Data Protection & Technical Measures

LHA Housing Group Limited (LHA)
Company No. 13694292
Last updated: 17 Feb 2026

This document summarises the organisational and technical measures used by LHA Housing Group Limited (“we”, “us”, “our”) to protect personal data processed via our CRM, tenant portal and contractor portal (“the system”). It is intended for internal reference, auditors and partners.

1. Governance & Responsibilities

  • The Board / Senior Management are responsible for overall data protection governance.
  • Operational leads are responsible for ensuring staff use the system in line with this policy.
  • All users are required to follow our access, password and acceptable-use rules.

2. Hosting & Infrastructure

The application and database are hosted on infrastructure provided by Hostinger (web hosting plan). Hostinger provides:

  • Data centres with physical security, environmental controls and access restrictions
  • Network security controls, firewalls and separation between customer environments
  • HTTPS support and TLS certificates for encrypted connections
  • Regular platform patching and infrastructure monitoring

Application files and uploaded documents (e.g. tenant and contractor uploads) are stored on Hostinger’s servers in structured directories.

3. Application Security

3.1 Authentication & Access Control

  • Separate portals for staff, tenants and contractors with independent logins
  • Role-based access control (e.g. Administrator, Manager, Staff, Tenant, Contractor)
  • Tenant and contractor accounts are scoped so they only see data related to their own records
  • Administrative actions are restricted to authorised staff accounts only
  • Optional two-factor authentication is implemented for staff access
  • Session-based authentication with server-side checks on each request

3.2 Password & Credential Handling

  • Passwords are stored using modern one-way hashing; plain-text passwords are never stored
  • Contractor and tenant onboarding uses time-limited tokens for registration links
  • Configuration secrets (e.g. database credentials, mail credentials, app URL) are stored in environment variables via .env and are not committed to source control

3.3 Input Validation & Database Security

  • Database access is handled using prepared statements / parameterised queries to protect against SQL injection
  • Server-side validation is performed on key inputs such as IDs, dates, emails and numeric fields
  • Uploaded filenames are normalised and stored with unique hashes to prevent collisions and path injection
  • Data is separated by entity (properties, tenants, contractors, compliance etc.) to minimise cross-access

3.4 File & Document Handling

  • Uploads are stored in dedicated folders (e.g. /uploads/properties, /uploads/tenants, /uploads/contractors)
  • Files are only accessible via the system to authorised roles; sensitive locations are not exposed in navigation
  • PDF templates and signed PDFs are stored in predictable, structured locations per tenant or contractor

4. Data Segregation & Least Privilege

  • Tenants can only access their own profile, documents and tickets
  • Contractors only see jobs, documents and properties they are assigned to
  • Staff user permissions can be scoped by module (e.g. maintenance, compliance, inspections)
  • “All companies” contractors are a controlled configuration option; staff must only use it where appropriate
  • Internal vs external tenants and properties are tagged to assist accurate scoping and reporting

5. Logging, Monitoring & Audit Trails

  • Activity logs record key events such as tenant updates, room changes, ticket activity and contractor actions
  • Void properties, inspections and compliance records have dedicated tables for traceability
  • Contractor invitations and registration tokens are recorded with expiry times
  • System errors are logged server-side for investigation and improvement

Logs are used for security monitoring, safeguarding, and to assist with investigations in the event of an incident or complaint.

6. Backups & Recovery

Database and file-level backups are taken at regular intervals via the hosting platform. Backups are used solely for restoration and continuity purposes in the event of failure, data corruption or accidental deletion.

  • Backups are stored within the hosting provider’s infrastructure
  • Restoration procedures are tested periodically on non-production environments where possible
  • Only authorised staff have access to initiate or request a restore

7. Development & Change Control

  • Changes are developed and tested in a non-production environment before deployment
  • Database migrations and new features are reviewed to avoid exposing personal data unnecessarily
  • Security fixes and critical patches are prioritised in the development pipeline
  • Versioning is used to track releases of the CRM and portals

8. Data Breach & Incident Response

  • Potential incidents are investigated promptly by the relevant managers and technical staff
  • Access to affected accounts or systems can be suspended where misuse is suspected
  • Where a personal data breach is confirmed, the ICO and affected individuals will be notified in line with legal requirements and the organisation’s incident response procedure

9. Staff Training & Acceptable Use

  • Staff are expected to complete data protection and information security awareness training
  • Users must keep passwords confidential and must not share logins
  • Exported data (e.g. CSV/Excel reports) must be stored and shared securely
  • Access from shared or public devices should be avoided; users must log out after use

10. Review & Improvements

These technical and organisational measures are reviewed regularly and after any significant system change, incident or regulatory update. Improvements are prioritised based on risk and impact.

11. Contact

Questions about this Data Protection & Technical Measures document can be directed to:

LHA Housing Group Limited
80 Holloway Head, Birmingham B1 1QP
Email: admin@lhahousinggroup.co.uk
Phone: 01384 226441