Security Policy
Effective Date: 21 January 2025
At Creationist Digital (“we,” “our,” “us”), the security of our clients’ data and information is of utmost importance. This Security Policy outlines the measures we take to safeguard the confidentiality, integrity, and availability of information processed through our systems.
1. Purpose
This Security Policy aims to:
- Protect the information entrusted to us by our clients, employees, and partners.
- Mitigate security risks and unauthorised access to data.
- Comply with applicable laws and regulations, including GDPR.
2. Scope
This policy applies to all employees, contractors, and third parties who access or process data on behalf of Creationist Digital. It covers all information systems, including cloud-based services, local devices, and third-party platforms used in delivering our services.
3. Security Measures
3.1. Data Access and Authorisation
- Access to data is granted on a need-to-know basis and requires management approval.
- Multi-factor authentication (MFA) is implemented for all critical systems and accounts.
- User access levels are regularly reviewed and adjusted based on role changes.
3.2. Data Storage and Encryption
- All sensitive data is encrypted in transit using SSL/TLS protocols.
- Data stored on local devices and cloud systems is encrypted using industry-standard encryption protocols (e.g., AES-256).
3.3. Network Security
- Firewalls and intrusion detection/prevention systems (IDS/IPS) are in place to monitor and protect network traffic.
- Regular vulnerability scans and penetration tests are conducted to identify and address potential risks.
3.4. Device Security
- Devices are configured to require strong passwords and automatic lock after inactivity.
- Regular software updates and security patches are applied to all devices and systems.
3.5. Backup and Recovery
- Regular backups are performed for all critical data and systems.
- Backups are stored securely and tested periodically to ensure successful recovery.
3.6. Third-Party Providers
- Third-party providers (e.g., CRM, payment processors) are vetted for compliance with security and data protection standards.
4. Employee Responsibilities
4.1. Security Awareness Training
- All employees are made aware of the importance of data security, of recommended best practices, and of potential threats such as phishing and social engineering.
4.2. Incident Reporting
- Employees are required to report any suspected security incidents or breaches immediately.
4.3. Acceptable Use Policy
- Employees must adhere to the Acceptable Use Policy, ensuring responsible use of company systems and data.
5. Incident Management
5.1. Incident Response Plan
- A documented Incident Response Plan (IRP) is in place to handle security breaches effectively.
- The plan includes:
  - Identification and containment of the incident.
  - Notification of affected parties and regulatory authorities, if applicable.
  - Remediation and prevention of future incidents.
5.2. Data Breach Notification
- In the event of a data breach, we will notify affected individuals and regulatory authorities (e.g., the ICO) within 72 hours, where required by law.
6. Compliance and Governance
6.1. Legal and Regulatory Compliance
- We comply with GDPR, the Data Protection Act 2018, and other relevant security regulations.
6.2. Policy Review and Updates
- This Security Policy is reviewed and updated annually or in response to significant changes in our operations or regulations.
7. Contact Us
If you have any questions about this Security Policy, please contact us at:
Creationist Digital Limited
support@creationistdigital.com
By using our website and services, you acknowledge that you have read, understood, and agree to this Security Policy.