Data Security Policy

At Swipe & Tap, we are committed to protecting the confidentiality, integrity, and availability of all information assets. Our security practices are aligned with ISO 27001 standards to ensure the highest level of protection for our clients and partners.

1. Our Commitment to Security

Swipe & Tap Ltd is committed to maintaining the security of all data entrusted to us. As a UK-based software development company, we understand that our clients rely on us to protect sensitive information throughout the development lifecycle and beyond.

Our Information Security Management System (ISMS) is aligned with ISO 27001:2022 standards, providing a systematic approach to managing sensitive company and client information. This framework ensures that security is embedded into every aspect of our operations, from project inception to delivery and ongoing support.

2. Information Security Management

Our security governance structure includes:

Leadership Commitment: Senior management actively participates in security decisions and provides the necessary resources to maintain our security posture.

Security Policies: We maintain comprehensive security policies that are regularly reviewed and updated to address emerging threats and regulatory requirements.

Risk Assessment: We conduct regular risk assessments to identify, evaluate, and treat information security risks. Our risk management process follows a structured methodology aligned with ISO 27001 requirements.

Continuous Improvement: We operate a cycle of continuous improvement, regularly reviewing and enhancing our security controls based on audit findings, incident learnings, and industry best practices.

3. Access Control

We implement strict access control measures to ensure that only authorised personnel can access sensitive information:

Principle of Least Privilege: Access rights are granted based on job function and business need, with users receiving only the minimum permissions required to perform their duties.

Authentication: We enforce strong authentication mechanisms, including multi-factor authentication (MFA) for all critical systems and remote access.

Access Reviews: Regular access reviews are conducted to ensure that permissions remain appropriate and that access is promptly revoked when no longer required.

Privileged Access Management: Administrative and privileged accounts are subject to enhanced controls, monitoring, and regular auditing.

4. Data Classification and Handling

All information assets are classified according to their sensitivity and criticality:

Classification Levels:
Confidential: Highly sensitive information requiring the strictest controls
Internal: Information for internal use with restricted external sharing
Public: Information approved for public disclosure

Handling Requirements: Each classification level has defined handling, storage, transmission, and disposal requirements that all staff must follow.

Data Minimisation: We collect and retain only the data necessary for specified purposes, in accordance with UK GDPR principles.

5. Encryption and Data Protection

We employ robust encryption to protect data at rest and in transit:

Data in Transit: All data transmitted over networks is encrypted using TLS 1.2 or higher. We enforce HTTPS across all web services and secure protocols for all data transfers.

Data at Rest: Sensitive data stored on our systems is encrypted using AES-256 or equivalent industry-standard encryption algorithms.

Key Management: Cryptographic keys are managed securely with appropriate access controls, rotation schedules, and secure storage mechanisms.

Client Data: Client source code, credentials, and sensitive project information are stored in encrypted repositories with access limited to assigned project team members.

6. Network and Infrastructure Security

Our infrastructure is protected by multiple layers of security controls:

Firewalls and Network Segmentation: We maintain properly configured firewalls and segment networks to isolate sensitive systems and limit the potential impact of security incidents.

Intrusion Detection: We deploy monitoring tools to detect and alert on suspicious network activity and potential security threats.

Vulnerability Management: Regular vulnerability scans and penetration testing are conducted to identify and remediate security weaknesses. Critical vulnerabilities are addressed within defined SLAs.

Patch Management: We maintain a rigorous patch management process to ensure all systems are updated with the latest security patches in a timely manner.

7. Secure Development Practices

Security is integrated throughout our software development lifecycle:

Secure Coding Standards: Our developers follow secure coding guidelines aligned with OWASP best practices to prevent common vulnerabilities such as injection attacks, cross-site scripting, and authentication flaws.

Code Review: All code undergoes peer review with security considerations as a key evaluation criterion.

Security Testing: We conduct security testing including static application security testing (SAST) and dynamic application security testing (DAST) as part of our development process.

Dependency Management: Third-party libraries and dependencies are regularly scanned for known vulnerabilities and updated accordingly.

8. Physical Security

Our physical premises and equipment are protected through appropriate controls:

Office Security: Our premises are secured with access control systems, with entry restricted to authorised personnel and registered visitors.

Equipment Security: Company devices are encrypted, password-protected, and configured with remote wipe capabilities. Lost or stolen devices are reported immediately and remotely disabled.

Clear Desk Policy: Staff are required to secure sensitive documents and lock workstations when unattended.

Secure Disposal: Hardware and physical media containing sensitive data are securely disposed of using certified destruction methods.

9. Incident Response

We maintain a comprehensive incident response capability:

Incident Response Plan: We have documented procedures for identifying, containing, eradicating, and recovering from security incidents.

Reporting: All staff are trained to recognise and report security incidents promptly through defined channels.

Investigation: Security incidents are investigated thoroughly to determine root cause and prevent recurrence.

Notification: In the event of a data breach affecting personal data, we will notify the Information Commissioner's Office (ICO) within 72 hours where required, and affected individuals without undue delay as mandated by UK GDPR.

Lessons Learned: Post-incident reviews are conducted to identify improvements to our security controls and procedures.

10. Business Continuity

We maintain business continuity and disaster recovery capabilities to ensure service resilience:

Backup Strategy: Critical data is backed up regularly with backups stored securely in geographically separate locations. Backup restoration is tested periodically.

Recovery Planning: We maintain documented recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO).

Redundancy: Critical systems are designed with appropriate redundancy to minimise single points of failure.

Testing: Business continuity plans are tested regularly to ensure effectiveness and staff readiness.

11. Supplier and Third-Party Security

We carefully manage security risks associated with third-party relationships:

Due Diligence: Suppliers and partners with access to our systems or data undergo security assessment before engagement.

Contractual Requirements: Security requirements are incorporated into supplier contracts, including data protection obligations and incident notification requirements.

Ongoing Monitoring: Third-party security posture is monitored throughout the relationship, with regular reviews for critical suppliers.

Cloud Services: Cloud service providers are selected based on their security certifications, compliance with relevant standards, and data residency options.

12. Employee Security

Our people are our first line of defence:

Background Checks: Appropriate pre-employment screening is conducted for all staff, commensurate with the sensitivity of their role.

Security Training: All employees receive security awareness training upon joining and annual refresher training thereafter. Role-specific training is provided for staff with elevated security responsibilities.

Acceptable Use: Staff are required to comply with our acceptable use policies governing the use of company systems and data.

Confidentiality: All employees sign confidentiality agreements and are bound by contractual obligations to protect sensitive information.

13. Compliance and Auditing

We maintain compliance with applicable laws, regulations, and standards:

Regulatory Compliance: We comply with UK GDPR, the Data Protection Act 2018, and other applicable data protection legislation.

Internal Audits: Regular internal audits are conducted to assess compliance with our security policies and identify areas for improvement.

External Assessments: We engage independent third parties to conduct security assessments and penetration testing.

Certification: Our ISMS is aligned with ISO 27001 requirements, demonstrating our commitment to internationally recognised security standards.

14. Contact Us

If you have any questions about our data security practices or wish to report a security concern, please contact us:

Email: hello@swipeandtap.co.uk
Address: Dock 206, 75 Exploration Drive, Leicester, LE4 5NU

For urgent security matters, please mark your communication as "Security - Urgent" to ensure prompt attention.

This Data Security Policy was last updated in January 2025.