Trust centre

Transparency. Responsibility. Security.

Our Trust Centre brings together the information that demonstrates how we operate responsibly—from data protection and payment security to governance, social impact, and accountability. Here, you’ll find the policies, standards, and commitments that underpin trust across every part of ParentPay Group.

Compliance certifications

Safeguarding information and payments is at the core of ParentPay Group.

Customer assurance audits can be arranged under agreed conditions, with adequate notice and on a cost-recovery basis.

Company information & legal notices

Explore key company information, our privacy commitments, and how we use cookies.

Policies & reports

Access our policies and reports outlining our approach to governance and corporate responsibility.

Our data protection and security framework

Data protection

  • We operate a comprehensive data protection compliance regime managed by our dedicated Information Security team and under the direction of our formally assigned and highly experienced Data Protection Officer (DPO).
  • Data Processing Agreements are established with all customers and clearly stipulate each party’s responsibilities and obligations. No processing takes place on behalf of a controller without an Article 28-compliant, legally binding agreement that requires adherence to all data protection principles and all applicable articles of the EU GDPR and UK GDPR.
  • We have processes in place to manage and respond to data subjects’ requests to exercise their rights under data protection law, including the GDPR.
  • We will inform data controllers of any sub-processors we use and ensure transparency in the engagement of such sub-processors.
  • We have processes in place to notify data controllers of a personal data breach, including documenting any facts relating to the data breach, its effects, and the remedial action taken, and preserving digital evidence for forensic investigation.
  • All customer data is held in UK or EEA data centres.

Policies and governance

  • We maintain a comprehensive set of information security, privacy, and compliance policies aligned with international standards such as ISO 27001 and the GDPR. Policies cover topics such as (but not limited to) data classification and handling, data retention, access control, encryption, incident response, and supplier risk assessment, review, and management.
  • Policies are reviewed at least annually and updated as necessary to reflect changes in regulation, risk, and best practice.

People safeguards

  • We follow the HMG Baseline Personnel Security Standard for all onboarded staff. Due to the sensitive nature of the data we collect and process, all staff must undergo a Disclosure and Barring Service (DBS) check, with additional checks conducted when appropriate for the role. Appropriate assurances are also obtained from subcontractors in respect of their own staff.
  • Staff contracts include confidentiality clauses, and all staff are required to read and accept our security policies during their induction with the company.
  • We use a combination of eLearning and face-to-face workshops to continually deliver awareness training to all staff in Information Security and Data Protection. This training is conducted on a regular basis with frequent tests, including simulated phishing attacks, to ensure that staff can identify threats and follow the correct procedures. Role-specific training is also delivered, tailored to responsibilities.
  • We have a dedicated information security team including Security Analysts, a Security Engineer, an Internal Pen Tester, and Security Managers. The team ensures that all business units comply with applicable legislation and standards such as ISO 27001, PCI DSS, and the DPA/GDPR, manages security controls, and answers queries from staff or customers. Our Managed Detection and Response (MDR) provider supplies incident response capabilities on a 24×7 basis.

Physical safeguards

  • Office locations can only be accessed via secure access control. All staff are required to always wear staff ID badges when on premises. Visitors are recorded and identified. CCTV and intruder alarms are installed.
  • Our datacentres can only be accessed by appointment, and full ID must be presented to on-site security before access to the server room is granted. The highest levels of security are applied, including perimeter security, security guards, CCTV, access controls, visitor management, power redundancy, cooling systems, and fire suppression.
  • A clear desk policy, minimisation of hard-copy data, and secure disposal facilities are in place.

Resilience and reliability

  • We implement a comprehensive capacity management strategy to ensure the stability and performance of our services.
  • Enterprise monitoring systems proactively track capacity against pre-defined thresholds, generating alerts for the IT team to address before service disruption can occur.
  • We maintain disaster recovery and business continuity plans, which are tested regularly to ensure readiness.
  • Secondary datacentres are operated for use in disaster scenarios, with all critical systems frequently backed up and replicated to the secondary site.
  • Critical backups are encrypted, tested, and monitored to safeguard data and ensure recovery capability.

Risk management and supply chain

  • Risk management is fundamental and underpins our overall information security programme.
  • Risks are assessed regularly using industry-standard frameworks. We continuously manage risk through regular security reviews and audits of new and existing technologies, systems, suppliers, processes, and controls.
  • Risks, threats, and vulnerabilities are tracked, evaluated, and mitigated through formalised governance processes.
  • We operate a supplier and third-party management policy that defines strict security requirements for all suppliers and partners. Before any processing activities can begin, third parties undergo due diligence checks to confirm they meet our security and compliance standards. This includes reviewing their policies, technical controls, and relevant certifications. Approved suppliers are also subject to ongoing monitoring and periodic reviews to ensure continued compliance.

Network security

  • Detailed network diagrams are maintained for all infrastructure.
  • All systems are built in accordance with a defined system build standard, which incorporates hardening processes to minimise vulnerabilities and reduce attack surface.
  • Firewall rules and access control lists are reviewed regularly.
  • Physical and logical segregation is in place across networks.
  • The network is monitored for anomalies such as bandwidth usage, request counts, endpoint counts, timing of activity, and geolocation analysis.
  • Intrusion detection mechanisms are deployed across the infrastructure.
  • A complete suite of penetration tests is completed at least annually, conducted by both internal testers and specialist third parties. These include internal and external penetration testing, web application and API testing, firewall and build reviews, and wireless penetration testing.
  • Leading firewall review tooling is used to assess firewall and router configurations across the enterprise. Independent reviews are also carried out annually by specialist third parties.

Architecture overview

The following may be adapted depending on the product:

  • Cloud-based WAF, DDoS, and CDN services provided by leading vendors.
  • Perimeter firewalls on our infrastructure.
  • Load balancers.
  • Backend servers using network segregation to keep products and application tiers separate.
  • Host-based security systems, including host-based firewalls, next-generation anti-malware, monitoring, log collection, and configuration management.

Data encryption

  • HTTPS is used for transmitting all data between client machines and our servers, using TLS 1.2 to protect data in transit.
  • Server storage arrays are protected with full disk encryption.
  • Data backups are immutable and fully encrypted.
  • Employee laptops are also subject to full disk encryption.

Intrusion detection & vulnerability management

  • Firewalls are installed with integrated Intrusion Detection and Prevention System (IDS/IPS) capabilities.
  • Multiple intrusion detection engines are deployed to monitor suspicious activity across the network.
  • Endpoint security suites are used to detect suspicious events and behaviour.
  • Best-of-breed Endpoint Detection and Response (EDR) and XDR tooling is deployed and monitored by a specialist third-party Managed Detection and Response (MDR) team operating from a world-leading Security Operations Centre (SOC), with expert incident response capabilities on retainer.
  • Advanced host-based IDS and user-behaviour analytics (UBA) are operated to identify malicious activity across infrastructure.
  • Industry-leading vulnerability scanners are used to continuously scan internal and external infrastructure.
  • A dedicated Patch and Vulnerability Group (PVG) manages patching and remediation, supported by a detailed asset inventory, threat monitoring, and automated update processes.
  • Vulnerabilities are prioritised using industry-standard tools, with remediation tracked through a formal treatment plan. Effectiveness is measured and reported regularly.
  • File Integrity Monitoring (FIM) is deployed at multiple layers.
  • An enterprise SIEM platform spans infrastructure and cloud environments, alerting on suspicious changes or activity.
  • Package management systems regularly scan for unauthorised installations.
  • Vulnerability scanners are also used to identify and remediate insecure configuration changes.

Access control

  • Operational staff are provided with the access necessary to maintain continuity of services. Support staff may require access to customer environments to investigate and resolve issues. In limited cases, development staff may be granted access to customer data to help diagnose and fix faults identified during the support process.
  • Access levels are granted according to the principle of least privilege and reviewed on a regular basis.
  • Administrative accounts are kept separate from users’ day-to-day accounts.
  • Records of access are maintained, and permissions are reviewed regularly.
  • All accounts are named, attributable, and uniquely identifiable to individuals. Any exceptions are reviewed by the Security team.
  • Failed logins are recorded, and accounts are locked after a defined number of attempts (typically 3–5) to prevent brute-force attacks.
  • All employee accounts are protected with multi-factor authentication (MFA).
  • Our password policy forbids the storage of passwords in plaintext.
  • Employees are required to use authorised password manager applications to safely store and share credentials.
  • Passwords are audited regularly to ensure compliance.
  • Staff accounts are disabled immediately when employment ends.
  • All accounts are automatically disabled after 90 days of inactivity.
  • Server and workstation sessions are set to lock after a period of inactivity.
  • The Acceptable Use and Clear Desk Policies require staff to lock their workstations when unattended; automatic lockouts are enforced after inactivity.
  • Supplier and vendor default passwords are changed as part of documented build standards.
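The access-control rules above can be checked mechanically against an account inventory. The following is an added example (not ParentPay Group's own tooling) that audits a constructed set of account records against the stated rules: named and attributable accounts, MFA on all employee accounts, a lockout threshold of 3–5 attempts, disabling after 90 days of inactivity, and separation of administrative and day-to-day accounts. The record field names are assumptions.

```python
from datetime import date

# Parameters taken from the stated policy.
INACTIVITY_LIMIT_DAYS = 90
LOCKOUT_MIN, LOCKOUT_MAX = 3, 5


def audit_account(acct, today):
    """Return a list of policy findings for one account record (empty = compliant)."""
    findings = []
    if not acct.get("owner"):
        findings.append("not attributable to a named individual")
    if acct["type"] == "employee" and not acct.get("mfa"):
        findings.append("MFA not enforced")
    threshold = acct["lockout_threshold"]
    if not LOCKOUT_MIN <= threshold <= LOCKOUT_MAX:
        findings.append(f"lockout threshold {threshold} outside {LOCKOUT_MIN}-{LOCKOUT_MAX}")
    idle_days = (today - acct["last_login"]).days
    if acct["enabled"] and idle_days > INACTIVITY_LIMIT_DAYS:
        findings.append(f"enabled but inactive for {idle_days} days")
    if acct.get("admin") and acct.get("daily_use"):
        findings.append("administrative rights on a day-to-day account")
    return findings


def audit_inventory(accounts, today):
    """Map account name -> findings, listing only accounts that breach a rule."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample inventory (hypothetical accounts, not real data).
TODAY = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    {"name": "j.smith", "type": "employee", "owner": "Jane Smith", "mfa": True,
     "lockout_threshold": 5, "last_login": date(2025, 5, 30), "enabled": True,
     "admin": False, "daily_use": True},
    {"name": "adm-j.smith", "type": "employee", "owner": "Jane Smith", "mfa": True,
     "lockout_threshold": 3, "last_login": date(2025, 5, 29), "enabled": True,
     "admin": True, "daily_use": False},
    {"name": "svc-reports", "type": "service", "owner": "", "mfa": False,
     "lockout_threshold": 10, "last_login": date(2025, 1, 15), "enabled": True},
    {"name": "t.brown", "type": "employee", "owner": "Tom Brown", "mfa": False,
     "lockout_threshold": 4, "last_login": date(2025, 2, 1), "enabled": True,
     "admin": True, "daily_use": True},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, "->", "; ".join(findings))
```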

Secure software development

  • We adopt a ‘privacy by design and by default’ approach to application development.
  • Developers are trained regularly in secure coding methods and practices.
  • Code reviews are conducted for all new developments and software changes, independent of the original developer.
  • Internally developed applications are subject to regular penetration testing.
  • Development and test environments are kept separate from production environments.
  • Live data is not used in development or testing; only anonymised test data is permitted.
  • Source code and applications are analysed for security posture using SAST and DAST technologies.
  • All internally developed applications are subject to penetration testing at least annually.

Incident response

  • We maintain a comprehensive incident response programme designed to protect our customers and our services. This includes specialised tools for investigation and evidence collection, supported by regular training and testing of our response processes.
  • We employ a world-leading Managed Detection and Response (MDR) provider, which supplies incident response capabilities on a 24×7 basis.
  • We have cyber insurance in place, which includes incident response capacity should it be required.
  • All security incidents, regardless of size, are tracked and logged. If an incident occurs, we declare it transparently and notify affected customers and relevant authorities without undue delay.