Compliance and policies

At Quix IS Ltd (‘QUIXIS’), we are committed to upholding the highest standards of ethical behaviour, integrity, and professionalism in all our activities. Whether contracting us on a Consulting basis, or sending your child on a Creativity workshop we run as MonkQuixote, we recognise the importance of operating with honesty, transparency, and fairness.

The Code of Conduct below sets out our commitment to ethical practices.
Further policies below provide more detail on specific aspects of sustainability, information security and privacy.

Code of Conduct

1. Integrity and Professionalism

  • We conduct all aspects of our business with honesty, fairness, and transparency.
  • We are committed to delivering high-quality services to clients, maintaining professionalism in all interactions, and providing clear and accurate analysis and advice.
  • We respect confidentiality and ensure all client information is treated with discretion and care.

2. Compliance with Laws and Regulations

  • We comply with all applicable laws and regulations, including those governing business practices, data protection, and information security.
  • We specifically adhere to the UK Bribery Act 2010 and commit to preventing any form of bribery or corruption in our operations.

3. Anti-Bribery and Corruption

  • We have a zero-tolerance approach to bribery and corruption. We do not, under any circumstances, offer, give, request, or accept bribes, either directly or indirectly.
  • We ensure that all gifts, hospitality, or other business courtesies are reasonable, transparent, and aligned with the law and best practices, and are not intended to influence business decisions unfairly.
  • Any suspicions of bribery or corruption will be reported immediately, and appropriate action will be taken to investigate and address such issues.

4. Conflict of Interest

  • We will avoid situations where personal interests could conflict with the best interests of our clients or business.
  • Should any potential conflicts of interest arise, they will be disclosed, and steps will be taken to manage them in a transparent manner.

5. Respect and Inclusion

  • We are committed to treating all individuals with dignity and respect, fostering an inclusive and diverse environment. Discrimination, harassment, or any form of unethical behaviour will not be tolerated.
  • We ensure that all participants in workshops, reports, and consultancy services feel valued and respected.

6. Client and Stakeholder Relationships

  • We maintain open, honest, and respectful communication with clients, partners, and stakeholders.
  • We aim to provide unbiased, independent advice that serves the best interests of our clients.

7. Continuous Improvement and Accountability

  • We regularly review and update our business practices to ensure they reflect the highest ethical standards and legal requirements.
  • We are accountable for our actions and are committed to continuous learning and improvement.

By adhering to this Code of Conduct, we aim to maintain the trust of our clients, partners, and the wider community while fostering an ethical and responsible business environment.


This Code of Conduct will be reviewed periodically to ensure it reflects current laws, best practices, and our commitment to ethical business conduct.
Last reviewed September 2024.

Corporate and Social Responsibility

1. Sustainability Commitment

  • We strive to minimise our environmental impact by adopting sustainable practices, including reducing waste, conserving energy, and using digital solutions to decrease paper usage.
  • We prioritise virtual meetings and communication methods to reduce unnecessary travel and lower our carbon footprint.
  • When travel is necessary, we aim to use environmentally responsible modes of transport wherever possible.
  • Wherever possible, we will favour trading with B Corp certified businesses.

2. Ethical Business Practices

  • We are committed to conducting business with integrity, transparency, and fairness.
  • Our consultancy services are delivered with respect for human rights and a focus on positive social outcomes for clients and stakeholders.
  • We only work with organisations which share similar values to our own.
  • We maintain high standards of professionalism and adhere to legal and ethical guidelines in every aspect of our work.

3. Community and Social Impact

  • We aim to contribute positively to the communities we serve by offering insights and solutions that support long-term social and economic development.
  • We actively support diversity, equity, and inclusion within our work, ensuring that all voices are heard and respected in our workshops and consultancy projects.

4. Continuous Improvement

  • We regularly evaluate our sustainability and CSR practices, seeking opportunities for continuous improvement and adapting to evolving best practices.
  • We are committed to staying informed about current sustainability issues and incorporating responsible practices into our business.

Together, we are dedicated to creating lasting value for our clients, communities, and the planet by integrating sustainability and social responsibility into everything we do.


This policy will be reviewed periodically to ensure it reflects our ongoing commitment to responsible business practices.
Last reviewed September 2024.

Information Security Policy

Purpose

Information that’s collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption. Information may be put at risk by poor education and training, and the breach of security controls.

Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation, as well as possible judgements being made against Quix Innovation Services Ltd. (‘Quix IS’).

This high-level Information Security Policy sits alongside the ‘Information Risk Management Policy’ and ‘Data Protection Policy’. It provides the high-level outline of, and justification for, Quix IS’s risk-based information security controls.

Objectives

Quix IS’s security objectives are that:

  • our information risks are identified, managed and treated according to an agreed risk tolerance
  • our authorised users can securely access and share information in order to perform their roles
  • our physical, procedural and technical controls balance user experience and security
  • our contractual and legal obligations relating to information security are met
  • our teaching, research and administrative activity considers information security
  • individuals accessing our information are aware of their information security responsibilities
  • incidents affecting our information assets are resolved and learnt from to improve our controls

Scope

The Information Security Policy and its supporting controls, processes and procedures apply to all information used at Quix IS, in all formats. This includes information processed by other organisations in their dealings with Quix IS.

The Information Security Policy and its supporting controls, processes and procedures apply to all individuals who have access to Quix IS information and technologies. This includes external parties that provide information processing services to Quix IS.

Compliance monitoring

Compliance with the controls in this policy will be monitored by the Information Security Team, and reported to the Information Governance Board.

Review

A review of this policy will be undertaken by the Founder. This will be annually or as required, and will be approved by the Founder.

Policy Statement

It is Quix IS’s policy to ensure that information is protected from a loss of:

  • confidentiality – information will be accessible only to authorised individuals
  • integrity – the accuracy and completeness of information will be maintained
  • availability – information will be accessible to authorised users and processes when required

Quix IS will implement an Information Security Management System based on certified standards as required. Quix IS will be mindful of the approaches adopted by its stakeholders, including research partners.

Quix IS will adopt a risk-based approach to the application of the following controls:

1. Information security policies

A set of lower-level controls, processes and procedures for information security will be defined, in support of the high-level Information Security Policy and its stated objectives. This suite of supporting documentation will be approved by the Founder, published and communicated to Quix IS users and relevant external parties.

2. Organisation of information security

Quix IS will define and implement suitable governance arrangements for the management of information security. This will include identification and allocation of security responsibilities, to initiate and control the implementation and operation of information security within Quix IS.

Quix IS will appoint:

  • an Executive (the Founder) to chair the Information Governance Board and take accountability for information risk.

3. Human resources security

Quix IS’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff. Poor or inappropriate behaviour will be addressed.

Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans.

4. Asset management

All assets will be documented and accounted for. This includes:

  • information
  • software
  • electronic information processing equipment
  • service utilities
  • people

Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.

All information assets will be classified according to their legal requirements, business value, criticality and sensitivity. Classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.

5. Access control

Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.

A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed, and will include consideration of multiple factors as appropriate.

Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. The separation of duties will be implemented, where practical.

6. Cryptography

Quix IS will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems, as required.

7. Physical and environmental security

Information processing facilities are housed in secure areas, physically protected from unauthorised access, damage and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorised access and protect assets. This includes those that are critical or sensitive, against forcible or hidden attacks.

8. Operations security

Quix IS will ensure the correct and secure operations of information processing systems. This will include:

  • documented operating procedures
  • the use of formal change and capacity management
  • controls against malware
  • defined use of logging
  • vulnerability management

9. Communications security

Quix IS will maintain network security controls to ensure the protection of information within its networks. Quix IS will also provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities. This is in line with the classification and handling requirements associated with that information.

10. System acquisition, development and maintenance

Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.

Controls to reduce any risks identified will be implemented where appropriate.

Systems development will be subject to change control and separation of test, development and operational environments.

11. Supplier relationships

Quix IS’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected.

Supplier activity will be monitored and audited according to the value of the assets and the associated risks.

12. Information security incident management

Guidance will be available on what constitutes an information security incident and how this should be reported. Actual or suspected breaches of information security must be reported and will be investigated. The appropriate action to correct the breach will be taken, and any learning built into controls.

13. Information security aspects of business continuity management

Quix IS will have in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters. This is to ensure their timely recovery in line with documented business needs. This will include appropriate backup routines and built-in resilience.

Business continuity plans must be maintained and tested in support of this policy. Business impact analysis will be undertaken, detailing the consequences of: 

  • disasters
  • security failures
  • loss of service
  • lack of service availability

14. Compliance

The design, operation, use and management of information systems must comply with all statutory, regulatory and contractual security requirements.

Currently this includes: 

  • data protection legislation
  • the payment card industry standard (PCI-DSS)
  • the government’s Prevent strategy
  • Quix IS’s contractual commitments

Quix IS will use a combination of internal and external audits to demonstrate compliance against chosen standards and best practice, including against internal policies and procedures. This will include: 

  • IT health checks
  • gap analyses against documented standards

Review of this document: annually by Founder.

Next review date: 01 September 2025.

Occupational Health, Safety, and Environmental (OHSE) Policy

1. Health & Safety Commitment

  • Ensure that all work activities, including workshops and on-site visits, are conducted in environments that meet health and safety standards.
  • Assess and mitigate risks, including ergonomic hazards during computer use and potential travel-related risks.
  • Take regular breaks to avoid fatigue and reduce stress, ensuring personal well-being.
  • Carry out all tasks with a focus on preventing injuries and minimizing any health risks.

2. Environmental Responsibility

  • Minimize environmental impact by reducing waste, conserving resources, and using sustainable practices in business operations.
  • Opt for digital solutions over printed materials where possible to reduce paper usage.
  • Utilize virtual meetings and communication tools to minimize travel and carbon footprint.

3. Continuous Improvement

  • Regularly review OHSE practices to identify opportunities for improvement.
  • Stay informed about evolving OHSE regulations and integrate best practices into daily operations.

We are fully committed to maintaining high standards of health, safety, and environmental stewardship in all aspects of our consultancy work.


This policy will be reviewed periodically to ensure it remains relevant and effective.
Last reviewed September 2024.

Privacy Policy

Introduction

Quix IS Ltd (‘Quix IS’) takes your privacy very seriously. This Privacy Notice is intended to set out your rights and answer any queries you may have about your personal data. If you need more information, please contact: office@quixis.co.uk

If you have entered into a contract with Quix IS, the controller of your data will be Quix IS Ltd (ICO reference 00017779197).

Our personal data handling policy and procedures have been developed in line with the data protection laws that apply to us in the countries in which we offer our goods and services, in particular the EU General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”) and the UK General Data Protection Regulation which reflects the retained and amended provisions of the EU GDPR that are incorporated into UK law under the UK European Union (Withdrawal) Act 2018 as amended (the “UK GDPR”), as these laws establish the most expansive data protection obligations.

1. What personal data do we collect?

We collect and process personal data about you when you interact with us or in purchasing services from us. The personal data we process includes:

  • name;
  • home or work address, email address and/or phone number;
  • job title;
  • payment and delivery details, including billing and delivery addresses and credit card details, where you make purchases from us;
  • personal data related to the browser or device you use to access our website;
  • internet browser and operating system;
  • recordings of meetings and/or workshops; and
  • any other personal data you provide.

2. How do we use this personal data and what is the legal basis for this use?

We process the personal data listed in paragraph 1 above for the following purposes:

  • to establish and fulfil a contract with you, for example, if you make a purchase from us or enter into an agreement to provide or receive services. This may include verifying your identity, taking payments, communicating with you, providing customer services and arranging the delivery or other provision of products or services. We require this information in order to enter into a contract with you and are unable to do so without it;
  • to comply with applicable laws and regulations;
  • in accordance with our legitimate interests in protecting Quix IS’s legitimate business interests and legal rights, including but not limited to, use in connection with legal claims, compliance, regulatory and investigative purposes (including disclosure of such information in connection with legal process or litigation);
  • with your express consent to respond to any comments or complaints we may receive from you, or to investigate any complaints received from you or from others, about our website or our services;
  • we may use the information you provide to personalise (i) our communications to you; (ii) our website; and (iii) products or services for you, in accordance with our legitimate interests;
  • to monitor use of our websites and online services. We may use your information to help us check, improve and protect our products, content, services and websites, both online and offline, in accordance with our legitimate interests;
  • if you provide a credit or debit card, we may also use third parties (such as POS payment providers) to check the validity of the sort code, account number and card number you submit in order to prevent fraud, in accordance with our legitimate interests and those of third parties;
  • we may monitor any customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law and our legitimate interests;
  • in circumstances where you contact us by audio service, these may be recorded for quality, training and security purposes, in accordance with our legitimate interests; and
  • we may use your information to invite you to take part in market research or surveys.

We may also send you direct marketing in relation to Quix IS’s relevant products and services. E-mail marketing will only be sent where you have given your consent to receive it, or (where this is allowed) you have been given an opportunity to opt out. We will not send you direct marketing of third-party products or services although our own products or services may on occasion include cooperation with third parties. You will continue to be able to opt out of electronic direct marketing at any time by following the instructions in the relevant communication.

3. With whom and where will we share your personal data?

We may share your personal data with third parties, who will process it for the purpose of delivering products or services, where elements of these are provided by parties other than those with which you have directly contracted.

We may also share your personal data with the below third parties:

  • our suppliers, business partners and sub-contractors; and/or
  • search engine and web analytics providers.

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if needed for the legal protection of our legitimate interests in compliance with applicable laws. Personal data may also be shared with third-party service providers who will process it on behalf of Quix IS for the purposes above. Such third parties include but are not limited to, providers of website hosting, maintenance, call centre operation and identity checking.

In the event that our business or any part of it is sold or integrated with another business, your details will be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business.

4. How long will you keep my personal data?

We will not keep your personal data for any purpose longer than necessary to fulfil the original or a compatible purpose. In some instances, we are required to retain certain information by law, and for as long as reasonably necessary to meet regulatory or accreditation requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions. Where this is the case, your personal data will only be processed for the relevant legitimate purpose and not used for marketing.

Where you are a customer, we will keep your personal data for the length of any contractual relationship you have with us and after that for a period of up to 3 years.

Where you are a prospective customer and you have expressly consented to us contacting you, we will only retain your personal data for this purpose (a) until you unsubscribe from our communications; or, if you have not unsubscribed, (b) while you interact with us and our content; or (c) for 2 years from when you last interacted with us or our content.

We may retain your personal data for a time beyond the specified retention period, to allow for information to be reviewed and any deletion to take place. After it is no longer necessary for us to retain your personal data, we dispose of it securely.

5. Where is my data stored?

The personal data that we collect from you may be transferred to, and stored outside, the United Kingdom or the European Economic Area (“EEA”). Further information may be obtained from the main Office email address.

6. What are my rights in relation to my personal data?

You have the right to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data, clicking the unsubscribe button on any communication we have sent to you or by contacting us.

Where you have consented to us using your personal data, you can withdraw that consent at any time.

If the information we hold about you is inaccurate or incomplete, you can notify us and ask us to correct or supplement it.

You also have the right, with some exceptions and qualifications, to ask us to provide a copy of any personal data we hold about you.

Where you have provided your data to us and it is processed by automated means, you may be able to request that we provide it to you in a structured, machine-readable format.

If you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is resolved. In some circumstances you can ask us to erase your personal data (a) by withdrawing your consent for us to use it; (b) if it is no longer necessary for us to use your personal data; (c) if you object to the use of your personal data and we don’t have a good reason to continue to use it; or (d) if we haven’t handled your personal data in accordance with our obligations.

7. Where can I find more information about Quix IS’s handling of my data?

Should you have any queries regarding this Privacy Notice, about Quix IS’s processing of your personal data or wish to exercise your rights you can contact Quix IS using this email address: office@quixis.co.uk.

If you are not happy with our response and you are based:

  • in the United Kingdom, you can contact the Information Commissioner’s Office (https://ico.org.uk/);
  • anywhere else, you have the right to lodge your complaint with the relevant data protection regulator in the country where you are located.

Last reviewed September 2024.

Quality Management

At our consultancy, we are committed to delivering high-quality services in management, innovation consulting, research, analysis, and facilitation. Although we do not have formal Quality Management certification, we strive to meet the highest professional standards through continuous improvement, client-focused solutions, and attention to detail. This Quality Management Policy outlines our dedication to providing excellent services and ensuring client satisfaction.

1. Commitment to Quality

  • We are dedicated to understanding and meeting the needs of our clients by delivering insightful, actionable, and tailored solutions.
  • All consultancy, research, analysis, and facilitation work is performed with the highest level of accuracy, thoroughness, and professionalism.

2. Client-Centric Approach

  • We prioritise clear and open communication with clients to ensure their objectives are fully understood from the outset.
  • We collaborate closely with clients throughout the project lifecycle to ensure that their expectations are met or exceeded.
  • Feedback from clients is actively sought and used as a tool for continuous improvement.

3. Continuous Improvement

  • We regularly review our work processes and outcomes to identify areas for improvement, applying lessons learned from each project to enhance future performance.
  • We stay informed about the latest industry trends, research methods, and facilitation techniques to ensure our services remain relevant, innovative, and effective.

4. Attention to Detail

  • All research, analysis, and reports are subject to rigorous checks to ensure accuracy and reliability.
  • We are committed to delivering work on time and within scope, ensuring that all deliverables meet agreed-upon quality standards and deadlines.

5. Professional Development

  • We continuously seek to develop our skills and expertise through ongoing learning and professional development.
  • We stay up to date with best practices, tools, and methodologies in consulting, research, and facilitation to ensure the highest quality of service delivery.

6. Risk Management

  • We identify potential risks early in the project process and take proactive steps to mitigate them, ensuring the delivery of high-quality results with minimal disruption.
  • We consistently review project performance to ensure all quality objectives are being met and to address any issues promptly.

7. Accountability and Responsibility

  • We take full responsibility for the quality of our work and hold ourselves accountable for delivering services that meet the agreed-upon standards.
  • Any concerns related to the quality of our services are addressed promptly and transparently to ensure client satisfaction.

By adhering to this Quality Management Policy, we aim to provide exceptional services that consistently deliver value to our clients, ensuring long-term trust and partnership.


This policy will be reviewed periodically to ensure that our commitment to quality remains aligned with best practices and client expectations.

Last reviewed September 2024.

Working with children

Safeguarding Policy

QUIXIS is committed to providing a safe, inclusive, and creative environment for all children and young people participating in our creativity workshops. We believe every child has the right to express themselves artistically in a space free from harm, abuse, or neglect.

Scope

This policy applies to all staff, facilitators, volunteers, and anyone acting on behalf of QUIXIS – in particular workshops delivered under the Monk Quixote brand. It covers all activities involving individuals under 18 years of age.

Our Commitment

  • Ensure the safety and well-being of all children and young people in our care.
  • Promote a culture where safeguarding is everyone’s responsibility.
  • Respond promptly and appropriately to any concerns or allegations.
  • Maintain clear procedures for reporting and managing safeguarding issues.
  • Regularly review and update our safeguarding practices. 
  • Workshop leaders will as a minimum hold an Enhanced DBS check and First Aid certificate.
  • Risk assess all activities which involve children and young people.

Key Safeguarding Principles

  • All children have equal rights to protection from harm.
  • The best interests of the child are paramount.
  • All concerns and allegations of abuse will be taken seriously and responded to appropriately.
  • We will work in partnership with children, parents, carers, and other agencies. 

Photography and Video Recording

Monk Quixote may occasionally take photographs or record videos during creativity workshops for the purposes of marketing and promotion. We will always seek written consent from parents, guardians, or participants (where appropriate) before capturing any images or recordings. Additionally, separate consent will be requested before any photographs or videos are published on our website, social media, or in printed materials. No child will be identified by name unless explicit permission has been granted.

Safeguarding Officer

Any safeguarding concerns should be directed to our designated Safeguarding Officer: 

Name: Ivan Salcedo
Email: safeguarding@quixis.co.uk
Phone: 07961 425751

Responding to Concerns

  • If a child is in immediate danger, call 999.
  • Report any non-immediate concerns to the Safeguarding Officer as soon as possible.
  • Document all concerns factually and confidentially. 

Review

This policy will be reviewed annually or in response to significant changes in legislation or our operations. 

Last reviewed April 2025.