Information Security Policy
Last Updated: 2 April 2026
1. Purpose and Scope
This Information Security Policy sets out the framework within which Hillmorton Design and Development Ltd manages information security across its operations. It applies to all directors, employees, contractors, and third parties with access to our systems, data, or client information.
The purpose of this policy is to protect the confidentiality, integrity, and availability of information assets — both our own and those belonging to our clients — and to ensure compliance with applicable legislation, including the UK GDPR, Data Protection Act 2018, and Computer Misuse Act 1990.
2. Information Assets
Our key information assets include:
- Client project files, source code, and deliverables.
- Client and staff personal data.
- Support ticket communications and attachments.
- Authentication credentials and session data.
- Business financial and contractual records.
- Infrastructure configuration and access credentials.
3. Access Control
Access to systems and data is governed by the principle of least privilege: individuals are granted only the access necessary to perform their role.
- All user accounts are individual; shared credentials are not permitted.
- Our client and staff portal enforces role-based access control (RBAC), ensuring staff and clients can only access data relevant to their permissions.
- Multi-factor authentication (MFA) is mandatory for all portal access. Supported methods include TOTP (authenticator apps), hardware passkeys, and backup codes.
- Passwords are never stored in plaintext; all credentials are hashed using bcrypt.
- Access for leavers or terminated contractors is revoked immediately upon departure.
- Access logs are maintained and reviewed periodically.
4. Data Storage and Infrastructure
Our primary infrastructure is hosted by Netcup GmbH in Germany, operating within the EU's robust data protection and security regulatory environment. Data in transit is protected by TLS encryption. Data at rest is stored on secured server infrastructure with access restricted to authorised personnel.
- Client files and attachments are stored in a private, S3-compatible object store (MinIO), segregated from public access.
- Database backups are performed regularly and stored securely.
- DNS management and CDN services are provided by Cloudflare, which applies its own industry-leading security controls. Where Cloudflare accounts are created for clients, those accounts are established in the client's name and email, ensuring client ownership and control.
5. Secure Development
Security is considered throughout the development lifecycle. Our development practices include:
- Input validation and sanitisation to prevent injection attacks (SQL injection, XSS, etc.).
- Use of parameterised queries and ORM frameworks (Prisma) to prevent direct database manipulation.
- HTML sanitisation (DOMPurify) for user-generated content.
- JWT-based session management with appropriate expiry and rotation policies.
- CAPTCHA (Cloudflare Turnstile) on public-facing forms to prevent automated abuse.
- Dependency management: regular review and update of third-party packages to address known vulnerabilities.
- Separation of production and development environments; no real client data in development environments.
6. Email and Communication Security
Our support system processes client emails via IMAP/SMTP integration. We apply the following controls:
- Email attachments are stored in the secure object store, not on the mail server.
- HTML content in emails is sanitised before display to prevent XSS via email bodies.
- Staff email credentials for system integration are stored encrypted and rotated periodically.
- We never request sensitive credentials from clients via email.
7. Incident Response
In the event of a suspected or confirmed information security incident, the following process applies:
- Identification: The incident is identified and reported to the lead Director immediately.
- Containment: Immediate steps are taken to contain the incident and limit further exposure.
- Assessment: The scope and impact of the incident are assessed, including whether personal data is involved.
- Notification: If a personal data breach is involved, the ICO is notified within 72 hours where required. Affected individuals are notified without undue delay where there is a high risk to their rights and freedoms. Affected clients are notified promptly.
- Remediation: Root cause analysis is conducted and remediation measures implemented.
- Review: Lessons learned are documented and policies updated as appropriate.
8. Third-Party Security
When engaging third-party suppliers or subcontractors who will have access to our systems or client data, we require:
- Execution of a confidentiality or data processing agreement before access is granted.
- Confirmation that appropriate security measures are in place.
- Access limited to what is strictly necessary for the engagement.
- Revocation of access immediately upon completion of the engagement.
9. Business Continuity
We maintain regular backups of all critical data and systems. Recovery procedures are documented and tested periodically to ensure we can restore services within an acceptable timeframe following a disruptive incident. Critical service dependencies (Netcup, Cloudflare) have their own business continuity arrangements which we factor into our planning.
10. Review and Compliance
Compliance with this policy is mandatory for all staff and contractors. Breaches may result in disciplinary action or termination of a business relationship and, where applicable, referral to law enforcement.
This policy is reviewed annually and updated in response to changes in our technical environment, applicable legislation, or identified security risks.
Hillmorton Design and Development Ltd
Company No. 16957863 · ICO Registration: ZC114366
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
hillmortondnd.co.uk
Approved: April 2026