NCSC Cloud Security Principles

DataPress architecture and operations align with the UK National Cyber Security Centre's Cloud Security Principles framework. This page demonstrates how our platform meets each of the 14 principles established by the NCSC for secure cloud service provision.

For additional technical details, see our Infrastructure Overview and Security Certification pages.

Principle 1: Data in Transit Protection

Data should be adequately protected against tampering and eavesdropping as it transits networks.

All data communications are protected using TLS 1.2+ encryption with industry-standard cipher suites. Cloudflare provides additional transport security and ensures encrypted connections between users and our platform. Internal communications between application components use secure protocols within our hardened infrastructure.

Principle 2: Asset Protection and Resilience

Data and assets should be protected against physical tampering, loss, damage or seizure.

Our infrastructure operates on enterprise-grade cloud hosting with physical security controls managed by our hosting provider. Data resilience is ensured through automated hourly backup systems with secure off-site storage. All backups are encrypted and regularly tested for restoration capability. Service resilience includes automated monitoring and rapid recovery procedures.

Principle 3: Separation Between Customers

Malicious or compromised customers should not be able to access or affect the service or data of others.

Each customer deployment operates with strict logical separation through dedicated database schemas and application-level access controls. Customer data isolation is enforced through our authentication and authorization framework, preventing cross-customer data access. Network-level separation ensures no customer can affect others' service availability.

Principle 4: Governance Framework

The service provider should have a security governance framework coordinating management of the service.

Security governance is integrated into our operational framework through documented policies covering data protection, security incident response, and service management. Regular security assessments and policy reviews ensure continued effectiveness. Our Security Policy outlines the governance structure and responsibilities.

Principle 5: Operational Security

Services must be operated and managed securely to impede, detect or prevent attacks.

Operational security includes automated vulnerability scanning using industry-standard tools, protective monitoring through system and application logging, and configuration management following security best practices. Incident response procedures are documented and tested. System updates and security patches are applied following a structured change management process.

Principle 6: Personnel Security

Service provider personnel with access to customer data and systems require high trustworthiness.

Personnel with system access undergo background verification appropriate to their role. Technical measures include audit logging of all administrative actions, principle of least privilege access controls, and separation of duties where applicable. Administrative access is logged and monitored for unusual activity.

Principle 7: Secure Development

Services should be designed, developed and deployed to minimize and mitigate security threats.

Development follows secure coding practices with regular code review processes. Automated vulnerability scanning is integrated into our deployment pipeline. Security considerations are embedded throughout the development lifecycle, from design through deployment and maintenance.

Principle 8: Supply Chain Security

Supply chain should meet the same security standards as the organization sets for itself.

Third-party dependencies are evaluated for security and maintained through regular updates. Our hosting infrastructure provider maintains industry-standard security certifications. Software dependencies are monitored for known vulnerabilities and updated according to security best practices.

Principle 9: Secure User Management

Tools should be available for secure management of service use, preventing unauthorized access.

Role-based access controls allow administrators to manage user permissions across teams and datasets. User account management includes secure authentication, session management, and the capability to implement multi-factor authentication when required. Administrative functions provide granular control over user access to data and features.

Principle 10: Identity and Authentication

All access to service interfaces should be constrained to authenticated and authorized identities.

User authentication is required for all system access with secure session management. Multi-factor authentication capability is available when required by customer security policies. Administrative interfaces require additional authentication controls and are restricted to authorized personnel only.

Principle 11: External Interface Protection

External interfaces should be identified and defended appropriately.

All external interfaces are protected through Cloudflare's security layer, providing DDoS protection, traffic filtering, and Web Application Firewall capabilities. API endpoints implement authentication and rate limiting. Administrative interfaces are restricted and monitored for unauthorized access attempts.

Principle 12: Secure Service Administration

Administration systems should follow enterprise good practice, recognizing their high value to attackers.

Administrative access follows principle of least privilege with comprehensive audit logging. Administrative actions are logged and monitored through our security monitoring framework. Privileged access is time-limited and requires additional authentication where appropriate.

Principle 13: Audit Information and Alerting

Customers should be able to identify security incidents and understand how they occurred.

Comprehensive audit logging captures user actions, data changes, and system events. The platform provides detailed audit trails through User Login History, content revision tracking, and field-level change logs for datasets. Security monitoring generates alerts for suspicious activities, with incident information available to authorized users.

Principle 14: Secure Use of the Service

Cloud providers should help customers meet their data protection responsibilities through secure by design services.

The platform implements security by design through default secure configurations, comprehensive access controls, and built-in data protection features. Customers receive guidance on secure configuration options and best practices. Data protection controls align with GDPR requirements and UK data protection legislation.

Additional information

For specific technical implementation details or additional compliance documentation, please contact our team at [email protected].