Security and Data Protection you can trust
Protecting your data is fundamental to how we design, build, and operate our platform. We apply industry-recognised standards, robust technical controls, and strict internal processes to ensure your information remains secure, private, and available when you need it.
Key highlights:
- ISO 27001 certified
- GDPR & UK Data Protection Act compliant
- Encryption in transit and at rest
- 24/7/365 system monitoring
Our Approach
We take a security-first approach with privacy by design and by default. Security is embedded into every stage of our product lifecycle, from development through to deployment and ongoing operations.
Our goal is simple: to protect your data while providing a reliable, resilient service you can trust.
Compliance & Certifications
We maintain a comprehensive Information Security Management System (ISMS).
- ISO 27001 certification – Our security controls are independently audited annually by Tempo (UKAS-registered) to ensure we’re meeting the criteria.
- UK Data Protection Act and GDPR – We process personal data in accordance with applicable data protection laws, ensuring transparency and accountability.

Data Protection & Privacy
We apply strict data protection principles to ensure your information is handled responsibly:
- Data minimisation: We only collect and process what is necessary
- Purpose limitation: Data is used solely for defined purposes
- Data retention controls: Information is retained only as long as needed
Encryption
Data is encrypted in transit using industry-standard protocols such as TLS 1.2 and HTTPS. Data is encrypted at rest using strong encryption mechanisms.
Infrastructure and Hosting Security
CF Suite is built on secure, resilient cloud infrastructure designed for high availability and fault tolerance.
- Highly available architecture with redundancy
- Infrastructure located in UK regions
- Secure, certified data centre environments
- Network segmentation and perimeter protection
- Web Application Firewall
- Built-in resilience and disaster recovery capabilities
- 24/7/365 system monitoring on production
We utilise a leading global cloud hosting provider with internationally recognised security and compliance standards. The hosting infrastructure includes physical security controls, continuous monitoring, resilient networking, and independently audited security practices designed to support enterprise-grade reliability and protection.
Access Control
Access to systems and data is tightly controlled and reviewed regularly.
- Role-Based Access Controls (RBAC)
- Principle of Least Privilege
- Multi-factor authentication required to access infrastructure and customer data
- Documented access reviews at periodic intervals
Security Testing & Vulnerability Management
We proactively identify and address potential vulnerabilities.
- Weekly network scanning
- Ongoing patching process
- Testing during software development where appropriate
- Annual independent penetration testing by a CREST-accredited provider

Business Continuity
We are committed to maintaining service availability, even during unexpected events.
- Regular backups of all servers and databases
- Business Continuity and Disaster Recovery planning
- Annual testing
Policies
Our security practices are supported by comprehensive policies and processes, including:
- Information Security Policy
- Acceptable Use Policy
- Data Handling
- Secure Software Development Lifecycle
Our policies ensure consistent, company-wide adherence to security and compliance requirements.
Staff Training
All our team play a vital role in maintaining security.
- Regular security awareness training
- Annual security policy sign-off
- Confidentiality agreements in all staff contracts
- Role-specific training where needed
