1. Purpose

This top-level Data Protection Policy is a key component of RiverArk Limited’s (“RiverArk”) overall data protection management framework and should be considered alongside more detailed information security documentation, including Annexures to this policy, system level security policies, security guidance and protocols or procedures.

This Policy sets out the obligations of RiverArk regarding data protection and the rights of the individuals (in this context “data subjects”) in respect of their personal data under the UK Data Protection Act 2018, Privacy and Electronic Communications Regulations (PECR) and EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). The GDPR is interpreted and regulated in the UK by the Information Commissioner’s Office under the UK GDPR as supplemented by the Data Protection Act 2018.

RiverArk receives and processes confidential and sensitive information on behalf of its customers. All such information is subject to any data protection requirements, in addition to this Policy, that may have been agreed with the customers.

The procedures and principles set out herein must always be followed by the Company, its employees, agents, contractors, or other parties working on behalf of RiverArk.

References in this policy to “we,” “our” and “us” shall be a reference to RiverArk.

2. Responsibilities

  1. All IT support tasks and functions are exclusively outsourced to our trusted 3rd party service provider. They possess the expertise and knowledge to handle technical issues efficiently and effectively.
  2. The responsibilities related to IT support have been contractually assigned to the designated service provider. Their engagement is governed by a formal agreement to ensure adherence to the agreed-upon terms and conditions.
  3. The 3rd party service provider is authorised to perform all necessary technical activities essential for ensuring a smooth IT infrastructure. This includes troubleshooting, system maintenance, software installations, network management, and user support.
  4. Procedural Activities for RiverArk Personnel: While IT support tasks are outsourced, RiverArk personnel have distinct procedural responsibilities as indicated in the procedure itself.

3. Procedures

3.1 Identifying and recording uses of personal data

3.1.1 Data review and register

  1. RiverArk will establish and maintain a Personal Data Register and data flow analysis that includes identification of:
    • Key business processes that utilise personal data
    • Sources of personal data
    • Categories of personal data processed, including identification of high risk and special category personal data.
    • The purpose for which each category of personal data is used, including subsequent secondary purposes over and above the initial purpose collected.
    • Potential recipients of personal data, key systems and repositories of personal data, offshore transfer, retention, and disposal requirements.
    • Whether RiverArk is acting as data controller, processor, or joint data controller.
  2. Data reviews to manage and mitigate risks will be conducted regularly through updates to the information assets register. This includes information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

3.1.2 Data Protection Impact Assessments (DPIA)

  1. The CTO shall carry out a DPIA for all new projects and/or new uses of personal data which involve the use of modern technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the Data Protection Legislation.
  2. DPIAs shall be overseen by the Data Protection Compliance Manager/IT Administrator and shall address the following:
    • The type(s) of personal data that will be collected, held, and processed.
    • The purpose(s) for which personal data is to be used.
    • RiverArk’s objectives
    • How personal data is to be used.
    • The parties (internal and/or external) who are to be consulted.
    • The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed.
    • Risks posed to data subjects.
    • Risks posed both within and to RiverArk; and
    • Proposed measures to minimise and handle identified risks.

3.1.3 Privacy by Design and Default

  1. When designing or making significant changes to systems for use within RiverArk or by its data processors, the IT Administrator shall ensure that compliance with privacy and data protection regulations is identified and managed from the start of such projects. The Data Protection Compliance Manager will be responsible for ensuring that all IT projects commence with a privacy plan.
  2. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

3.1.4 Consent

  1. If the data that is collected is subject to consent by the data subject, RiverArk will obtain such consent in a clear and transparent manner. This consent can be revoked at any time. RiverArk will ensure that the revocation of consent is easy for the data subjects.
  2. Any criminal record checks must be justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.

3.2 Collection and Processing of Personal Data

3.2.1 Fair, lawful, and transparent processing

RiverArk will ensure that:

  1. It processes personal data only based on the legal basis (Annexure 1.5) which is recorded in the data register.
  2. It provides information to the data subjects in an appropriate format which clearly communicates:
    • the purpose for which their personal data can be processed.
    • legitimate interest of RiverArk 
    • types of personal data collected.
    • information about disclosure to third parties
    • transfer of such personal data outside the EU and safeguards in place
    • rights of the data subject
    • retention period for their personal information
    • other information to make the processing fair and transparent.
  3. RiverArk shall ensure that how an individual can object is clearly explained in the following circumstances:
    • Where the personal data is collected for marketing purposes or might be so used in future
    • Where profiling by automated means is used for marketing purposes
  4. RiverArk will also ensure that any information presented to any individual is in a format easily accessible and understood by the intended audience.

3.2.2 Processing for Specific Legitimate Purposes

  1. RiverArk will ensure any use of personal data is justified using at least one of the conditions for processing (Annexure 1.3). All staff who are responsible for processing personal data will be aware of the conditions for processing.  
  2. RiverArk will not use personal data obtained for one purpose, for any unconnected purpose unless the individual concerned has explicitly agreed to this or a relevant exemption applies.

3.2.3 Adequate, Relevant and in line with data minimisation principles

  1. RiverArk will ensure that any personal data collected is adequate for its purpose. Regular reviews of its technology and processes will be conducted to ensure that the personal data continues to be adequate for its purposes.
  2. RiverArk will ensure its systems and processes are reviewed to ensure the personal data being processed is relevant and not excessive.

3.2.4 Accuracy of Data and Keeping Data up to date

  1. RiverArk shall ensure integrity and accuracy of personal data being processed.
  2. Any request by the individual to correct their personal data is promptly acted upon.
  3. If any personal data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

3.2.5 Secure Processing

  1. RiverArk shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  2. RiverArk can obtain from ITA solutions all the details and other specific descriptions of the technical and organisational measures taken by it to ensure the security of personal data.
  3. Where RiverArk shares personal data with a third party, the responsibilities of both parties regarding personal data will be formally documented in a written agreement or contract as appropriate.

3.2.6 Processing in accordance with the Individual’s Rights

  1. RiverArk will ensure that personal data is collected and processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. 
  2. RiverArk will abide by any request from an individual not to use their personal data for direct marketing purposes and notify the Data Protection Compliance Manager about any such request.
  3. RiverArk will not send direct marketing material to someone electronically (e.g., via email) unless RiverArk has an existing business relationship with them in relation to the services being marketed or a valid consent has been obtained from the subjects who are recipients of such marketing material.
  4. Please contact the Data Protection Compliance Manager for advice on direct marketing before starting any new direct marketing activity.
  5. A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

3.2.7 Subject Access Requests

  1. A data subject may make a subject access request (SAR) at any time to find out more about the personal data which RiverArk holds about them. RiverArk will respond to such request within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
  2. All subject access requests received must be forwarded to RiverArk’s Data Protection Compliance Manager.
  3. RiverArk does not charge a fee for the handling of normal SARs. RiverArk reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

3.3 Data Retention

  1. RiverArk shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed.
  2. When the data is no longer required, all reasonable steps will be taken to erase it without delay in accordance with Data Destruction Procedures according to ITA solutions policies and in line with the level of security appropriate to the sensitivity of the personal data.
  3. RiverArk’s Data Retention Schedule will identify the retention period for personal data. Such schedule will:
    • Include any minimum retention period required by law, as well as retention period set by RiverArk
    • Include justification and basis for the retention periods. 

3.4 Transferring Data Internationally

  1. Where personal data is transferred outside the UK by RiverArk, it shall ensure that the rights of the data subjects are protected. 
  2. The Data Protection Compliance Manager shall review all new initiatives involving transfer of personal data:
    • between the UK and the EEA
    • outside the EEA
     The review shall establish that adequate protection can be provided to such transfers.
  3. The transfer of personal data to a country outside of the EEA shall take place only:
    • If the European Commission has assessed the country or territory as providing adequate protection
    • By including within contracts specific and legally binding conditions which ensure protection of personal information and the processing
    • By complying with an approved code of conduct or approved certification mechanism along with binding and enforceable commitments on the destination organisation
    • For public bodies by complying with a legally binding and enforceable instrument or administrative arrangement

3.5 Security Issues

  1. The Information Security Policy will also ensure that:
    • Personal data is stored and handled securely, with precautions appropriate to its confidentiality and sensitivity.
    • Special attention is paid to storage of personal data on removable media, portable devices, and third-party storage systems (e.g., Cloud storage) 
    • Electronic or manual transmission of personal data is secured by appropriate means.
  2. The Data Protection Compliance Manager will ensure that security assessments are routinely undertaken to establish whether existing security controls around personal data are adequate and make recommendations for improvements if necessary.

3.5.1 Reporting Breaches

  1. All members of staff have an obligation to report actual or potential data protection compliance failures. This allows RiverArk to:
    • investigate the failure and take remedial steps if necessary.
    • maintain a register of compliance failures.
    • notify the ICO (Information Commissioner’s Office) of any compliance failures that are material either in their own right or as part of a pattern of failures.
  2. If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Compliance Manager must ensure that the ICO is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. Such notification shall include:
    • A description of personal data involved.
    • Details of categories of personal data and approximate number of records involved.
    • Contact details of RiverArk’s Data Protection Compliance Manager (or other contact point where more information can be obtained)
    • A description of likely consequences of the breach
    • Details of the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
  3. If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Compliance Manager must ensure that all affected data subjects are informed of the breach directly and without undue delay.

3.6 Training

  1. All staff will receive training on this Policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
  2. Training can be provided on a regular basis through an in-house seminar, via online learning portals, or by any other means which are considered reasonable for this purpose. Completion of training is compulsory. Training will be completed and documented in accordance with SOP/GEN/003 – Training Management. It will cover:
    1. The law relating to data protection.
    2. RiverArk’s data protection and related policies and procedures

3.7 Consequences of failing to comply

  1. We take compliance with this Policy very seriously. Failure to comply puts both you and RiverArk at risk.
  2. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. 
  3. If you have any questions or concerns about anything in this Policy, do not hesitate to contact the Data Protection Compliance Manager.

Annexure 1: Legal Provisions

1.1 Personal Data

Any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject.

1.2 Data subject

A living, identified, or identifiable individual about whom RiverArk holds personal data.

1.3 The Data Protection Principles

  1. The Data Protection Legislation sets out the following principles with which any party handling personal data must comply. All personal data must be:
    • Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
    • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
    • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
    • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
    • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods as far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the data protection legislation in order to safeguard the rights and freedoms of the data subject.
    • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

1.4 The Rights of Data Subjects

  1. The Data Protection Legislation sets out the following key rights applicable to data subjects:
    • The right to be informed.
    • The right of access.
    • The right to rectification.
    • The right to erasure (also known as the ‘right to be forgotten’)
    • The right to restrict processing.
    • The right to data portability.
    • The right to object
    • Rights with respect to automated decision-making and profiling.

1.5 Legal Basis

  1. The Data Protection Legislation seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Data Protection Legislation states that processing of personal data shall be lawful if at least one of the following applies:
    • The data subject has given consent to the processing of their personal data for one or more specific purposes.
    • The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract with them.
    • The processing is necessary for compliance with a legal obligation to which the data controller is subject.
    • The processing is necessary to protect the vital interests of the data subject or of another natural person.
    • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
    • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

1.6 Special Category Data

  1. If the personal data in question is “special category data” (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data), at least one of the following conditions must be met:
    • The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless prohibited by law).
    • The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (if authorised by UK law).
    • The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
    • The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
    • The processing relates to personal data which is clearly made public by the data subject.
    • The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity.
    • The processing is necessary for substantial public interest reasons, with a basis in law, which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
    • The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of UK and/or EU law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
    • The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
    • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on UK and/or EU law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

1.7 Rules on International Transfers of Personal Data

  1. The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
    • The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data. 
    • The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority
    • The transfer is made with the informed consent of the relevant data subject(s) 
    • The transfer is necessary for the performance of a contract between the data subject and the Firm (or for pre-contractual steps taken at the request of the data subject) 
    • The transfer is necessary for important public interest reasons. 
    • The transfer is necessary for the conduct of legal claims. 
    • The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or 
    • The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who can show a legitimate interest in accessing the register. 

Annexure 2: Privacy Notice General

Purpose

This Privacy Notice (“Notice”) – together with any other privacy information we may provide on specific occasions – applies to the processing of personal data by us while providing our quality assurance services and carrying out our business operations. The Notice sets out the types of personal data we collect, explains how we collect and process that data, who we share it with, and certain rights and options that you have in this respect.

We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

When we refer to “RiverArk” or “we” in this Notice we mean RiverArk Ltd, a company incorporated in England & Wales with registered number 7815952 and registered address at 85 Great Portland Street London W1W 7LT.

How we collect and use (process) personal information

  1. We collect and process personal data for the following categories of data subjects: 
    • Job applicants
    • Clients
    • Business contacts which include suppliers, consultants, advisors
    • Visitors to our website
    • Recipients of our marketing activities

1 Job applicants

  1. All the information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
  2. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role for which you have applied.
  3. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. 

1.1 Application Stage

  1. At the application stage, we ask you for:
    • Contact details – name, address, phone number and email address.
    • Your previous experience – details of your education, work history, referees, and answers to questions relevant to the role you have applied for.
    • Financial – previous salary/salary expectation, conflict of interest.
    • Health and safety – disability/special needs. This information will only be used to ensure a comfortable experience during the interview process. This is not mandatory information – if you do not provide it, it will not affect your application.
    • Ability to drive in the UK, if relevant for the role.

1.2 Selection Stage

  1. We might ask you to complete tests, online assessments or a psychometric questionnaire, and/or attend an interview. Information will be generated by you and by us. For example, we might take interview notes. We hold this information.
  2. We will also ask you to provide contact details of two references; their details and their answers and/or opinions will be retained by us. We will also conduct an ID verification and check your right to work in the UK before any offer letters are issued.

1.3 How long is the information retained?

  1. If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign. Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
  2. If you are successful in your application, we will retain your information in accordance with our Privacy Notice for Employees, Workers, and Contractors. A copy of this Notice will be provided to you with your offer letter.

2 Clients and Business Contacts 

  1. We collect personal information about our clients to provide them with our audit and consulting services. We hold the following information about customers:
    • Contact details – name, business address, business email address, business phone numbers including mobile numbers.
    • Personal information contained in business communications.
    • Transaction data including details about services you have purchased from us.
  2. We may receive personal information from our clients about other individuals, e.g., their employees, while providing our services. Any such information provided to us is used solely for providing our services and is handled strictly as per client instructions.

3 Business Contacts

  1. If you are a supplier, service provider, advisor, or consultant, we may process the following personal data about you:
    • Contact details – name, work email address, contact numbers.
    • Professional details- the name of employer, job role, educational or professional background, any professional disqualifications
    • Verification of identity details- Passport or any other government-issued document, proof of address, professional indemnity insurance
    • Financial and Transactional details- invoices, bank account numbers for payment
    • If you have access to any of our internal platforms- username and password
  2. We use this information to enter into and fulfil a contract with you, and to administer and manage our relationship with you, including accounting and payment processing activities.

4 Visitors to our Website 

  1. When you visit our website, we use third-party services (‘cookies’) to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the website. The information is only processed in a way which does not identify any individual. 
  2. When you complete the contact form on our website or use the email for enquiries, we will use the information provided by you only for the purpose of providing you with an appropriate response.

5 Marketing Data 

We hold the names and contact details of individuals who have expressed interest in hearing from us about our services or have engaged with us for the supply of our services in the past. All direct marketing activities to such individuals shall comply with relevant privacy and regulatory requirements.

5.1 How is your personal data collected?

  1. You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    • engage us to provide services.
    • subscribe to our publications.
    • request marketing material to be sent to you.
    • complete one of our enquiry forms or
    • provide us with feedback.
  2. We may also receive personal information from third parties including other customers, partners, or third parties that we run partnerships, competitions, and events with. Any such information provided to us is used solely for providing our services and is handled strictly as per our data protection procedures.

When and how do we share your personal data

  1. We may share your personal data in the following circumstances:
    1. internally with staff members who require your information to provide our services and who have received training in data protection.
    2. with our accreditation bodies where this is a requirement for delivering our services.
    3. with our professional advisors, including our legal advisors, financial advisors, insurers, accountants, auditors, or other consultants to the extent they require this information to provide their services to us.
    4. with sub-contractors, consultants or associates who are asked by RiverArk to deliver all or some of the services.
    5. with courts, law enforcement authorities, regulators, or government officials where it is legally required.
    6. with third parties providing IT support and maintenance services, marketing and client support services, data storage services, and checks for credit risk reduction and other fraud and crime prevention purposes; and other financial institutions and credit reference agencies providing services to us.
    7. with any third parties with whom you require or permit us to correspond.
  2. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services and communications.

Transfers of personal data outside the EEA 

There may be occasions where we will need to share your data with entities in third countries, such as when we are using cloud software providers or outsourced contractors which enable us to provide you with the services. We verify that any data transfer outside the EEA is subject to EU adequacy requirements, Standard Contractual Clauses or other transfer tools which comply with data protection legislation.

Automated decision-making

We do not use automated decision-making in relation to your personal data. 

Security of your personal information

  1. To help protect the privacy of data and personally identifiable information you provide to us, we maintain physical, technical, and administrative safeguards. We update and test our security technology and controls on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.
  2. We are certified to Cyber Essentials Plus and IASME standards, which demonstrates our commitment to the security and privacy of your personal information.

Data storage and retention

  1. Your personal data is stored by RiverArk on its servers, and on the servers of the cloud-based services and IT service providers we engage, as well as in physical forms in our office and at backup and archival facilities. We retain data as per our data retention policy and regulatory data retention requirements.
  2. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at privacy@RiverArk.com.

Data Subject Rights 

  1. This Privacy Notice is intended to provide you with information about what personal data the Firm collects about you and how it is used. If you have any questions, please contact us at privacy@RiverArk.com. 
  2. If you wish to confirm that RiverArk is processing your personal data, or to have access to the personal data we may have about you, please contact us at privacy@RiverArk.com.
  3. You have a right to request correction of inaccurate information, deletion of information, and to instruct us to stop processing your information. We are obliged to honour such requests as per the regulatory requirements. If you would like more information or would like to make such a request, please contact us at privacy@RiverArk.com.

Annexure 3: Privacy Notice Employees

Purpose

RiverArk is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).

This notice applies to current and former employees, workers, contractors, and associates. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time. 

It is mandatory for all employees to familiarise themselves with the Data Protection Policy. This document highlights specific provisions applicable for processing of employee personal data (including data of other workers and sub-contractors) and must always be read in the context of our Data Protection Policy.

We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Statement as we undertake new personal data practices or adopt new privacy policies.

Responsibilities

Role/Title: Data Protection Compliance Manager

Activity: Oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Compliance Manager.

If you are concerned about an alleged breach of privacy law or any other regulation by us, please email the Data Protection Compliance Manager at yogesh.agarwal@riverark.co.uk who will ensure that your complaint is investigated.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. We may collect, hold, and process the following categories of personal information about you:

Identification information

  1. Title
  2. Forename
  3. Surname (may include previous names)
  4. Gender
  5. Date of Birth
  6. Address, including previous addresses.
  7. Personal Email Address
  8. NI Number and similar social security numbers for employees outside the UK
  9. Photographs
  10. Copy of your passport and any work, tourist, or business visa (including application forms)
  11. Copy of driving licence or DVLA check code.
  12. Start Date and location of employment.
  13. Next of kin and emergency contact information
  14. Educational and Professional qualifications
  15. References from previous employers/colleagues
  16. Security clearance

Financial details

  1. Hours Worked
  2. If Part Time: days of the week worked.
  3. Student Loan
  4. P45 from previous employer
  5. Bank account details, payroll records and tax status information
  6. Details of remuneration including salaries, pay increases, bonuses, commission, overtime, benefits, and expenses.
  7. Leave records.
  8. Compensation history
  9. Performance information

Health records (Special category information)

  1. Details of sick leave
  2. Medical conditions
  3. Disabilities and special needs
  4. Prescribed medication
  5. Sickness records
  6. Maternity / Paternity / other statutory leave information (for statutory purpose only)

Employment records

  1. Interview notes
  2. CVs, application forms, covering letters, and similar documents.
  3. Job title and job descriptions
  4. Assessments, performance reviews and similar documents
  5. Employee monitoring information
  6. Records of disciplinary matters including reports and warnings, both formal and informal
  7. Details of grievances including documentary evidence, notes from interviews, procedures followed, and outcomes.
  8. Details of internal and external training modules taken
  9. IT equipment use including telephones and internet access.

How is your personal information collected?

We collect personal information about employees, workers and contractors through the application, recruitment, and on-boarding process, either directly from you or from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies, personal references, or other background check agencies. 

We will collect additional personal information in the course of job-related activities throughout the period of you working for us. 

How we use (process) your personal information?

  1. We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances: 
    • Where we need to perform the contract we have entered into with you.
    • Where we need to comply with a legal obligation 
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests 
  2. We may also use your personal information in the following situations, which are likely to be rare: 
    • Where we need to protect your interests (or someone else’s interests) 
    • Where it is needed in the public interest or for official purposes 
  3. The information below categorises the types of data processing, appropriate to your status, we undertake and the lawful basis we rely on.

Personal Information: Lawful basis of processing

Legitimate interest

    • Your CVs, professional qualifications, professional experience: To ensure that we hire in accordance with our requirements and policies
    • Disciplinary or grievance evidence: To ensure that employment law and best practice is followed in our business
    • Performance, qualifications, training records and experience, professional memberships: To ensure that you have the skills and ability necessary to perform your role, to assist you with performance and manage any performance concerns, to ensure our clients are satisfied regarding your ability to provide services to them.
    • Monitoring your use of our information and communication systems, any information relating to your conduct: To protect our business, ensure that the law and our policies are followed, investigate fraud, theft, or improper conduct.
    • Monitoring both your conduct, including timekeeping and attendance, and your performance and to undertake procedures where necessary: To enable us to make decisions relevant to our relationship including promotion, termination, business planning and restructuring
    • Personal email and mobile number: To invoke BCP in case of emergency. Only Directors have this information

Performance of a contract

    • Details of remuneration including salaries, pay increases, bonuses, commission, overtime, benefits, and expenses, performance reviews, leave records, your Bank details: To ensure the proper management of remuneration and other reimbursements to you, to pay your earnings
    • Education, training and development requirements and records: To help us develop your skills and ensure that you remain able to perform your duties
    • Your employment and other contracts, policy compliance records: Administering the contract that we have entered into

Compliance with a legal obligation

    • Your Passport and other ID details: Checking you are legally entitled to work in the UK
    • Tax information, e.g., Tax codes, NI number, student loan: If you are an employee, deducting tax and National Insurance contributions or liaising with your pension provider
    • Providing employment references to prospective employers, when our name has been put forward by the employee/ex-employee, to assist with their effective recruitment decisions: Legitimate interest of the prospective employer
    • Information relating to leaves of absence, which may include sickness absence or family related leaves: Employment and other laws, proper management of our business
    • Information about your physical or mental health, or disability status, other medical information, next of kin details: Complying with health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information. 

1 Consent

  1. Where no other lawful basis applies, we may seek to rely on your consent to process data. Where consent is to be sought, we will do so on a specific and individual basis where appropriate. You will be given clear instructions on the desired processing activity, informed of the consequences of your consent and of your clear right to withdraw consent at any time.
  2. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

2 Health Records and other special category personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. 

Health records and other special category personal information will only be collected, held, and processed to the extent required to ensure that employees are able to perform their work correctly, legally, safely, and without unlawful or unfair impediments or discrimination.

3 Employee Monitoring

  1. We may from time to time monitor your activities. Such monitoring may include, but will not necessarily be limited to, internet and email monitoring. If monitoring of any kind is to take place (unless exceptional circumstances, such as the investigation of criminal activity or a matter of equal severity, justify covert monitoring), you will be informed of the exact nature of the monitoring in advance.
  2. Personal data collected during any such monitoring will only be collected, held, and processed for reasons directly related to (and necessary for) achieving the intended result and, at all times, in accordance with your rights and our obligations under the GDPR.

4 Criminal Conviction Data

We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, but may also be collected during your employment. We use criminal conviction data to determine your suitability or your continued suitability for the role. We rely on our legitimate interests and the legitimate interests of our clients to process this data.

5 Failure to Provide Data

Your failure to provide us with required data may mean that we are unable to fulfil our requirements for entering a contract of employment with you. This could include being unable to offer you employment or administer contractual benefits.

Your Rights in relation to your personal data

1. Right to be Informed

This policy sets out clearly the type of personal data we process and the basis for processing your data. This policy also sets out your rights as a data subject and our data retention and data security principles. 

2. Right to Access

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

3. Right to Rectification

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. 

4. Right to Erasure

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

5. Right to Restrict Personal Data Processing

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. If any affected personal data has been disclosed to third parties, those parties will be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

6. Right to Object to Processing

  1. You have the right to object to our processing of your personal data based on legitimate interests, direct marketing (including profiling) and processing for scientific and/or historical research and statistics purposes.
  2. Where you object to our processing of your personal data based on our legitimate interests, we will cease such processing immediately, unless it can be demonstrated that our legitimate interests for such processing override your interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
  3. Where you object to our processing of personal data for direct marketing purposes, we will cease such processing immediately.

7. Right to Data Portability

Request the transfer of your personal information to another party. 

8. Right to Object to Automated Decision Making

You have the right not to have decisions made about you solely based on automated decision-making processes where there is no human intervention, where such decisions will have a significant effect on you. We do not make any decisions based on such processes. We will inform you if we decide to implement such processes.

9. Right to withdraw consent.

In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Compliance Manager or Human Resources. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. 

10. How to enforce your rights?

  1. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Compliance Manager. 
  2. You will not have to pay a fee to access your personal information (or to exercise any of the other rights), however we may charge a reasonable fee if your request for access is clearly unfounded or excessive; alternatively, we may refuse to comply with the request in such circumstances. 
  3. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 

Sharing your information 

  1. Employees within RiverArk who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out of performance-related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with GDPR.
  2. We may also share your data with third parties as part of a company sale or restructure, or for other reasons to comply with legal obligations upon us. We will ensure that the third parties implement appropriate technical and organisational measures to ensure the security of your data.
  3. We may be required to disclose your personal data for the following reasons:
    • Any employee benefits operated by third parties.
    • Disability and special needs information – when any reasonable adjustments are required to assist you at work.
    • Your health data – to comply with health and safety or occupational health obligations towards you.
    • For statutory sick pay purposes
    • HR management and administration – to consider how your health affects your ability to do the job.
    • For operation of employee insurance policies or pension plans
  4. To assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders or to assess or collect any tax or duty.
  5. These kinds of disclosures will only be made when strictly necessary for the purpose.
  6. Prior to the collection of such data, you will be fully informed of the personal data that is to be collected, the reasons for its collection, and the way(s) in which it will be processed, as per the information requirements set out in the RiverArk Data Protection Policy.

Transfer of information outside the UK/EU

We or our third-party service providers may transfer the personal information we collect about you outside the UK/EU in order to perform our contract with you. More information is provided in our Data Protection Policy.

Security of your data

We will ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage in accordance with our Data Protection Policy and Information Security Policy. 

Accuracy of Data and Keeping Data Up-to-Date

  1. We will ensure that all personal data collected, processed, and held by RiverArk is kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at your request.
  2. We will not keep personal data for any longer than is necessary considering the purpose or purposes for which that personal data was originally collected, held, and processed.
  3. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

Retention Period

We only keep your data for as long as needed, which will be at least for the duration of your employment with us though in some cases we will keep your data for a period of up to 6 years after your employment has ended. The retention periods for some data are set by the law and we will abide by such retention requirements.

Making a Complaint

If you think your data rights have been breached, and if we have failed to address your concerns to your satisfaction, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 or 01625 545 745.

Madhavi Nadgouda
Co-Founder and CEO
Madhavi is a Co-founder and the CEO of RiverArk. As an entrepreneur, to date Madhavi has worked on two successful start-ups including RiverArk. Madhavi spearheads legal & commercial aspects and client relations within RiverArk. Dedicated and results-oriented chief executive with a wealth of experience in leading a growing and highly successful quality assurance consultancy. Proven track record of implementing robust quality management systems, driving operational excellence, and fostering client relationships. A strategic thinker with a hands-on approach, committed to delivering top-tier services and maintaining the highest standards of quality in all business operations. Combines strategic vision, operational expertise, and a passion for quality assurance to drive the success of RiverArk. With a focus on excellence and client satisfaction, continues to lead the company towards new heights, solidifying its position as a trusted partner in the quality assurance landscape.
Milind Nadgouda
Co-Founder and Director Operations
Milind is a Quality Assurance professional, with more than 25 years of strategy experience as well as hands on expertise in operational oversight. He is the Co-founder and Director of operations at RiverArk Limited. His core competencies include inspection readiness, audit strategy, risk strategy and management, gap assessment and quality assurance. His expertise on quality strategy and regulatory compliance has been derived from hands-on real-world experience. So far in his career, Milind has been in the frontline during GxP inspections and has on several occasions been in the back room supporting the teams at high-ranking pharmaceutical companies for inspections. He sees himself as a problem solver and a solution provider.
Ryan Schön
Project Manager
With over a decade of extensive experience in the pharmaceutical industry, I bring a wealth of knowledge and a proven track record in Project Management. Holding Prince2 certifications, I have demonstrated my capability to manage and deliver projects effectively and efficiently, ensuring high standards and successful outcomes. Throughout my career, I have gained valuable expertise across various facets of the pharmaceutical sector, including production planning and buying, document control, training coordination, logistics planning, and pharmacy dispensing. This diverse background has equipped me with a comprehensive understanding of the industry's complexities and the ability to navigate through them accordingly. My journey in this field has been marked by a continuous drive to learn and develop. I take pride in my ability to focus on clients and patients, ensuring that their needs are always at the forefront of my work. My attention to detail and easy-going nature allow me to build strong working relationships, fostering a collaborative environment where projects thrive. I firmly believe that the effort you invest directly influences the results you achieve. This principle guides my work ethic and dedication to every project I undertake. I look forward to continuing to contribute to the pharmaceutical industry with my project management expertise, always striving for excellence and client satisfaction.
Mariam Hussain
Project Manager
Mariam began her career in the pharmaceutical industry after completing her Bachelors in English, initially joining a pharmacovigilance company where she played a key role in ensuring drug safety and regulatory compliance. Building upon her experience, Mariam transitioned into a Project Manager at RiverArk where she oversees successful execution of projects, coordinates project activities and collaborates with clients and consultants to ensure timely achievement of objectives. As a Prince2 and Agile certified Project Manager, Mariam’s aim is to deliver projects in line with RiverArk’s values of excellence, professionalism, integrity, communication.
Tiffany Swift
Project Administrator
Tiffany brings over 30 years of experience in business development, administration, and project coordination to her current role at RiverArk. As a Project Administrator, she enjoys a varied and interesting position that allows her to oversee seamless operations and ensure exceptional service to clients and colleagues. She is currently studying for her Prince2 7 Foundation & Practitioner qualification to further her knowledge and utilise her many skills in this area. Tiffany is proud to contribute to the success and excellence of RiverArk.
Amy King
Project Administrator
As a Project Administrator, I am responsible for assisting the Project Manager in ensuring all projects run smoothly and all timelines are met. I have been at RiverArk for almost a year now and, since joining, have learnt some incredibly valuable skills that have helped me develop my understanding of the industry and enhance my ability to deliver projects to a high standard. I have a strong background in administration, and I am now completing my Prince2 Foundation and Practitioner certification to further develop my project management skills – I hope to continue to build on these throughout my time at RiverArk.
Kim Ritchie 
Senior Quality Assurance Auditor
A Forensic Sciences graduate who started off their graduate career working in the laboratory, learning the importance of working to regulations. This appreciation led to a switch in career to pharmaceutical auditing within a large CRO and now being a Senior QA Auditor, with over 5 years of experience in GxP auditing specialising in GCP, GCLP and GLP. Experienced in vendor audits, investigator site audits, TMF audits, process audits and internal audits. Knowledgeable in training, process improvement projects, inspection readiness projects and QMS projects.
Loveleen Kukreja
Principal QA Auditor
A postgraduate life scientist with 10 years of Quality Assurance and Quality Systems experience in Clinical Research. Extensive experience of conducting GCP, GVP and GCLP audits in multiple geographies. Hands-on expertise in Vendor audits, Investigator site audits, process audits and systems audits. Adroit at imparting conventional GCP training and inspection readiness training. Firsthand experience in hosting competent authority inspections. Deep knowledge of systems improvements and continuous improvements and tactful at using multiple methodologies. Assisted in QA review of Computer Systems Validation documentation.
Ashok Kumar
Principal GXP QA Auditor
Ashok Kumar G is a distinguished professional with a wealth of experience in Pharmacovigilance, clinical trials, and Quality Assurance. With a career spanning over 17 years, Ashok has honed his expertise in ensuring the safety, efficacy, and quality of pharmaceutical products. His unwavering commitment to upholding the highest standards has made him a trusted leader in the industry. Beyond his professional achievements, Ashok is an avid reader who finds joy and inspiration between the pages of a good book. Whether it's diving into the latest medical research or exploring works of fiction, he believes in the power of literature to broaden the mind and ignite the imagination. His journey in Pharmacovigilance, clinical trials, and Quality Assurance is marked by a relentless pursuit of excellence. His meticulous attention to detail and strategic approach have led to the successful execution of numerous complex projects, earning him accolades from colleagues and clients alike.
Bala Bhargav Podduturi
Quality Officer
A double postgraduate in Chemistry and Drug Design and Discovery from the University of Salford. With two years of experience in Quality and data research analysis in Pharma, I am currently working as a Trainee Auditor and Quality Officer at RiverArk. Involved in audits across all GxPs, primarily within the GMP/GLP QA. Assisted in a few GCP and GVP audits as well. I am also the training coordinator responsible for the induction training of new hires. As a Quality Officer I am responsible for the tracking and coordinating of CAPAs and CAPA closures, Change controls, Internal audit schedules, ISO 9001 certification audits, Deviations and other QMS related activities.
Anip Damle
Interim Project Coordinator
Anip, an engineer by education, transitioned into the Pharma industry driven by his dedication to quality. With a master’s degree in mechanical engineering from Northumbria University, his passion for quality led him into the Pharma-Biotech sector, focusing on GxP compliance. Anip specializes in ISO 13485 for Medical Devices and ISO 9001. He is also a Green Belt in Lean Six Sigma. He is working as an interim project coordinator for the RA team at RiverArk. Also, as a trainee auditor at RiverArk, he is involved in GxP audits, primarily within the GCP QA arena, while also training in GVP QA areas. His career at RiverArk includes working in cross-functional teams. Anip started with several quality initiatives using Six Sigma, Kaizen, and Lean techniques. Anip’s commitment to success is evident through his track record of academic and project achievements. He is dedicated to finding innovative solutions and continuously striving for excellence in all his endeavours.
Daniel Bennett
Sr. Quality Consultant
Daniel Bennett is a seasoned professional known for his leadership and expertise in Trial Master File (TMF) management, likening the TMF to the fruit growing from the GCP quality system tree. With a robust background in analytics and a rigorous approach to continuous process improvement, Daniel has contributed to the development of many company procedures to improve GXP compliance. His career includes working in cross-functional teams at small and medium-sized biotechs, major pharmaceutical companies, as well as for CROs and specialist vendors. An industry speaker on metrics, quality control, continuous improvement, and team culture, Daniel is an experienced trainer. He brings a passion for clear and concise communication to each project. He is a passionate believer that complex systems are built out of small interconnected parts, and is rarely happier than when he gets to tinker with standard operating procedure documents.
Joshua Marsh
Senior QA Auditor
Joshua Marsh is an experienced auditor with a background in Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Clinical Laboratory Practice (GCLP), and ISO 15189. He has experience of performing external audits including Contract Research Organisations (CROs), Investigator Sites, and sample storage facilities to GCP; bioanalytical laboratories to GLP and GCLP; and central laboratories to ISO 15189. Joshua has worked as an internal auditor at laboratories that perform bioanalysis on behalf of clinical trials and preclinical trials and has experience of developing and maintaining Quality Management Systems (QMS); performing study-based inspections, process-based inspections, and facility-based inspections; and leading Corrective and Preventative Action (CAPA) investigations. Joshua holds a Bachelor of Science degree in Biomedical Sciences from the University of Hull and is a member of the Research Quality Association (RQA). He remains up to date with GCP, GLP, GCLP and ISO 15189 regulations. Joshua is committed to delivering the best possible quality of audit by working closely with clients to ensure the scope of audits is understood and fulfilled, and communicating clearly with auditees to ensure the audit is of value to all involved.
Aleksandra Rickman
Business Development Manager
Aleksandra Rickman is a commercially focused professional with a strategic and analytical mindset, excelling in defining challenges and crafting profitable solutions. In business development and sales within the biotech industry, her passion lies in bridging the gap between science and business. Awarded a 40 Under 40 by XODUS in Life Sciences prize, Aleksandra is also the founder of Life Sciences SheNetwork, an initiative dedicated to empowering women in the Life Science industry and facilitating fundraising for women-owned ventures. Outside of her professional pursuits, she enjoys exploring art galleries and swimming lengths in the pool.
Tina Huang
Business Development Manager
Tina Huang is a sales professional with a strong background in nursing, medical writing, and expertise in quality assurance, regulatory affairs, medical affairs, and business development within the biopharmaceutical sector. She excels at navigating complex regulatory frameworks and clinical trial processes, crafting strategies that drive growth and deliver results. With a keen eye for emerging market opportunities, Tina's approach ensures each client's needs are met with tailored solutions—ensuring compliance and fostering partnerships. Her experience working with international teams and global clients enables her to navigate cultural complexities and meet regulatory standards across diverse markets.
Mariam Garelnabi
Brand Engagement Manager
Having completed my education in genetics, immunology and microbiology, I have a proven track record in GCP and GCLP in both research and industry roles. Following the completion of my doctoral studies and postdoctoral appointment, I transitioned into medical affairs and then into sales and marketing for the pharmaceutical and biotechnology industries. I recently joined RiverArk as a Sales Development Representative, and I am excited to leverage my knowledge, experience and collaboration skills to ensure that RiverArk’s services within GxP continue to bring value to its clients.
Iram Iqbal
Associate Director
A Life Science postgraduate with 13 years' experience in Quality Assurance. Experience in conducting GCP, GLP and GCLP audits. Has expertise in conducting Vendor, Investigator site, process and systems audits, inspection readiness and performing gap analysis.