Security & Compliance

Certifications and Compliance

We conform to NCSC C.E. requirements and our datacentres meet industry standards for information management systems and physical security.

National Cyber Security Centre C.E. standards
Required for UK Government contracts.

This certification is filed annually for review, covers the broad topics listed below, and is a basic requirement for obtaining UK government contracts.

  • Firewalls
  • Secure configuration
    • Encryption policy
    • Enforcing security policy
  • User access control
    • Principle of least privilege
    • Password policy
  • Physical security
  • Malware protection
  • Security update management
  • Data logging and backup

GDPR, UK-GDPR, CCPA

Our security policies are designed to meet or exceed the requirements of the above data privacy laws and should be read in conjunction with our other privacy and data retention documents.

Suppliers are vetted to ensure they offer suitable levels of security.

Based in the United Kingdom

The company is based and registered in England, UK, and is therefore legally required to implement these data protections for all users globally, not only those within the UK, EU or California.

Core security

The most commonly requested information

Physical Security and Data hosting

Our primary and standby data centres (where our web application and database servers operate) are located in different parts of the United Kingdom.

All data centres hold the appropriate certifications, including ISO 27001:2013, and provide physical security barriers, 24/7 security, access cards and CCTV. Both have backup generators and backup cooling. Any other cloud services we use must meet these specifications (SOC Type I/II is also acceptable).

Encryption

We use only strong encryption (TLS 1.2 or later, AES-128 or stronger) when transmitting data. BitLocker (encryption at rest) is enforced by MDM policy on staff devices and flash drives.
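As an added example (not code from this page or the company), the following Python `ssl` client context enforces the floor stated above (TLS 1.2 or later, AES-128 or stronger, AEAD suites only) and an audit function reports any enabled suite that falls below it. The `audit_legacy_example` helper builds a deliberately relaxed context with a hypothetical legacy cipher setting so the audit's output can be seen.

```python
import ssl

# Policy floor, taken from the text above: TLS 1.2+ and AES-128+.
MIN_TLS = ssl.TLSVersion.TLSv1_2
MIN_SYMMETRIC_BITS = 128


def make_client_context() -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.2 and, for
    TLS 1.2, offers only ECDHE + AEAD suites (AES-GCM or ChaCha20-Poly1305).
    TLS 1.3 suites are managed separately by OpenSSL and are all AEAD."""
    ctx = ssl.create_default_context()   # CA verification and hostname check on
    ctx.minimum_version = MIN_TLS        # hard floor regardless of OpenSSL defaults
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of policy findings; an empty list means the context complies."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    # get_ciphers() reports the suites OpenSSL would actually offer, including
    # the symmetric key strength and whether the suite is authenticated encryption.
    for suite in ctx.get_ciphers():
        if suite["strength_bits"] < MIN_SYMMETRIC_BITS:
            findings.append(f"{suite['name']}: only {suite['strength_bits']}-bit")
        if not suite["aead"]:
            findings.append(f"{suite['name']}: not an AEAD suite")
    return findings


def audit_legacy_example() -> list:
    """Hypothetical relaxed configuration: AES-CBC with HMAC-SHA1 is 128-bit but
    not AEAD, so the audit flags it. Returns [] only if this OpenSSL build no
    longer offers the legacy suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS
    try:
        ctx.set_ciphers("AES128-SHA")    # constructed weak setting for the demo
    except ssl.SSLError:
        return []
    return audit_context(ctx)


if __name__ == "__main__":
    print("hardened context findings:", audit_context(make_client_context()))
    print("legacy context findings:", audit_legacy_example())
```

The audit reads the effective cipher list rather than the configuration string, so it catches suites that a permissive OpenSSL default would add back; running it against every context the application creates is a cheap regression check for the policy above.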

Any sensitive data transferred from production servers for backup purposes will be encrypted before transfer as an additional security measure.

Next-Gen (NG) Firewalls & Antivirus

Our servers and office network are protected by Next Generation (NG) firewalls and enterprise-grade malware/security suites. NG firewalls include Deep Packet Inspection capabilities that allow us to detect and block malicious behaviour in traffic that might be caused by malware or unusual device activity, such as attempts to contact servers in Russia or China, P2P connections, and more.

As expected, all devices have antivirus/anti-malware installed.

Business continuity

In 2021 our primary datacentre (OVH) burnt to the ground after a backup generator exploded, incinerating our equipment. This followed the New York floods a few years earlier, which also destroyed everything.

Neither event significantly affected our customers, as, like Homer Simpson, we always have an emergency plan B (a spare datacentre, not Alaska).

Geographic redundancy

A second hot-standby server runs 24/7, not just in a different data centre but with an entirely different provider, to ensure there is always a rapid alternative in the event of a fire, flood, data centre insolvency or major cloud provider outage.

External backups

We take incremental database backups every 15 minutes, which are pre-encrypted and shipped to Amazon AWS in Ireland for storage. We automatically restore these backups to verify that they will work when needed, an important and often forgotten step.
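The restore check described above, as an added Python example (not the page's or the company's own tooling): it snapshots a constructed sqlite "production" database with sqlite's online backup API, records a SHA-256 for the file to be shipped, then restores the snapshot into a scratch database and checks integrity and row count. The encryption-before-transfer step and the upload itself are assumed to be handled separately and are not shown.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def snapshot(src: sqlite3.Connection, dest_path: Path) -> str:
    """Write a consistent online copy of `src` to dest_path and return its
    SHA-256, to be stored with the file so the receiving side can detect a
    truncated or altered upload. Encryption is assumed to happen after this."""
    dest = sqlite3.connect(dest_path)
    src.backup(dest)          # sqlite's backup API: consistent even while src is live
    dest.close()
    return hashlib.sha256(dest_path.read_bytes()).hexdigest()


def verify_restore(backup_path: Path, expected_sha256: str, expected_rows: int) -> dict:
    """The often-forgotten step: restore the backup into a fresh database and
    check it, rather than trusting that the file exists."""
    result = {"checksum_ok": False, "integrity_ok": False, "rows_ok": False}
    actual = hashlib.sha256(backup_path.read_bytes()).hexdigest()
    result["checksum_ok"] = actual == expected_sha256

    restored = sqlite3.connect(":memory:")   # scratch target for the trial restore
    source = sqlite3.connect(backup_path)
    source.backup(restored)
    source.close()

    result["integrity_ok"] = restored.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    count = restored.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    result["rows_ok"] = count == expected_rows
    restored.close()
    return result


def run_backup_cycle() -> dict:
    """Constructed end-to-end run: build a small production database, snapshot
    it, then verify the snapshot restores. Returns the verification result."""
    prod = sqlite3.connect(":memory:")
    prod.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, msg TEXT)")
    prod.executemany("INSERT INTO events (msg) VALUES (?)",
                     [(f"event {i}",) for i in range(25)])
    prod.commit()
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "events.sqlite"
        digest = snapshot(prod, path)
        return verify_restore(path, digest, expected_rows=25)


if __name__ == "__main__":
    print(run_backup_cycle())
```

In a scheduled job the three booleans would be alerted on individually: a checksum mismatch points at transfer or storage, an integrity failure at the snapshot itself, and a row-count mismatch at the backup running before the last writes were committed.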

DDoS protection

We use Cloudflare's commercial offerings to protect our servers against the largest DDoS attacks.

Financial security

We have no debt and have traded profitably every year since incorporation.

Application security

Continuous integration, delivery and deployment are modern approaches to the building, testing and deployment of IT systems.

Application framework security

We use modern, well-supported frameworks provided by Microsoft, Google and the open source community. These frameworks protect against common OWASP Top 10 security risks such as Cross-Site Scripting (XSS), Buffer Overflows, Cross-Site Request Forgery (CSRF), broken authentication and session handling, and more.

Database access is via an ORM (Object Relational Mapper), which significantly limits, if not eliminates, the risk of SQL injection (SQLi).
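To make the ORM point concrete, here is an added Python/sqlite3 example (not the page's or the company's code): the same lookup written once with string formatting, which is the flaw an ORM removes, and once as a parameterised query, which is what an ORM generates underneath. The table and rows are constructed fixtures; the textbook tautology input is used only to show the difference between the two.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory fixture: three users, each owning one record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO records (owner, body) VALUES (?, ?)",
        [("alice", "alice's note"), ("bob", "bob's note"), ("o'brien", "o'brien's note")],
    )
    conn.commit()
    return conn


def records_for_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """The pattern an ORM exists to prevent: the caller's string is spliced into
    the SQL text, so the database cannot tell data from code. A quote in the
    input changes the query; a legitimate name like o'brien is a syntax error."""
    sql = f"SELECT body FROM records WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def records_for_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query, which is what an ORM filter compiles to: the driver
    sends the value separately, so it is only ever compared, never parsed."""
    rows = conn.execute("SELECT body FROM records WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(records_for_safe(db, "alice"))
    print(records_for_safe(db, "o'brien"))
    print(records_for_safe(db, "x' OR '1'='1"))          # [] : treated as a literal owner name
    print(records_for_vulnerable(db, "x' OR '1'='1"))    # every row: the quote broke out
```

The safe version also handles the apostrophe in "o'brien" correctly, which the vulnerable version cannot: the defect is a correctness bug as much as a security one, which is why an ORM or parameterised access is the default rather than an add-on.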

Secure development environment

As per NCSC guidance, developers use a virtualised OS to separate their coding from their day-to-day environment. This means that email, browsing and most security credentials are accessed in the same restrictive environment as any other employee's, whilst the coding IDE and toolchain are used from the isolated environment.

Separate environments

Our staging environments are always separated from production. Only anonymised data is used for testing and validation.

Web Application Firewalls

We use the Cloudflare WAF (Web Application Firewall) to help protect our service's APIs. Its uses include:

  • Core OWASP rules block familiar “Top 10” attack techniques.
  • Zero-day vulnerability protection.
  • API rate limiting.

Zero trust and network security

Trust nobody, authenticate everywhere.

What is zero trust?

Zero trust has become fashionable in recent years, especially during COVID, but we have worked this way since 2001.

Zero Trust is a security framework requiring all users, whether in or outside the organisation’s network, to be authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.

Zero trust implementation is an ongoing process that will continue to evolve and change within the company for years to come.

VPNs (obsolete?)

Though zero trust makes VPNs largely redundant, we still use them as an additional layer of security where appropriate, to protect against protocol-level vulnerabilities.

Single Sign-On (SSO)

Staff use a single 2-factor-protected SSO account to access web-based resources where supported. This means that when a member of staff leaves the company we can disable access to all company resources from one place.

Principle of least privilege

Employees are allocated the lowest security level required to perform their jobs. Nobody, including administrators, uses admin-level access on their day-to-day devices.

Hardware security keys (FIDO), biometrics and 2-Factor

As we work towards a passwordless future, employees are given a phishing-resistant FIDO hardware key for access to critical services that support it, alongside Windows Hello, biometrics or TOTP 2FA.

Device health and conditional access

We use Microsoft Intune to monitor device health and, where possible, block access to company resources from devices that fail those checks. This is an ongoing project.

Intrusion detection and prevention

Our network is protected by a combination of hardware and software Deep Packet Inspection and IDS/IPS, powered by next-gen hardware firewalls and enterprise-grade IDS software.

Patch management

OS and third-party updates are applied weekly, either automatically or manually after patch testing. We use patch management software to verify this.

Security Baseline Policy – MDM Device Management

Our security posture is based on the recommended Microsoft Baseline Security Policies which are enforced via Microsoft Intune MDM.

Auditing and Logs

As a best practice and to meet compliance requirements, important server logs are shipped in near real time to an external storage provider, so that a copy always exists if the originals are destroyed.

We also maintain audit-level logs recording access to your application data. These logs are backed up like any other data.

Organisational security

Confidentiality

All employees sign a confidentiality agreement when onboarding.

Onboarding and training

All staff are required to complete the NCSC cyber security training and assessment.

Importantly, as a technology company, our small team is highly technically proficient.

Anti-Email culture

We use secure team messaging services almost exclusively within the company.

Whilst not impossible, this makes spear-phishing attempts much more difficult to launch, as emails or text messages imitating staff members would be unusual and are therefore treated with maximum suspicion.

Policies and procedures

We maintain a set of policies, standards, procedures, and guidelines covering information security, GDPR and data protection, employee responsibilities, and more.

We believe these live and regularly updated documents show our commitment to competent business management at all levels of the organisation.