We are a US-based Disabled Veteran Owned Small Business and recently picked up a chance to provide our services to a UK company. Our primary questions are:
1) We only keep employee name and employee email, and vendor name and email and IP address for same. Currently, we do not encrypt any of that data but only use it within our software.
2) We use Rackspace's standard security setup for our servers and biometric physical access.
Where are the gaps?