decision-making and accountability within an organisation.
- Board of Directors: The governing body responsible for overseeing the management and strategic direction of Shoorah Ltd.
- Stakeholders: Individuals or groups with an interest in the organization’s activities, including employees, clients, suppliers, and the community.
Policy Statement
Shoorah Ltd is committed to:
- Promoting good governance practices that align with its mission and values.
- Ensuring transparency in decision-making processes.
- Fostering an organizational culture that emphasizes accountability and ethical behaviour.
Governance Structure
- Board of Directors
- The Board of Directors is responsible for the overall governance of Shoorah Ltd, including setting strategic direction and ensuring compliance with legal and regulatory requirements.
- Board members must act in the best interest of the organization and its stakeholders.
- Committees
- The Board may establish committees to focus on specific areas such as finance, audit, risk management, and compliance. Each committee will operate under a defined charter.
- Management
- The management team is responsible for the day-to-day operations of Shoorah Ltd, implementing the strategies set by the Board, and ensuring compliance with policies and procedures.
Roles and Responsibilities
- Board Members
- Attend and actively participate in board meetings.
- Review and approve organisational policies and strategies.
- Monitor organizational performance and risk management.
- Management
- Implement the policies and strategies approved by the Board.
- Report regularly on organisational performance and compliance to the Board.
- Foster a culture of accountability and ethical behaviour within the organization.
- Employees
- Adhere to organisational policies and procedures.
- Report any concerns regarding unethical behaviour or governance issues to management or the Board.
Code of Conduct
Shoorah Ltd expects all employees and board members to adhere to a Code of Conduct that emphasizes integrity, respect, and accountability.
Board members and employees must disclose any potential or actual conflicts of interest. The Board will review all such disclosures and take appropriate action to resolve any conflicts.
Violations of the Code will be taken seriously and addressed promptly.
Risk Management
Shoorah Ltd is committed to identifying and managing risks that may impact its operations. The Board will oversee the development and implementation of a risk management framework.
Communication and Transparency
- Shoorah Ltd will maintain open lines of communication with stakeholders, providing timely and accurate information regarding its operations and governance practices.
- Regular reports on organizational performance, governance practices, and strategic initiatives will be made available to stakeholders.
Review and Revision
This Governance Policy will be reviewed annually or in response to changes in legislation or organizational practices. All amendments must be documented and communicated to relevant stakeholders.
References
- Companies Act
- Relevant local and national governance guidelines
Media Disposal Policy
Objective
Secure disposal of electronic and physical media adds a layer of protection to prevent critical data from being exposed to unauthorized individuals. This policy aims to mitigate the risk of unauthorized data recovery. It demonstrates to customers, Shoorah Ltd staff, and other partners that Shoorah Ltd protects their data even after it has fulfilled its purpose.
Scope
This policy applies to all Shoorah Ltd issued devices or equipment that process, store, transmit, or serve as an access point for any critical data. Specifically, it applies to company-issued laptops/workstations that are being permanently decommissioned.
Policy Statement
To securely dispose of company-issued laptops/workstations, the following steps can be followed:
- Encrypt the entire hard disk using a robust algorithm and a lengthy password.
- Securely delete all information by using software solutions.
- Physically destroy the device through methods such as incineration or shredding.
- It is recommended to use all three methods for extremely critical and sensitive data.
- For data with lower levels of criticality, one of these methods is sufficient.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur within the organization.
End of Media Disposal Policy. For version history, please see the next page.
Medicines Management Policy
Purpose
The purpose of this Medicines Management Policy is to ensure the safe, effective, and efficient use of medications within Shoorah Ltd. This policy aims to protect the health and well-being of all employees and clients by promoting best practices in medicines management.
Scope
This policy applies to all employees of Shoorah Ltd involved in the prescribing, dispensing, administering, or managing of medications, as well as any stakeholders involved in medication management processes.
Definitions
- Medicines Management: The process of prescribing, supplying, and administering medications to ensure that they are used safely and effectively.
- Prescribing: The act of authorising the use of a medication for a patient.
- Dispensing: The preparation and provision of medications to patients.
- Administration: The act of giving a medication to a patient.
Policy Statement
Shoorah Ltd is committed to:
- Ensuring that all medicines are managed in accordance with relevant legislation and best practices.
- Promoting a culture of safety and accountability in medicines management.
- Providing staff with the necessary training and resources to manage medications effectively.
Responsibilities
- Management
- Ensure compliance with all relevant legislation, including the Medicines Act and Health and Safety regulations.
- Provide training and resources for staff involved in medicines management.
- Employees
- Follow the procedures outlined in this policy.
- Report any incidents, errors, or near misses related to medicines management.
- Pharmacists
- Provide expertise in the safe and effective use of medications.
- Assist in the development of policies and procedures related to medicines management.
Procedures
- Prescribing
- Only qualified and authorised personnel may prescribe medications.
- Prescriptions must be clear, legible, and include the patient’s details, medication name, dosage, frequency, and duration.
- Dispensing
- Medications must be dispensed by qualified personnel in accordance with the prescription.
- All dispensed medications must be labelled with the patient’s name, medication name, dosage instructions, and expiry date.
- Administration
- Staff administering medications must verify patient identity and medication details.
- A medication administration record (MAR) must be completed for each dose administered.
- Storage
- Medications must be stored securely and in accordance with manufacturer guidelines.
- Regular checks must be conducted to ensure medications are within their expiry date and stored correctly.
- Monitoring and Review
- Patients’ responses to medications must be monitored regularly.
- Staff should conduct regular audits of medicines management processes to identify areas for improvement.
Training
All staff involved in medicines management must receive training on:
- Relevant legislation and guidelines.
- Safe prescribing, dispensing, and administration practices.
- Procedures for reporting incidents and managing errors.
Incident Reporting
All incidents related to medicines management must be reported immediately to the designated manager. An investigation will be conducted, and appropriate actions will be taken to prevent recurrence.
Review and Revision
This policy will be reviewed annually or in response to changes in legislation or organisational practices. All amendments must be documented and communicated to relevant staff.
References
- Medicines Act
- Health and Safety at Work Act
- Relevant local and national guidelines on medicines management.
Approval
- Policy Approved By: CEO
- Date: October 2024
This Medicines Management Policy is intended to promote the highest standards of safety and efficacy in the management of medications within Shoorah Ltd.
Operations Security Procedure
Objective
The objective of this procedure is to provide guidelines to ensure the operational security of Shoorah Ltd’s services through procedures for backup, change management, logging, and vulnerability management.
Scope
This procedure covers all systems within our production environment. The production environment includes all cloud assets used in hosting and its subdomains.
Operations Security Procedure
Change Management Procedure
Use of Version Control Systems
All software developed in the service of Shoorah Ltd or any subdomain of Shoorah Ltd’s products should be version controlled, i.e., the latest version of our software as well as any previous version of our software is readily available.
Shoorah Ltd uses a decentralized version control system like git for code changes. This allows engineers to work on bug fixes, new feature development, and other independent projects simultaneously. Before synchronizing with the central repository, it is recommended that engineers work on local branches created from an appropriate version of the central repository. All changes must be tested locally before the changes are deployed to users.
Initiating Planned Changes
While developing new features in Shoorah Ltd’s products, it is recommended to start a new feature branch in git. All requirements and specifications of a feature may not be known at the beginning of the development of the feature. One can create new branches of the feature branch to develop sub-features as necessary.
Most feature branches exist on the local systems of developers working on the feature. They need not be synced with the central, company-wide, repository. However, when a feature is considered ready to be used by customers, a pull request is created. Any developer or software engineer can initiate a pull request.
Alternatively, other changes, like network changes, are recommended to be tracked in a ticketing platform where the change, its owner, its approver, its impact, and detailed steps for rollback are well documented.
Approving Planned Changes
A pull request outlines the differences in code that this feature proposes. A pull request has to be reviewed by other peer developers or managers. All pull requests should be reviewed and approved by someone who is not the author of the changes. It is recommended (but not necessary) that a pull request be reviewed by someone who has expertise in the area where the changes are proposed.
Some automated triggers, like tests, can be integrated with pull requests. That is, a pull request might automatically prompt an automated set of tests to run on the changed code, indicating whether it passes some basic safety checks. Other such checks might include code quality, code linting, or code style checks. The results of such checks are recommended to be logged by the change management system.
A similar approach is recommended when using a ticketing system: it should be ensured that every ticket has an owner who raises an approval request to the relevant head.
Before approving and merging a pull request or ticket, the reviewer checks that all prerequisites are met. Typical checks that the reviewer is encouraged to perform are listed below. Not all items in the list are necessary (depending on the type of change), nor is the list exhaustive. Please use your judgment to determine what is necessary, depending on the change at hand. Below are some questions to ask:
- Does the proposed change solve the problem it set out to solve? Are all requirements for solving the problem met? If not, were reasonable trade-offs made?
- Are there any unintended consequences of this change to other parts of the system? Does the change adversely affect any related or unrelated user experience?
- Are there any algorithmic or logical errors in the proposed change?
- Does the proposed change require changes in the environment itself (like adding production environment variables etc)?
- Could the change create performance issues for itself (or other parts of the system)?
- Could the proposed change be achieved in a more extensible, robust, or less disruptive way?
Unplanned Changes
Sometimes, it becomes necessary to apply unplanned changes, like hotfixes, to the production system in order to maintain Shoorah Ltd’s operational effectiveness. This is usually done to address a situation where the production system is in an undesired state – either from a customer-experience standpoint (like critical bugs, system-down, etc.) or from a security standpoint.
Depending on the urgency of the fix required, unplanned changes may skip the requirements of a peer review/approval. Such requests are peer-reviewed post facto.
In such cases, we can create changes in a new branch. For all such cases, the commit and/or pull request messages should detail the nature of the issue being fixed as a result of this change. Unplanned changes follow the same process as planned changes (at least one review or approval from someone who is not the author of the change).
Since we use a version control system, emergency changes can be rolled back if they have unintended or undesirable consequences.
Backup Procedure
Shoorah Ltd shall have a daily full backup configured for all customer data on the infrastructure operated by Shoorah Ltd.
The backup retention period shall be configured to a minimum of 7 days.
Restoration shall be performed on the backup to ensure that data is readable/accessible. This exercise shall be performed at least once every year.
The restoration tests shall be documented. The backup snapshot that was restored shall be documented along with any sanity checks performed to ensure that the restoration was successful.
Restoration tests shall be performed by the administrators of Shoorah Ltd’s production infrastructure along with the Information Security Officer.
In the unlikely event of a natural or human-induced disaster, a disaster recovery plan needs to be in place for the systems to recover from the failure and be up and running. This can be achieved in the form of tabletop exercises which must be carried out by the Engineering Head and the Information Security Officer.
Vulnerability Management Procedure
Shoorah Ltd performs various internal vulnerability scans and package monitoring on a constant basis. The Information Security Officer must ensure that Shoorah Ltd also performs external vulnerability scans/penetration tests periodically.
All vulnerabilities detected by vulnerability scanners are tracked together along with their severity.
It is the responsibility of the Infra operations person to ensure that vulnerabilities are remediated by the engineering team within defined SLAs (Process Config page).
It is important to track the SLAs for the remediation of vulnerabilities. In case an SLA is breached, it is the responsibility of the Information Security Officer along with engineering leads to ensure appropriate actions are taken. For example, if a vulnerability needs more time to remediate, ensure that the justification for the same is documented.
Vulnerabilities that are identified through external assessments may also be tracked along with other vulnerabilities for their closure if required.
The engineering team addresses the reported vulnerabilities and tracks them to resolution. Resolution statuses can include (but are not limited to) the following:
- Fixed: This means that the reported vulnerability has been fixed via a patch or system changes.
- Inaccurate/Incorrect/False-positive: This means that the reported vulnerability has been thoroughly investigated, but found to be invalid.
- Vulnerable but section unused: This means that the reported vulnerability affects parts of the codebase/system that are not in use, and consequently the vulnerability is no longer a threat.
- Acceptable risk: This means that the reported vulnerability has been analyzed and deemed to not pose any debilitating risk to the system. This is a rare-case scenario, and should only occur when there are extenuating circumstances or extremely high remediation costs.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document should be reviewed annually and whenever significant changes occur in the organization.
End of Operations Security Procedure. For version history, please see the next page.
Operation Security Policy
Objective
The objective of this policy is to provide guidelines to ensure the secure processing of Shoorah Ltd’s production infrastructure and ensure there are no disruptions to the availability of Shoorah Ltd’s services through adequate planning, operating procedures, back-up, change management, logging, and vulnerability management.
Scope
This document is applicable to all processes and operations in Shoorah Ltd within the scope of the ISMS.
Policy Statement
Shoorah Ltd shall take adequate precautions and design appropriate controls to prevent misuse of its information assets and ensure that any operational activities at Shoorah Ltd do not affect the confidentiality, integrity, and availability of Shoorah Ltd’s services. In this regard, Shoorah Ltd shall ensure to maintain the appropriate level of information security, minimize risks of system failures, protect the integrity of software and information, maintain the integrity and availability of information, protect information in networks and infrastructure, prevent unauthorized disclosure, manage technical vulnerabilities, maintain security of information and software exchanged and detect any unauthorized activities.
Operations Security Policy
Change Management
Formal change management procedures shall be established to ensure controlled changes of all critical elements that affect information security which may include but are not limited to software, production infrastructure, network devices, configurations, and documented policies and procedures.
It is recommended that the procedure should consider how to handle scheduled and emergency changes.
All changes shall be recorded, approved, and tested before being implemented.
It is essential to have all the changes, along with approvals, recorded in centralized systems like version control systems or ticketing tools.
The requestor, reviewer/approver, and implementer’s responsibilities for addressing the change shall not rest with the same user to ensure segregation of duties.
Changes should be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimize the effect on the relevant business process, assess its impact on operations and security, and verify that only intended and approved changes were made.
The production environment shall be separated from other environments to reduce the risks of unauthorized access or changes to the operating system.
Modifications to vendor-supplied products should be discouraged. Vendors must be intimated if a change is warranted to obtain system patches/releases and ensure that security and functionality features are not impacted. The original software shall be retained, and changes shall be documented.
Capacity Management
Critical parameters and their thresholds shall be monitored for all critical infrastructure elements and software(s) at periodic intervals to ensure required performance levels and availability.
Capacity planning shall take into account current and projected trends in the organization’s information-processing capabilities.
System monitoring shall be enabled to ensure and, where necessary, improve the availability and efficiency of systems. Detective controls like alerts or alarms shall be put in place to indicate problems in due time.
Configuration Management
Configuration baselines for critical infrastructure and software should be established and documented where required. Such baselines include server hardening, end-point device hardening, firewall, and network device configurations. It is the decision of the organization whether such documentation is required or not.
Any change to existing configurations of all production infrastructure, network devices, and firewall configurations must always follow the change management process and must be approved before such configuration changes are made.
If the baselines are documented, any change must be approved and appropriately documented. It is recommended to follow the change management process for such a change.
Clock synchronization configurations should be taken care of across all cloud infrastructure, cloud services, and endpoints. It is recommended to ensure they are synced depending on time zones to ensure that integrity and traceability of data are maintained.
Backups
All original customer data on the infrastructure operated by Shoorah Ltd should be backed up.
The frequency of such backups should be decided based on the risk considered to the organization and service level commitments made to customers and stakeholders.
A backup restoration exercise must be performed to ensure that the backup data is readable and usable in case of any emergency or disaster.
Backups must be stored at a redundant location outside the production environment itself. The number of such redundant locations should be decided based on perceived operational risks.
In case Shoorah Ltd has any on-premise production servers and data, if required, appropriate procedures to take backups on physical media and a procedure to store it at offsite locations must be considered to minimize risks.
Relevant documented processes/procedures shall be created and followed to meet the business requirements. The process/procedures shall define the following:
- Frequency for taking backup and testing of backup through a restoration process.
- Data to be backed up.
- Type of backup (incremental, differential, full).
- The testing procedure for ensuring that the backup media can be relied upon in an emergency. Backup data shall be periodically restored, and the results shall be recorded. If the restoration test fails, the data owner should be notified regarding the same. Root cause analysis for such failure should be carried out.
- Instructions to restore in case of an actual disaster.
- The retention period for backup.
Logging and Monitoring
Infrastructure elements and software used for Shoorah Ltd’s operations should be configured, where feasible, to capture security-relevant logs (e.g., use of privileged accounts like root and administrator accounts, system failures, policy violations, unauthorized access attempts, logging of firewall traffic).
Such monitoring and logging activities shall also consider information requirements for logging prescribed under legal and contractual requirements, if any. Evidence shall be collected, retained, and presented where legal actions are required following an information security incident or regulatory information provision.
Logs shall be securely maintained for a minimum period stipulated as per applicable laws and regulations to provide support for investigations of incidents.
Logging facilities and log information shall be protected against tampering and unauthorized access.
Control of Operational Software
Shoorah Ltd does not allow the installation of any other software on our production infrastructure.
Technical Vulnerability Management
There shall be a documented procedure for technical vulnerability management.
Timely information about technical vulnerabilities in infrastructure elements and software(s) being used shall be obtained from trusted sources.
Where possible, tool-based vulnerability scans shall be carried out for all critical infrastructure elements and software(s).
Once every year, it is recommended to have a vulnerability assessment performed by a 3rd party vendor.
Timelines shall be defined for responding to identified/reported technical vulnerabilities.
Information obtained regarding vulnerability shall be evaluated to assess risk to Shoorah Ltd’s infrastructure. The evaluation shall take into consideration the following:
- Vendor/tool reported criticality (e.g., high, medium, and low).
- Likelihood of the vulnerability being exploited (e.g., the existence of a known exploit or other malicious code that uses the vulnerability as an attack vector).
The identified risk shall be categorized as per the severity of the risk (e.g., High, Medium, and Low).
If the vulnerability closure requires patch deployment, the patch must be tested in a test environment before deployment to the production environment.
The system shall be checked to verify that the patch has not affected any of the existing functionality.
For high-risk vulnerabilities, after applying the patch/solution, a check shall be performed to ensure that the vulnerability has been closed.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Operation Security Policy. For version history, please see the next page.
Organization of Information Security Policy
Objective
The objective of this document is to define an Information Security Management System (ISMS) governance framework within which the security organizational structure is identified, and information security roles, responsibilities, and authorities are assigned to ensure the segregation of duties. This policy is established to initiate and control the implementation of information security within the organization.
Scope
This document is applicable to all processes and operations within Shoorah Ltd that fall within the scope of the Information Security Management System (ISMS) (refer to the definition in Section 3 of the Information Security Policy).
Policy Statement
The responsibilities for information security at Shoorah Ltd will be clearly defined through job descriptions and task delegation. The Information Security Officer will approve the information security policy and standards. Responsibilities include identifying information assets, classifying them, implementing controls, and reviewing user access privileges. Segregation of duties and appropriate contact with authorities and special interest groups are emphasized. Information security will be integrated into project management, and precautions for mobile devices and teleworking shall be outlined.
Operations Security Policy
Information Security Roles and Responsibilities
All information security responsibilities related to the protection of Shoorah Ltd’s sensitive information, information systems, and information processing facilities shall be clearly defined through job descriptions, work allocation, and task delegation.
The Information Security Officer shall approve the information security policy.
The Information Security Officer shall approve the standards, procedures, templates, and guidelines. The defined information security responsibilities shall be formally allocated and accepted across the organization. These responsibilities shall include:
- Identifying the information assets and the security processes associated with each asset.
- Defining and documenting the asset ownership, level of responsibility, and authorization levels.
- Classifying, labeling, and handling information assets in accordance with Shoorah Ltd Data Classification Policy.
- Identifying and implementing controls necessary to adequately protect assets.
- Reviewing and approving user access privileges in accordance with the Access Control Policy & Procedure.
Segregation of Duties
Segregation of duties should be considered before assigning roles to carry out business activities to reduce opportunities for deliberate or accidental misuse of infrastructure elements or software. For example, the ability to initiate, authorize, execute, and verify requests should be split so that no one person completes the entire request.
Where segregation of duties is not possible, appropriate compensatory controls such as activity monitoring, audit trails, and management supervision shall be developed to detect misuse of access rights.
When primary personnel are unavailable due to illness, vacation, or a leave of absence, and another person with a different role fills in, appropriate segregation or compensatory controls shall be considered.
Contact with Authorities
Appropriate contacts shall be established with law enforcement authorities, regulatory bodies, third-party vendors, hardware vendors, software vendors, and office security providers.
Contact with Special Interest Groups
The objective of this guideline is to ensure that Shoorah Ltd maintains appropriate contact with special interest groups and authorized information security forums to receive and distribute updates on new vulnerabilities, security threats, regulations, or risks pertaining to its business.
The Information Security Officer at Shoorah Ltd will ensure that contacts with Special Interest Groups are maintained in the interest of Shoorah Ltd’s security posture. The Information Security Officer shall consider maintaining contacts with special interest groups including, but not limited to, the following types:
- Special Security Forums: These forums enhance the security of communications and information infrastructure through proactive action and effective collaboration with other security bodies. These forums issue security guidelines and advisories and share information relating to the latest changes in information security. These forums help in reporting local problems.
- Security Advisories: Security advisories provide objective, timely, and comprehensive information about security threats and vulnerabilities. An example could be certain security advisory websites.
- Application Vendors/suppliers: Contacts with vendors/suppliers for applications used within the Shoorah Ltd environment should be maintained to ensure that the latest threats and vulnerabilities applicable to these applications are addressed.
- Other institutions that can help in solving security issues.
The Information Security Officer shall be associated with the above companies/institutions with the objective to:
- Get updates on new vulnerabilities, security threats, and regulations pertaining to the telecom industry.
- Improve knowledge and keep up-to-date with relevant security information.
- Ensure that the understanding of the information security environment is current and complete.
- Receive early warnings of alerts, advisories, and patches pertaining to attacks and vulnerabilities.
- Gain access to specialist information security advice.
- Share and exchange information about new technologies, products, threats, or vulnerabilities.
Information Security in Project Management
Information security shall be integrated into Shoorah Ltd’s project management methods to ensure that information security risks are identified and addressed as part of projects.
Information security implications shall be taken care of regularly in all projects.
Mobile Devices & Teleworking
Mobile Device Policy
When traveling (in cars, hotels, conferences, meeting rooms, and public places), employees shall take reasonable precautions to protect their laptops as much as possible from damage, theft, and eavesdropping. If left unguarded, the laptop should be concealed as far as possible (e.g., locked in the trunk/boot of the car). Normally an unattended laptop should be in shutdown mode, and an unattended laptop should never be accessible without password protection.
The loss of a laptop/mobile device must be reported immediately to the HR Team or the Project Manager.
An employee may not make any alterations that circumvent the security mechanisms of Shoorah Ltd for their laptop. In addition to disciplinary measures, the employee may also be charged for the costs incurred by Shoorah Ltd if the laptop is damaged through unacceptable manipulation. Unacceptable manipulation includes, for example:
- Autonomous set-up of unauthorized Internet connections.
- Switching off the virus scanner, particularly with an open connection to the Internet.
- Misusing privileges granted to enable certain business functions.
Users are responsible for maintaining the confidentiality, integrity, and availability of the information on their mobile computing devices.
The Information Security Officer shall ensure that all endpoints with access to the production infrastructure have antivirus software installed.
Teleworking
Employees shall take all necessary precautions to secure information and equipment in their homes, prevent unauthorized access to any system or information and comply with the ‘Acceptable Usage of Assets’ policy.
Shoorah Ltd’s equipment must be protected against damage and unauthorized use. Employees need to designate a safe workspace at home that is free from hazards. Safeguards should be applied to protect records from unauthorized disclosure or damage. Wherever applicable, all records, papers, and correspondence should be safeguarded for their return to the office.
Revocation of authority, access rights, and return of equipment should occur when teleworking activities cease or when the employee exits from Shoorah Ltd.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Organization of Information Security Policy. For version history, please see the next page.
Physical & Environmental Security Policy
Objective
The purpose of this policy is to establish the guidelines by which physical and environmental security is managed for ISMS scope systems.
Scope
This document is applicable to all processes and operations in Shoorah Ltd within the scope of the ISMS.
Policy Statement
- Shoorah Ltd is a cloud-native company, and all our production infrastructure, including data storage, should be secured and managed by our cloud infrastructure service provider. We must rely on the physical security measures adopted by cloud service providers to ensure the security, availability, and confidentiality of our production systems.
- Further, no production servers or customer data should be hosted within our premises. As a result, the physical security of our office premises is not critical to ensure the security, availability, and confidentiality of customer data.
- Hence the risk has been transferred to the infrastructure provider to ensure the security, availability, and confidentiality of Shoorah Ltd’s production systems and customer data.
- Physical security of the premises where we work continues to be essential, and the following steps are taken to secure the same:
- Visitors: Shoorah Ltd staff may invite visitors to the office premises for business reasons or during pre-specified times for social reasons. In such cases, the staff members are responsible for the visitor’s actions and always need to escort their visitors. As a general principle, do not invite anyone you do not trust or know to the office. Shoorah Ltd Staff members who spot unauthorized visitors should either ask the unauthorized person to leave or refer the issue to management.
- Clean desk: Ensure that no classified customer data, security keys/passwords, etc., are written on whiteboards or unattended notepads, etc.
- Printing: Printing of customer classified data, security keys, passwords, etc., is prohibited.
- Removable media: Use of removable media to transfer sensitive customer data is not allowed on laptops used by Shoorah Ltd staff to perform their work.
- Shoulder surfing: Shoorah Ltd allows you to work outside the office premises. Should you find yourself working from a public place (like a coffee shop or airport), you should be aware of shoulder surfing.
- Local laws: We must abide by local laws regarding fire safety, display of licenses, etc.
Working Remotely
Shoorah Ltd Staff who work remotely should follow these rules:
- When working remotely, the security of the device you use to perform your work is your responsibility.
- For instance, your equipment should be in your presence, screen locked, or be stored securely.
- Please follow the organization’s endpoint protection and encryption standards for any equipment (company provided or otherwise) used to perform your work.
- Protect the confidentiality, security, and privacy of our customers’ data by ensuring that unauthorized people may not view, overhear, or otherwise have access to such data. For example, be aware of “shoulder surfing” when working in public places like coffee shops or airports.
All remote work must be performed in a manner consistent with Shoorah Ltd’s information security policies.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document is to be reviewed annually and whenever significant changes occur in the organization.
End of Physical & Environmental Security Policy. For version history, please see the next page.
Safeguarding Policy
Purpose
The purpose of this Safeguarding Policy is to ensure the safety, health, and well-being of all individuals associated with Shoorah Ltd, including employees, contractors, clients, and stakeholders. This policy aims to prevent harm and promote a culture of vigilance and responsibility.
Scope
This policy applies to all employees, contractors, volunteers, and stakeholders of Shoorah Ltd across all locations and activities.
Policy Statement
Shoorah Ltd is committed to safeguarding the welfare of all individuals and ensuring a safe environment free from abuse, exploitation, and neglect. We recognize our responsibility to promote the safety and well-being of everyone involved with our organization.
Definitions
- Safeguarding: Protecting individuals from abuse, harm, and neglect, and ensuring their welfare.
- Abuse: Any action that causes harm or distress, including physical, emotional, sexual abuse, and neglect.
Roles and Responsibilities
- Management: Ensure the implementation of this policy and provide training and resources for safeguarding.
- Designated Safeguarding Officer (DSO): A designated individual responsible for safeguarding matters, including reporting concerns and coordinating responses.
- Employees and Contractors: All staff members are required to be aware of safeguarding practices and report any concerns regarding the safety of individuals.
Recognising Abuse and Harm
Employees should be aware of the signs of abuse and harm, which may include:
- Unexplained injuries or changes in behavior.
- Withdrawal from social interactions or activities.
- Fear of certain individuals or situations.
Reporting Procedures
- Reporting Concerns: Any employee who suspects abuse or harm must report their concerns immediately to the DSO or their manager.
- Confidentiality: All reports will be treated with the utmost confidentiality, and the identity of the individual making the report will be protected.
- Investigation: Reports will be investigated promptly and fairly, following appropriate procedures to ensure safety and well-being.
Training and Awareness
- Employee Training: Regular safeguarding training will be provided to all employees to ensure they understand their responsibilities and the procedures for reporting concerns.
- Awareness Campaigns: Ongoing awareness initiatives will promote safeguarding practices and ensure that all stakeholders are informed.
Safe Recruitment Practices
- Background Checks: All employees and volunteers working with vulnerable individuals will undergo background checks and vetting procedures to ensure their suitability for their roles.
- Interviews and References: Thorough interviews and reference checks will be conducted as part of the recruitment process.
Monitoring and Review
- Policy Review: This policy will be reviewed annually to ensure it remains relevant and effective in safeguarding individuals.
- Feedback Mechanisms: Employees are encouraged to provide feedback on safeguarding practices and report any concerns regarding the policy’s implementation.
Approval and Implementation
This policy is approved by the Senior Management Team and is effective as of October 2024. All employees are expected to comply with this policy and contribute to a safe and secure environment.
Conclusion
Shoorah Ltd is dedicated to safeguarding the welfare of all individuals associated with the organization. This Safeguarding Policy serves as a framework for protecting individuals from harm and ensuring a safe environment for everyone.
SDLC Procedure
Objective
This procedure discusses the objectives, the roles, the process flow, and the artifacts required in a typical software development life cycle. It provides an overview of how the process is adopted throughout various stages of a product and provides guidelines for secure development activities within Shoorah Ltd.
Scope
This document focuses on the development process for the Shoorah Ltd products. This document is to be followed by all Shoorah Ltd staff members, sub-contractors, and partners involved in software product development.
Engineering Team Responsibilities
- The Engineering Team shall be responsible for:
- Following the guidelines in this document.
- Tracking bugs/weaknesses/tools (as applicable).
- Assisting third-party vendors in conducting Vulnerability Assessments/Penetration Testing.
- The Engineering Head shall be responsible for:
- Analyzing new technology for security risks and known attack patterns.
- Ensuring all members of the Engineering Team read and understand the process flow and follow the guidelines.
Process Description
Security Requirements for Information Systems
Information Security Requirements Analysis & Specification
The main objective of defining a standard process for product development is to ensure cost-effective and timely development, delivery, and deployment of a high-quality, differentiated product that brings tangible and sustained value for Shoorah Ltd customers. The following objectives are measured to ensure the effectiveness of the process:
High Quality:
Software produced with a lower defect count in all development, testing, and delivery cycles.
Metrics: Measure and utilize information on defects/module, defects by severity, defects by priority, and defects by different phases of development.
On-time delivery:
Ability to meet the specified delivery dates in every release.
Metrics: Measure the percentage of progress against planned task hours spent in every iterative phase of a product release.
Software Development Life Cycle
The Software development life cycle shall include all of the listed stages – Requirement Gathering, Design, Development, Testing, Implementation, Operations, and Maintenance.
Requirement Gathering Stage
For each new feature being planned to any software or for changes to existing features, the high-level requirements should be documented by the Product team in consultation with business users. The output of the requirement gathering will form inputs for the Design team.
Where required, it is the responsibility of the Product team to ensure the high-level requirements are detailed into low-level/functional requirements to better facilitate the subsequent tasks of design and development.
Design Stage
The Design team is responsible for detailing the UI and UX flows for the requirements shared by the Product team. These details are important inputs for the Engineering team to plan out their development activities.
Development Stage
The inputs from the Product team and Design team form the basis for planning of the development stage.
Team leads in the engineering team are responsible for breaking down the requirements into tasks and ensuring all engineers are aware of the tasks assigned to them.
The engineers are responsible for following secure coding practices for development. They should also ensure that they use the latest code libraries and fix any code-level vulnerabilities.
All development activities should be facilitated by appropriate version control systems to ensure the latest version of code is used for development.
It is the responsibility of the Engineering Head and Infosec officer to ensure the development environment is segregated from the staging and production environments.
Testing Stage
All features shall be tested after the development is done.
The testing should be performed by any user apart from the developer to ensure segregation of duties. Testing is recommended to confirm that the software is working as intended.
The Engineering Head and Information Security Officer must ensure that testing happens in a staging environment which is different from the development environment and production environment.
Only after adequate testing is completed, the deployment process should commence.
Deployment Stage
Any deployment should follow the change management process. It is essential that all deployments are tracked via a version control system or ticketing tool.
All deployments/changes must be approved before merging with production code by an independent engineer who is different from the author to ensure segregation of duties.
Maintenance Stage
The engineering team must facilitate the reporting of any errors or bugs identified by the end users. All such errors/bugs must be tracked.
Any changes related to bug fixes must follow the change management process.
Security in Development & Support Processes
Implementing Change Management & Vulnerability Management Procedure
Change management procedure shall be followed for changes to existing systems or the introduction of new systems. Any change made to the system is tested before implementing it. A list of changes made is recorded. Records of testing, updates, and results are documented.
New releases/patches pertaining to the production server shall be tested before being implemented in the production environment to ensure that there is no adverse impact on operation, application controls, or security. In case of any exceptions due to technical limitations, approval shall be taken from the Engineering Head or respective team leads.
Where feasible, automated scanners are used to identify code-level or network-level vulnerabilities, and fixing such vulnerabilities must follow the vulnerability management procedure.
Pull requests/change requests need to be reviewed by a peer or manager prior to merging.
The application functionalities shall be reviewed to ensure that they have not been compromised by the platform changes (as applicable).
Previous version(s) of the software shall be retained as a contingency measure in case a rollback is required.
Restrictions on Changes to Software Packages
Changes or modifications for vendor-supplied software packages shall be adequately controlled and limited to personnel involved in the implementation of the change/modification based on peer approvals.
Test Data
It is the responsibility of product, design, and engineering teams to avoid using any PII data to perform testing. Testing must always be performed using dummy data.
Document Security Classification
Company Internal (please refer to the Data Classification policy for details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Software Development Lifecycle Procedure. For version history, please see the next page.
Vendor Management Policy
Objective
This procedure discusses the objectives, the roles, the process flow, and the artifacts required in a typical software development life cycle. It provides an overview of how the process is adopted throughout various stages of a product and provides guidelines for secure development activities within Shoorah Ltd.
Scope
This policy applies specifically to vendors whose services are critical to the operational integrity and availability of Shoorah Ltd’s services to its customers or with whom critical data is shared.
Policy Statement
Shoorah Ltd is committed to exercising caution when sharing critical data with third-party vendors. It is essential to recognize that each instance of data shared with a vendor expands the potential attack surface of that data. Given our reliance on multiple third-party services, there is a need to share specific data. This policy establishes a deliberate process for evaluating critical third-party vendors, ensuring we maintain the highest data security and risk assessment standards.
Vendor Management
Information Security in Vendor Relationships
Information security requirements for mitigating the risks associated with the vendor’s access to Shoorah Ltd’s assets shall be agreed upon with the supplier and documented in the form of agreements or contracts.
Resilience and, if necessary, recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party shall be defined within these agreements or contracts.
For third-party personnel who have access to Shoorah Ltd’s assets, it is essential that they acknowledge the latest version of Shoorah Ltd’s information security policies.
Security controls and service levels specified in the contracts or agreements shall be implemented, operated, and maintained by the vendor.
Contracts/Agreements shall include information security requirements to ensure compliance with Shoorah Ltd’s security policies and procedures.
Non-Disclosure / Confidentiality agreements to protect Shoorah Ltd’s information assets shall be signed by vendors, third parties, contractors, and subcontractors of the vendors, as applicable.
Vendor Risk Assessments and Service Delivery Reviews
A list of all vendors – those critical to Shoorah Ltd’s services and those with whom critical data is shared – needs to be maintained.
For each vendor in the list, a vendor assessment shall be performed of their risk/criticality to Shoorah Ltd’s services and the sensitivity of data shared.
Where required, Shoorah Ltd may also perform reviews of vendor’s services through periodic review calls or audits of vendors. Please note that this may only be required in extreme cases.
Review Vendors and Managing Changes to Vendor Services
Periodic reviews of the list of vendors and their risk assessment shall be performed at least annually.
It is the responsibility of the managers of business functions always to keep the Information Security officer informed of any changes in vendors or the level of service that a particular vendor is providing.
All such changes shall be accompanied by a review or update of the list of vendors as applicable and a re-assessment of risks.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Vendor Management Policy. For version history, please see the next page.
System Acquisition and Development Lifecycle Policy
Objective
The objective of this policy is to provide a framework to ensure that software development activities performed in Shoorah Ltd are aligned with integrated information security considerations throughout the development lifecycle. Shoorah Ltd is committed to developing robust systems which are reliable while ensuring that security is an integral part of information systems throughout all phases of acquisition, development, and maintenance.
Scope
This document focuses on the development process for the software products developed or acquired by Shoorah Ltd. This document is to be followed by all Shoorah Ltd employees, sub-contractors, and partners who participate, either wholly or partially, in the product development process.
Policy Statement
Shoorah Ltd shall ensure that security is integral to its information systems throughout all phases of the acquisition, development, and maintenance life cycle. Security should be considered at every stage of an information system’s life cycle (e.g., feasibility, planning, development, implementation, maintenance, retirement, and disposal) to:
- Ensure conformance with all appropriate security requirements
- Protect enterprise data throughout its life cycle of system development
- Prevent the introduction of new risks when the system is modified
- Ensure proper removal/disposal of data when the system is retired
System Acquisition, Development & Maintenance
System Development Life Cycle
Security shall be considered and included in all phases of the Software development lifecycle, including Requirement analysis, Design, Development, Testing, Implementation, Operations, and Maintenance.
Requirement Gathering
Security and privacy requirements needed for the new product or application shall be defined at the requirements definition stage. Legal and regulatory implications and security requirements related to confidential data collection and usage done by the proposed system shall be considered.
Shoorah Ltd shall consider requirements for ensuring the reliability and availability of information systems. Where availability cannot be guaranteed using existing architecture, redundant components or alternative architectures should be considered.
System Design
It is important to identify threats and potential vulnerabilities early in the design phase of the software lifecycle. Areas of system misuse and ways in which protective measures could be bypassed shall be identified.
The operating environment, internal and external interfaces of the system, sub-systems and components, data input and output from these sub-systems, and how the components of the software work together should be identified.
Software shall be designed to operate with minimum privileges necessary.
Application permissions, privileges, and access controls shall be designed to strictly adhere to the user roles defined.
System Development
Shoorah Ltd shall establish a separate development environment, which is physically and logically isolated from the production environment and shall appropriately protect the development environment.
During system development, developers shall be instructed to observe caution in the below areas:
- Check the validity of incoming data
- Check the validity of outgoing data
- Adhere to memory management best practices
- Secure practices during authentication and session management
- Use best practices for errors and exception management
Source code shall be protected from unauthorized access and source code version shall be controlled using automated mechanisms
Security in Development & Support Processes
Secure Application Development Principles
As a part of secure development principles, Shoorah Ltd shall consider:
- Best practices and latest libraries for each programming language used.
- Security in the application version control and code repository.
- Training developers on the secure coding aspects.
- Ensure developers’ capability of avoiding, finding, and fixing vulnerabilities wherever possible.
Security Requirements for Information Systems
Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.
The introduction of new systems and major changes to existing systems should follow a formal process of documentation, specification, testing, managed implementation, and quality control.
This process should include an analysis of the impacts of changes and the specification of security controls needed.
This process should also ensure that existing security procedures are not compromised, and that support programmers are given access only to those parts of the system necessary for their work, and that formal agreement and approval for any change is obtained. During change control procedures the following diligence is to be considered:
- Ensuring changes are submitted by authorized users.
- Reviewing controls and integrity procedures to ensure that they shall not be compromised by the changes.
- Identifying all software, information, database entities, and hardware that requires amendment.
- Identifying and checking critical code to minimize the likelihood of known security weaknesses.
- Ensuring authorized users approve changes prior to implementation.
- Ensuring that the system documentation is updated on the completion of each change, wherever applicable.
- Maintaining version control for all software updates.
- Maintaining a record of all change requests.
- Ensuring that Standard Operating Procedures and user manuals are changed as necessary to remain appropriate, as applicable.
- Ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved.
Testing of new software should be done in an environment segregated from both the production and development environments. The tests should include patches, service packs, and other updates.
Automated updates should not be used on critical systems as some updates can cause critical information systems to fail.
Where automatic updates are considered, the risk to the integrity and availability of the system should be weighed against the benefit of speedy deployment of updates.
Technical review of applications after operating platform changes.
When underlying operating platforms are changed, business-critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
As far as possible and practicable, vendor-supplied software packages should be used without modification. Where a software package needs to be modified, the following points should be considered:
- The risk of built-in controls and integrity processes being compromised.
- Whether the consent of the vendor should be obtained.
- The possibility of obtaining the required changes from the vendor as standard program updates.
- The impact if the organization becomes responsible for the future maintenance of the software as a result of changes.
- Compatibility with other software in use.
If changes are necessary, the original software should be retained, and the changes applied to a designated copy.
A software update management process should be implemented to ensure the most up-to-date approved patches and application updates are installed for all authorized software.
All changes should be fully tested, so that they can be reapplied, if necessary, to future software upgrades. If required, the modifications should be tested and validated by an independent evaluation body.
Secure Engineering
Security system engineering principles include security at all the architecture layers (business, data, applications, and technology), balancing the need for information security with the need for accessibility.
New technology should be analyzed for security risks and the design should be reviewed against known attack patterns.
Systems should be regularly reviewed to ensure that they remain up to date to address any new potential threats and be scalable. Security engineering principles should be applied, where applicable, to outsourced information systems through the contracts and other binding agreements between the organization and the third party to whom the organization outsources.
Establishing Secure Development Environments
The Engineering Team should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle.
A secure development environment includes people, processes, and technology associated with system development and integration. The Engineering Team should assess risks associated with individual information system development efforts and provide requirements for secure development environments for specific system development efforts, considering:
Sensitivity of data to be processed, stored, and transmitted by the system.
Applicable external and internal requirements, e.g., regulations or policies.
Security controls already implemented by Shoorah Ltd that support information system development.
Trustworthiness of personnel working in the environment.
Degree of outsourcing associated with system development.
The need for segregation between different development environments.
Control of access to the development environment.
Backups should be stored at secure offsite locations.
Control over the movement of data from and to the environment.
System Testing
- New and updated systems require thorough testing and verification during the development processes, including the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions.
- For in-house developments, such tests should initially be performed by the Engineering Team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected. This testing should be performed before making the change in the production environment.
- The extent of testing should be decided by the Engineering Team in concurrence with business requirements considering the importance and nature of the system.
- The testing should also be conducted on integrated systems. The Engineering team can leverage automated tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of defects.
- Testing should be performed in a test environment to ensure that the Information system shall not introduce vulnerabilities to the Shoorah Ltd environment and that the tests are reliable.
Test Data
- The use of operational data containing personally identifiable information or any other confidential information for testing purposes should be avoided.
- If personally identifiable information or otherwise confidential information is used for testing purposes, all sensitive details and content should be protected by removal or modification.
- The following guidelines should be applied to protect operational data when used for testing purposes:
- The access control procedures, which apply to production application systems, should also apply to test application systems.
- Operational information should be erased from a test environment immediately after testing.
- The copying and use of operational information should be logged to provide an audit trail.
Document Security Classification
Company Internal (please refer to the Data Classification policy for more details).
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of System Acquisition and Development Lifecycle Policy. For version history, please see the next page.
Significant Events Policy
- Purpose
This policy outlines the procedures for identifying, managing, and responding to significant events that may affect Shoorah Ltd’s operations, reputation, or stakeholder relationships.
- Scope
This policy applies to all employees, departments, and operations of Shoorah Ltd. It covers events such as natural disasters, cyber incidents, regulatory changes, and any incidents affecting safety or security.
- Definition of Significant Events
A significant event is defined as any occurrence that:
- Disrupts business operations.
- Impacts employee safety or well-being.
- Affects customer satisfaction or service delivery.
- Has the potential to harm the company’s reputation or financial standing.
- Requires communication with stakeholders, including media, clients, and regulatory bodies.
- Identification of Significant Events
- Monitoring: Continuous monitoring of internal and external factors that may indicate potential significant events.
- Reporting: Employees must report any incidents that could be classified as significant to their immediate supervisor or designated crisis management team member.
- Response Procedures
- Assessment: Upon identification of a significant event, a preliminary assessment will be conducted to evaluate the severity and potential impact.
- Crisis Management Team Activation: If the event is deemed significant, the Crisis Management Team (CMT) will be activated. The CMT will consist of:
- Senior Management
- HR Representative
- Communications Officer
- IT Support (if applicable)
- Action Plan Development: The CMT will develop a response plan, which may include:
- Communication strategy.
- Operational adjustments.
- Resource allocation.
- Communication Protocols
- Internal Communication:
- Inform all employees about the event, response actions, and any necessary changes in procedures.
- External Communication:
- Designate a spokesperson to handle media inquiries.
- Prepare official statements for clients, stakeholders, and the public, as necessary.
- Feedback Loop: Establish channels for ongoing communication with employees and stakeholders throughout the event.
- Documentation and Review
- Record Keeping: Document all significant events, responses, and outcomes for future reference.
- Post-Incident Review: Conduct a review after the event to assess the response effectiveness and identify areas for improvement.
- Training and Awareness
- Employee Training: Provide training on recognizing and reporting significant events.
- Drills: Conduct regular drills to practice response procedures.
- Policy Review
This policy will be reviewed annually or as needed based on changes in the business environment or operational needs.
- Approval and Implementation
This policy is approved by [Approving Authority] and is effective as of [Effective Date]. All employees are expected to comply with this policy.
Conclusion
Shoorah Ltd is committed to effectively managing significant events to minimize their impact and ensure a swift return to normal operations. This policy serves as a framework for preparedness and response.
Training and Development Policy
- Purpose
The purpose of this policy is to establish a framework for the training and development of employees at Shoorah Ltd. It aims to enhance skills, improve performance, and support career growth while aligning individual development with the company’s strategic objectives.
- Scope
This policy applies to all employees of Shoorah Ltd across all departments and levels.
- Policy Statement
Shoorah Ltd is committed to fostering a culture of continuous learning and professional development. We believe that investing in our employees’ skills and knowledge is essential for personal growth and the overall success of the organization.
- Training and Development Objectives
- Enhance employee competencies and job performance.
- Foster a culture of continuous learning and improvement.
- Support career advancement and succession planning.
- Ensure compliance with legal and regulatory requirements.
- Encourage innovation and adaptability to change.
- Types of Training and Development
- Orientation and Onboarding: Comprehensive introduction for new employees to familiarize them with company policies, culture, and job responsibilities.
- Technical Skills Training: Job-specific training to enhance employees’ technical competencies.
- Soft Skills Development: Training on communication, teamwork, leadership, and problem-solving skills.
- Compliance Training: Programs to ensure understanding of legal, ethical, and regulatory standards relevant to the industry.
- Leadership Development: Initiatives to prepare employees for management and leadership roles.
- Training Needs Assessment
- Performance Reviews: Annual performance evaluations will identify individual training needs and career aspirations.
- Feedback Mechanisms: Employee feedback and management input will be used to determine training priorities and gaps.
- Training Delivery Methods
- In-House Training: Workshops, seminars, and courses conducted by internal trainers or subject matter experts.
- External Training: Participation in external workshops, conferences, and courses.
- E-Learning: Access to online training platforms and resources for self-paced learning.
- Mentorship Programs: Pairing employees with experienced mentors for guidance and support.
- Budget and Resources
Shoorah Ltd will allocate a specific budget for training and development initiatives annually. Resources will be made available to ensure employees can access necessary training opportunities.
- Employee Responsibilities
Employees are encouraged to take an active role in their own development by:
- Identifying training needs and discussing them with their managers.
- Participating in available training programs and applying learned skills on the job.
- Seeking feedback to enhance performance and development.
- Monitoring and Evaluation
- Training Effectiveness: Regular assessments will be conducted to evaluate the effectiveness of training programs and their impact on employee performance.
- Policy Review: This policy will be reviewed annually to ensure it remains relevant and effective in meeting the needs of employees and the organization.
- Approval and Implementation
This policy is approved by the Senior Management Team and is effective as of October 2024. All employees are expected to adhere to this policy and participate in training and development initiatives.
Conclusion
Shoorah Ltd is dedicated to the continuous growth and development of its employees. This Training and Development Policy provides a structured approach to ensure that all employees have the opportunity to enhance their skills and advance their careers while contributing to the overall success of the organization.