This page summarises CFTS security practices for client understanding and due diligence. It does not replace the Privacy Notice, Data Processing Addendum, Terms of Service, or a service-specific agreement. ## Security Approach CFTS applies a layered security model across infrastructure, access, monitoring, backup, and operational processes. The aim is to reduce risk through practical controls rather than relying on a single security measure. ## Access Control CFTS restricts administrative access to authorised personnel. Controls may include: - multi-factor authentication - IP-restricted administrative access - role-based access where supported - limited privileged access - periodic access review - logging of administrative activity ## Infrastructure Protection Infrastructure security may include: - hardened operating environments - network segmentation - firewall controls - controlled management interfaces - monitoring and alerting - patching and vulnerability management - malware or exploit protection where supported by the platform ## Encryption CFTS uses encryption controls where appropriate to the service. Examples include: - TLS for data in transit - full disk encryption where implemented - encrypted backups where implemented - secure administrative protocols such as SSH Encryption scope depends on the service, platform, and application design. ## Monitoring and Logging CFTS uses monitoring and logging to support availability, security, and operational response. This may include: - uptime monitoring - infrastructure alerts - security event monitoring - service health checks - administrative logs - backup monitoring Log retention depends on service type, platform, and operational need. ## Physical Security CFTS infrastructure is operated in controlled environments. Physical controls may include: - controlled facility access - restricted infrastructure areas - CCTV or facility monitoring - environmental monitoring - power and cooling resilience Physical controls vary by site and service. ## Incident Response CFTS maintains procedures for investigating and responding to operational and security incidents. Response may include: - triage - containment - client notification where appropriate - remediation - monitoring - recovery assistance Confirmed personal data breaches are handled according to applicable law and the Data Processing Addendum. ## Certification Position CFTS does not claim ISO 27001 certification unless expressly stated in a formal document. The platform is operated using recognised security practices appropriate to managed hosting and infrastructure environments. ## Client Security Responsibilities Clients remain responsible for: - secure passwords - client-side MFA where available - application patching - user account management - secure application configuration - avoiding unnecessary exposed services - notifying CFTS of suspected compromise ## Related Documents - [Common Information and Cyber Security Q and A](/05_Our-Edge-Facilities/40_How-We-Protect-Your-Information/10_Common-Information-and-Cyber-Security-Q-and-A) - [Data Security Model](/05_Our-Edge-Facilities/30_Resilience-and-Security/09_Data-Security-Model) - [Security Model](/05_Our-Edge-Facilities/30_Resilience-and-Security/04_Security-Model) - [Data Processing Addendum](/15_Policies/01_Data-Privacy/10_Data-Processing-Addendum) - [Shared Responsibility Model](/01_Client-Guidance/15_Shared-Responsibility-Model)