Security Policy
Updated: 14th July 2024
DataPress is committed to maintaining the security and privacy of our customers' data. This Security Policy outlines the measures we have in place to protect our systems and data from unauthorized access, use, or disclosure. We regularly review and update our security measures to ensure that they are aligned with industry standards and best practices.
1. Introduction
1.1 Purpose of the Policy
The purpose of this Security Policy is to establish guidelines and procedures for the protection of information assets and resources at DataPress. This policy outlines the security standards that must be followed by all employees, contractors, and third-party vendors who access or handle information assets, and it serves as the foundation for all other security-related policies and procedures.
The policy's primary objective is to protect the confidentiality, integrity, and availability of information assets, including but not limited to, customer data, business processes, and intellectual property.
1.2 Scope of the Policy
This Security Policy applies to all employees, contractors, and third-party vendors who access or handle information assets owned, maintained, or operated by DataPress. It applies to all information, regardless of whether it is stored electronically or in paper format.
This policy covers all systems and networks owned or operated by DataPress, including but not limited to computers, servers, mobile devices, and cloud services.
1.3 Policy Owner
The policy owner is the Chief Information Officer (CIO) at DataPress. The CIO is responsible for the creation, maintenance, and enforcement of this Security Policy. All questions regarding this policy should be directed to the CIO or their designated representative.
2. Security Standards
2.1 Snyk for Code Scanning
DataPress will use Snyk to scan all deployed code commits for vulnerabilities. We will prioritize and work to resolve issues ranked Critical, High or Medium by Snyk. Snyk scans will be performed on a regular basis as part of our Secure Software Development Lifecycle.
2.2 Burp Suite for API Scanning
DataPress will use Burp Suite to perform automated vulnerability scans of our API surface. These scans will be performed on a periodic basis to identify vulnerabilities in our API.
2.3 Vulnerability Management
DataPress will have a documented process for managing vulnerabilities that includes identification, prioritization, mitigation and tracking. Vulnerabilities will be assigned a severity level and prioritized accordingly. The severity level will be based on industry standards, such as the Common Vulnerability Scoring System (CVSS).
2.4 Data Encryption and Access Control
DataPress will use industry-standard encryption protocols to protect sensitive data in transit and at rest. Access to data will be restricted based on the principle of least privilege, and will be granted only to authorized personnel with a legitimate business need.
2.5 Secure Software Development Lifecycle
DataPress will follow a Secure Software Development Lifecycle (SSDLC) that includes secure coding practices, regular code reviews, and vulnerability scanning. The SSDLC will be integrated into our development process and will be followed by all development personnel.
2.6 Security Awareness and Training
DataPress will provide security awareness and training to all employees, including training on secure coding practices, data protection, and incident response. Employees will be required to complete security training on a regular basis, and their knowledge will be assessed to ensure they understand the importance of security in their roles.
3. Roles and Responsibilities
3.1 Management
The management team is responsible for ensuring that security policies and procedures are developed, implemented, and maintained effectively. They will also ensure that all employees and contractors are trained in security awareness and follow security policies and procedures.
3.2 Development and Operations Teams
The development and operations teams are responsible for implementing security measures within the systems they develop and maintain. This includes adhering to secure coding practices, performing security testing, and responding to security incidents. They will work closely with the management team to ensure that security policies and procedures are being followed and that any security risks are identified and addressed promptly.
3.3 Employees
All employees have a responsibility to follow security policies and procedures, report any security incidents, and participate in security awareness training. They should also report any security vulnerabilities or concerns to the appropriate personnel.
DataPress personnel who violate this Security Policy or related procedures may be subject to disciplinary action, up to and including termination of employment or contract.
4. Compliance
4.1 Legal and Regulatory Requirements
DataPress is committed to complying with all relevant legal and regulatory requirements related to information security and data protection. This includes, but is not limited to, GDPR, CCPA, and any other applicable data protection laws and regulations.
DataPress will regularly monitor changes to relevant laws and regulations to ensure that our security practices are always in compliance with the latest requirements.
4.2 Audit and Assessment
DataPress will regularly review and assess the effectiveness of our security policies and practices to ensure compliance with applicable laws and regulations, industry best practices, and any other relevant standards.
External audits and assessments may be conducted periodically to validate DataPress's compliance with applicable laws and regulations, and to ensure that our security practices are effective and up-to-date.
Any identified vulnerabilities or weaknesses in our security practices will be promptly addressed and remediated to ensure ongoing compliance with legal and regulatory requirements.
5. Policy Review and Modification
5.1 Policy Review
This Security Policy will be reviewed on an annual basis, or more frequently if necessary, to ensure that it remains up-to-date and relevant to the needs of the business. Any changes to the policy will be communicated to all employees and contractors.
5.2 Policy Modification
Any modifications to this Security Policy will be made by the Policy Owner in consultation with the relevant stakeholders. The modified policy will be reviewed and approved by management before being communicated to all employees and contractors.
6. Contact Information
6.1 Reporting Security Incidents
All security incidents or suspected incidents related to DataPress systems or data must be reported immediately. Incidents can be reported to the DataPress Security Team by sending an email to [email protected] or directly to the CEO at [email protected]. Employees must cooperate with the DataPress Security Team during the investigation of a security incident.
6.2 Contact Information
If you have any questions, comments, or concerns about this Security Policy, please contact us at [email protected] or write to us at:
DataPress Ltd.
Suite 111
94 London Road
Oxford, UK
OX3 9FN
Any inquiries regarding security or privacy should also be directed to this address.