Privacy Policy

Effective Date: 01-01-2025

Last Updated: 01-01-2025

Website: https://bmi.army/


1. Controller Identity

Beyond Mission & Impossible Ltd.

3rd Floor | 207 Regent Street

W1B 3HH | London | United Kingdom

Companies House: 11495287

Dun & Bradstreet: 224272001

NATO NCAGE Code: U2FX7

Beyond Mission & Impossible Ltd. (“BMI”, “we”, “us”, “our”) operates in business-to-business (B2B) and business-to-government (B2G) environments, including defence, national security, emergency services, and strategic infrastructure sectors.

We act as a Data Controller or Data Processor depending on contractual context.


2. Scope of This Policy

This Policy applies to:

  • Website visitors
  • Government procurement officers
  • Defence personnel and contractors
  • Commercial partners and subcontractors
  • Strategic alliance partners
  • Event and demonstration participants
  • Tender participants
  • Security-vetted stakeholders

This Policy does not override specific contractual Data Processing Agreements (DPAs), classified handling procedures, or government framework requirements.


3. Categories of Personal Data Processed

In defence and procurement contexts, BMI may process:

3.1 Identity & Professional Information

  • Full name
  • Rank / Title
  • Service number (where contractually required)
  • Employer / Ministry / Agency
  • Role and clearance designation

3.2 Contact Information

  • Official email addresses
  • Secure communications channels
  • Government-issued phone numbers
  • Business addresses

3.3 Security & Vetting Data (where contractually required)

  • Security clearance confirmation (not full clearance files)
  • Vetting status verification
  • Access control credentials
  • Audit logs of access events

BMI does not conduct independent security clearance investigations unless contractually mandated.

3.4 Procurement & Contractual Data

  • RFP / ITT submissions
  • Due diligence documentation
  • Compliance declarations
  • Financial verification data

3.5 Technical & Cybersecurity Data

  • IP addresses
  • Secure session logs
  • Authentication records
  • System access logs
  • Encrypted communication metadata

4. Lawful Basis for Processing

Processing is conducted under:

  • Article 6(1)(b) – Contract performance
  • Article 6(1)(c) – Legal obligation
  • Article 6(1)(f) – Legitimate interests (enterprise security & operational integrity)
  • Article 6(1)(a) – Consent (where applicable)
  • Article 9(2)(g) – Substantial public interest (where applicable in defence contexts)

5. Defence & NATO Data Handling Standards

BMI operates in accordance with:

  • NATO security principles applicable to suppliers
  • UK MoD and allied procurement handling requirements
  • Controlled Unclassified Information (CUI) principles
  • Need-to-Know access enforcement
  • Role-based access controls (RBAC)
  • Zero Trust architecture principles (where implemented)

BMI does not publish or process classified information via its public website.

Classified materials are handled only within approved secure environments as contractually required.


6. Data Sharing & Disclosure in Defence Contexts

Personal data may be shared strictly on a need-to-know basis with:

  • Prime contractors
  • Government contracting authorities
  • NATO procurement bodies
  • Subcontractors under flow-down contractual obligations
  • Legal and audit authorities
  • Cybersecurity monitoring authorities where legally mandated

All subcontractors are subject to:

  • Written Data Processing Agreements
  • Confidentiality clauses
  • Security flow-down clauses
  • Audit rights

7. International Transfers

Given multinational defence operations, data transfers may occur between allied jurisdictions.

Transfers are safeguarded through:

  • UK International Data Transfer Agreements (IDTA)
  • EU Standard Contractual Clauses (SCC)
  • Government-to-government frameworks
  • NATO contractual security arrangements
  • Adequacy decisions where applicable

No transfer occurs without a lawful mechanism.


8. Information Security & Cyber Resilience

BMI implements technical and organisational safeguards proportionate to defence-sector expectations, including:

  • Encryption in transit (TLS 1.2+ or successor standards)
  • Encryption at rest (where applicable)
  • Multi-factor authentication
  • Access logging and monitoring
  • Endpoint security controls
  • Periodic vulnerability assessment
  • Incident response procedures
  • Supply chain security assessments

Security controls are continuously reviewed in alignment with emerging threat landscapes.


9. Incident & Breach Management

In the event of a personal data breach:

  • Internal incident response procedures are activated
  • Impact assessments are conducted
  • Relevant contracting authorities are notified where required
  • Regulatory reporting obligations are fulfilled within statutory timeframes

Defence-related incident notifications follow contractual escalation frameworks.


10. Data Retention in Procurement & Defence Contracts

Retention is determined by:

  • Contractual requirements
  • Defence procurement record-keeping obligations
  • National archiving regulations
  • Audit and accountability frameworks

Where retention obligations expire, data is securely deleted or anonymised.


11. Data Subject Rights

Subject to national security limitations and legal exemptions, individuals may exercise:

  • Right of access
  • Right to rectification
  • Right to erasure (where lawful)
  • Right to restriction
  • Right to object
  • Right to data portability

Certain rights may be restricted under defence or public security exemptions permitted by law.

Requests may require identity verification.


12. Security Clearances & Sensitive Environments

BMI acknowledges that defence environments may impose:

  • Export control restrictions
  • ITAR / EAR considerations (where applicable)
  • Official Secrets obligations
  • National security restrictions

This Privacy Policy does not supersede national security law.


13. Export Control & Compliance

Where personal data intersects with export-controlled environments, BMI ensures compliance with:

  • UK Export Control Order
  • EU Dual Use Regulation
  • Applicable allied export regimes

14. Website-Specific Data Collection

The public website (https://bmi.army/) collects limited technical data for:

  • Operational security
  • Anti-intrusion monitoring
  • Performance optimisation

No classified or restricted data should be submitted via the public website.


15. Governing Law

This Privacy Policy is governed by the laws of England and Wales, without prejudice to mandatory international defence frameworks.


16. Contact – Data Protection & Compliance

Beyond Mission & Impossible Ltd.

3rd Floor | 207 Regent Street

London | W1B 3HH | United Kingdom

For privacy and compliance inquiries: LEGAL@BMI.ARMY