/// Legal & compliance

Policies, statements and contractual templates published in line with UK procurement expectations. See also the trust centre.

/// Document ISP-1

Information Security Policy

The information security baseline that Sifotech UK Ltd applies to every system we operate. Aligned to ISO 27001 controls and the NCSC Cyber Assessment Framework, and pursuing Cyber Essentials certification.

Version 1.0 · Reviewed annually

1. Purpose

This policy defines how Sifotech UK Ltd protects the confidentiality, integrity and availability of information held in our systems and the systems we operate for customers. It supports our obligations under UK GDPR, the Data Protection Act 2018, the Computer Misuse Act 1990 and applicable contractual commitments.

2. Scope

This policy applies to all information assets we own or operate, all systems we deploy, all staff and contractors, and all third-party services that process information on our behalf. It covers production environments, internal tooling and end-user devices.

3. Information classification

Information is classified into four levels, each with its required handling:

  • Public: information intended for public consumption (marketing site, published policies, open-source code). Handling: may be shared without restriction.
  • Internal: routine internal communications and documentation not for public release. Handling: stored in approved systems with normal access controls.
  • Confidential: customer data, contracts, commercial information, source code, security configurations. Handling: encrypted in transit and at rest; least-privilege access; audit-logged.
  • Restricted: personal data falling within special categories under UK GDPR, payment card data, secrets and credentials. Handling: as Confidential, plus mandatory MFA, hardware-backed keys where supported, and stricter retention.

4. Access control

  • Least privilege by default. Production access is granted only to roles that demonstrably require it.
  • Multi-factor authentication is mandatory for all production and administrative interfaces, including source control, hosting, database, payments and email.
  • Row-level security is applied to every multi-tenant database table.
  • Access is reviewed quarterly and revoked promptly on role change or departure.
  • Personal devices used for production access must have full-disk encryption, automatic lock and current OS patches.

5. Encryption

  • TLS 1.2 or higher (TLS 1.3 preferred) for all data in transit. HSTS is enabled on production domains.
  • AES-256 at rest on database volumes, object storage and backup targets, with key management performed by the hosting provider.
  • Secrets and credentials are stored in a managed secrets store and never committed to source control.

6. Logging and monitoring

All authentication events and data mutations are logged with actor, timestamp, source IP, user agent and payload diff. Logs are retained for a minimum of ninety (90) days. We monitor anomalous patterns (failed-login spikes, unusual data egress, permission escalation) and have on-call coverage for high-severity alerts during UK business hours, with paging for P1 alerts.

7. Vulnerability management

Dependencies are scanned on every build by automated tooling (GitHub-equivalent advisory feeds and our cloud providers’ own scanners). Findings are triaged by CVSS severity:

  • Critical (≥ 9.0): patched within 24 hours.
  • High (7.0–8.9): patched within 7 days.
  • Medium (4.0–6.9): patched within 30 days.
  • Low (< 4.0): patched in next scheduled release.

Security researchers may submit responsible-disclosure reports per our security.txt; we acknowledge within 24 hours and triage within 72 hours.

8. Patch cadence

Underlying platform components (database engines, runtime images, edge runtime) are kept on a supported release line and patched on the cadence published by the provider. End-user workstations install operating-system security updates within seven (7) days of release.

9. Incident response

Our incident response playbook covers:

  • detection (alerts, user reports, security disclosures);
  • triage and severity classification;
  • containment, eradication and recovery;
  • customer notification within 72 hours of a confirmed personal data breach, as set out in our DPA;
  • statutory notification to the ICO where the threshold is met;
  • post-incident review and remedial actions.

10. Backup and recovery

Production data is backed up daily with point-in-time recovery available to a minimum of seven (7) days. Backups are encrypted at rest and stored in a region geographically separated from the primary database, and restores are exercised at least annually.

11. Third-party risk

Subprocessors are listed in our DPA and reviewed before onboarding for security posture, data residency, certifications and breach history. We re-review material providers annually and on any disclosed incident.

12. Awareness and training

All staff complete security-awareness training on joining and at least annually. Topics include phishing, credential hygiene, safe handling of customer data, and recognising and reporting incidents. Developers receive additional secure-coding briefings.

13. Certifications

Cyber Essentials: in progress. We will publish the certification number once awarded.

ISO/IEC 27001: planned for 2026. We design and operate to Annex A controls in the meantime.

14. NCSC CAF mapping

The controls in this policy map to the NCSC Cyber Assessment Framework objectives as follows:

  • A — Managing security risk: sections 1–3, 11.
  • B — Protecting against cyber attack: sections 4, 5, 7, 8, 12.
  • C — Detecting cyber security events: section 6.
  • D — Minimising the impact of incidents: sections 9, 10.

Detailed control mappings are available to procurement teams on request.

Last reviewed: 2026-05-17 · Next review: 2027-05-17 · v1.0 · Document owner: Navdeep Singh