Security Overview
Protecting the confidentiality, integrity and availability of customer data is central to our organisation. Our security practices are built on robust technical controls, clear governance processes and a commitment to continual improvement. This overview explains how we safeguard information throughout its lifecycle and maintain a secure, reliable service.
Infrastructure & Network Security
Our infrastructure uses modern, resilient cloud architecture and strict access controls to protect data.
- Environment Segregation: Production and non-production systems remain separate to reduce risk.
- Firewalls & Threat Monitoring: Traffic is monitored continuously, supported by firewalls and automated detection tools to prevent unauthorised access.
- Regular Patching: Systems and applications are updated frequently to address vulnerabilities.
Data Encryption
We apply strong encryption standards to safeguard information in transit and at rest.
- In-Transit Encryption: All communications use TLS to secure data during transfer.
- At-Rest Encryption: Sensitive data is encrypted using industry-standard algorithms to prevent unauthorised access.
Access Control & Identity Management
We follow the principle of least privilege, ensuring access is restricted to what is strictly necessary.
- Multi-Factor Authentication (MFA) for all administrative and internal accounts.
- Role-Based Access Control (RBAC) to align permissions with job responsibilities.
- Centralised Identity Management for consistent oversight and rapid access revocation.
Secure Development Practices
Security is embedded into our development lifecycle to minimise vulnerabilities.
- Code Reviews & Static Analysis: All code undergoes peer review and automated scanning.
- Dependency Monitoring: Third-party libraries are monitored and updated as required to remove known security issues.
- Penetration Testing: Independent testing is conducted regularly to validate the security of our platform.
Monitoring, Logging & Incident Response
Continuous monitoring allows us to detect anomalies quickly and respond effectively.
- Real-Time Monitoring of infrastructure and application activity.
- Detailed Logging to support investigation and forensic analysis.
- Incident Response Plan outlining coordinated steps to contain, resolve and communicate any security incidents.
Business Continuity & Resilience
We maintain comprehensive plans to ensure our services remain reliable and available.
- Backups: Regular, secure backups of critical data.
- Disaster Recovery: Procedures for restoring systems in the event of disruption.
- Resilient Architecture designed to withstand component failures without significant service impact.
Employee Security & Training
Security culture is embedded throughout the organisation.
- Mandatory Training: Staff complete regular training covering security awareness and UK GDPR.
- Background Checks: Pre-employment screening is conducted in line with UK best practice.
- Acceptable Use Policies: Employees must follow strict guidelines governing system usage and data handling.
Governance & Risk Management
Our security governance framework provides clear oversight, responsibility and accountability across the business.
- Policies & Procedures: Security and data protection policies are reviewed regularly and made available to all staff to ensure consistent understanding and application.
- Vendor Management: Third-party suppliers undergo due diligence to confirm they meet our required security, privacy and UK GDPR standards.
Data Protection & Privacy
We comply fully with the UK GDPR and the Data Protection Act 2018, ensuring personal data is handled lawfully, fairly and transparently.
- Data Minimisation: Only the information necessary to deliver and improve our services is processed.
- Privacy by Design: Security and privacy considerations are integrated into products and features from the earliest stages of development.
- Data Subject Rights: We support access, rectification, erasure, portability and restriction rights, as defined under UK GDPR.
Further details are set out in our Privacy Notice.
Our Commitment
We continuously improve our security posture, informed by evolving threats, regulatory developments and best practice guidance from organisations such as the ICO. Safeguarding your data remains one of our highest priorities, and we are committed to operating a secure, transparent and trustworthy service.
V1 Jan 2026