- Version
- 2.0
- Status
- Live
- Effective Date
- 13 July 2026
- Review Date
- 13 July 2027
- Policy Owner
- Compliance and Accreditation Lead
- Approved By
- Chief Executive Officer
1. Purpose and Scope
This Information Security Policy establishes the framework for protecting all information assets, systems and personnel associated with the Qualitect platform. This policy applies to Qualitect Ltd and all users of the Qualitect platform. All users and staff must comply with this policy as a condition of access.
2. Information Security Objectives
Qualitect is committed to maintaining the confidentiality, integrity and availability of all information assets. These objectives support our regulatory compliance obligations under UK , the Data Protection Act 2018 and the Network and Information Systems Regulations 2018 where applicable.
Our information security framework is designed to align with the requirements of ISO 27001. Certification to ISO 27001 is a planned milestone in Qualitect's accreditation programme. Qualitect is working towards formal accreditation against ISO standards relevant to its operations. References to ISO alignment describe the framework adopted and do not indicate current certification.
3. Organisational Security Structure
The Chief Executive Officer holds ultimate responsibility for information security governance. The Lead Developer serves as the designated information security lead. Platform administrators maintain day-to-day operational security.
4. Risk Assessment and Management
Qualitect conducts formal information security risk assessments annually and following any significant changes. All identified risks must have documented treatment plans.
5. Access Control
5.1 Role-Based Access Control
The platform uses to manage user permissions. Each role has predefined permissions that cannot be exceeded without explicit administrative approval.
5.2 Authentication Requirements
All platform access requires secure credentials. Administrative accounts require multi-factor authentication. The platform uses JWT bearer tokens via Laravel Sanctum.
5.3 Session Management
Administrative sessions timeout after 30 minutes of inactivity. Standard user sessions timeout after 2 hours.
6. Network Security
All data uses 1.3 encryption as the minimum standard. The platform operates within AWS UK regions using a VPC architecture. A web application firewall inspects HTTP requests.
7. Data Security
7.1 Encryption at Rest
All data uses AES-256 encryption. Keys are managed through AWS Key Management Service.
7.2 Database Security
PostgreSQL with enforces data isolation. The uses a separate database role that can only INSERT and SELECT.
7.3 Audit Trail Protection
Audit records are retained for a minimum of seven years to support Platform Users' compliance with the documentation requirements of the relevant and regulatory frameworks and to meet Qualitect's own legal and contractual obligations.
7.4 File Access Controls
User-uploaded files use pre-signed URL access patterns with automatic expiry.
8. Application Security
The development team follows secure coding practices. Automated security scanning tools analyse code for vulnerability patterns. The platform undergoes annual penetration testing.
9. Incident Management
Security incidents are detected through automated monitoring, user reports and routine assessments. Critical incidents trigger immediate response procedures.
10. Business Continuity
Automated backup procedures create multiple recovery points daily. Critical services have a Recovery Time Objective of 4 hours.
11. Supplier Security Management
Qualitect conducts due diligence assessments of all suppliers who process or store information on our behalf.
12. Related Policies
Data Protection Policy, Acceptable Use Policy.
13. Contact Information
General: hello@qualitect.co.uk
Data protection contact: dataprotection@qualitect.co.uk
Registered office: Qualitect Limited, 32 Willoughby Road, London, N8 0JG
Trading address: 8a Stafford Street, London, W1S 4RU
Website: qualitect.co.uk