How we protect your data and earn your confidence.
This page explains our approach to data handling, security controls, compliance support and service governance. It is written for procurement, risk officers and auditors who need evidence, not marketing claims.
Your data is yours. We only hold what we need, for as long as we need it.
We do not process customer data for any purpose other than delivering the agreed service. We do not train models on it, sell it, or share it beyond the contracted supply chain.
- Customer data is processed only for the purposes defined in our service agreement — never repurposed, never sold.
- We maintain separate, logical environments for each client. No commingling of telemetry, credentials or reporting outputs.
- Access to customer systems and data is granted on a least-privilege basis, reviewed quarterly and revoked automatically on role change.
- All staff handling customer data sign confidentiality undertakings and complete annual data protection training.
- Retention is time-bound: data is held only for the period necessary to deliver the service and meet legal obligations, then securely destroyed.
The controls that protect our operations and, by extension, yours.
We apply the same standards to our own infrastructure that we recommend for clients. These controls are tested, audited and reported on regularly.
Access control
- Multi-factor authentication enforced across all systems — no exceptions.
- Role-based access with quarterly recertification and automatic deprovisioning.
- Privileged access is time-limited, logged and subject to dual authorisation.
Encryption in transit
- TLS 1.3 minimum for all data in transit between customer environments and our SOC.
- Client-to-SOC channels use mutually authenticated connections where supported.
- No legacy cipher suites or unencrypted fallback paths.
Logging and monitoring
- All administrative and system actions are logged with immutable timestamps.
- SOC monitors its own infrastructure with the same rigour applied to customer estates.
- Logs are retained for 12 months minimum and available for customer audit on request.
Vulnerability management
- Internal systems are scanned weekly; external-facing assets scanned continuously.
- Critical vulnerabilities are remediated within 72 hours; high-severity vulnerabilities within 14 days.
- Patching and hardening follow the same methodology we apply to customer environments.
Incident response
- Defined response playbooks with clear escalation paths to senior engineers.
- Customer notification within 24 hours of any confirmed incident affecting their data.
- Post-incident reviews are documented, shared with affected clients and fed back into controls.
We support your compliance programme — responsibility remains with you.
Our services are designed to produce evidence that maps to common standards. We do not certify you, but we make certification and audit defence significantly less burdensome.
Cyber Essentials / Cyber Essentials Plus
Our testing and remediation services map directly to the five technical controls. We can act as your assessor or provide the evidence pack for your chosen certifying body.
ISO 27001
We structure our reports — vulnerability assessments, pen test outputs, managed security reviews — to align with Annex A controls. This does not replace your own ISMS, but it reduces the effort to demonstrate control effectiveness.
Client audits
We participate in third-party security assessments and due diligence questionnaires. Evidence packs include methodology statements, sample reports, staff CVs and accreditation certificates.
Formal, auditable, repeatable.
Governance is not a slide deck. It is a set of scheduled, documented processes that prove the service is working and risks are being managed.
Reporting cadence
Monthly operational reviews with metrics, incidents and coverage changes. Quarterly governance packs for boards, insurers and auditors. Ad-hoc reports within two working days of request.
Service review
A formal, scheduled review led by your named engineer. The agenda is shared 48 hours in advance. Minutes and actions are tracked in a shared register. Nothing is verbal-only.
Risk acceptance
Where a risk cannot be fully remediated, we document the residual risk and the mitigations in place, and obtain formal written acceptance from the client-side risk owner. This is auditable and reviewable.
Change control
Changes to your security posture — new coverage, rule changes, tool swaps — follow a lightweight but documented process: assess, approve, test, deploy, verify. Rollback plans are pre-agreed.
What we promise — and what we do not.
We believe procurement and risk teams deserve clarity, not ambiguity. These statements define the limits of our service so you can plan accordingly.
Risk reduction, not elimination
No security service can guarantee the prevention of every incident. Our controls reduce likelihood and limit impact. Residual risk always remains, and we will tell you where it sits.
Shared responsibility
Compliance and data protection obligations remain with you as the data controller. We act as a processor or sub-processor under contract. Our role is to make your obligations easier to demonstrate — not to assume them.
Scope boundaries
Our assurances apply only to the services and environments explicitly covered by our agreement. Shadow IT, unsanctioned cloud tenants and unmanaged devices are outside scope unless specifically included.
Need a due diligence pack or a security questionnaire response?
We respond to procurement security assessments within two working days. Ask us for our standard assurance pack, or send your own questionnaire.