[{"data":1,"prerenderedAt":66},["ShallowReactive",2],{"policy-information-security-policy":3},{"html":4,"meta":5,"toc":24,"summary":64,"error":65},"\n\u003Ch2 id=\"1-purpose-and-scope\">1. Purpose and Scope\u003C\u002Fh2>\n\u003Cp>This Information Security Policy establishes the framework for protecting all information assets, systems and personnel associated with the Qualitect platform. This policy applies to Qualitect Ltd and all users of the Qualitect platform. All users and staff must comply with this policy as a condition of access.\u003C\u002Fp>\n\u003Ch2 id=\"2-information-security-objectives\">2. Information Security Objectives\u003C\u002Fh2>\n\u003Cp>Qualitect is committed to maintaining the confidentiality, integrity and availability of all information assets. These objectives support our regulatory compliance obligations under UK \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"gdpr\" data-glossary-term=\"GDPR\" aria-label=\"Definition: GDPR\">GDPR\u003C\u002Fbutton>, the Data Protection Act 2018 and the Network and Information Systems Regulations 2018 where applicable.\u003C\u002Fp>\n\u003Cp>Our information security framework is designed to align with the requirements of ISO 27001. Certification to ISO 27001 is a planned milestone in Qualitect's accreditation programme. Qualitect is working towards formal accreditation against ISO standards relevant to its operations. References to ISO alignment describe the framework adopted and do not indicate current certification.\u003C\u002Fp>\n\u003Ch2 id=\"3-organisational-security-structure\">3. Organisational Security Structure\u003C\u002Fh2>\n\u003Cp>The Chief Executive Officer holds ultimate responsibility for information security governance. The Lead Developer serves as the designated information security lead. Platform administrators maintain day-to-day operational security.\u003C\u002Fp>\n\u003Ch2 id=\"4-risk-assessment-and-management\">4. Risk Assessment and Management\u003C\u002Fh2>\n\u003Cp>Qualitect conducts formal information security risk assessments annually and following any significant changes. All identified risks must have documented treatment plans.\u003C\u002Fp>\n\u003Ch2 id=\"5-access-control\">5. Access Control\u003C\u002Fh2>\n\u003Ch3 id=\"5-1-role-based-access-control\">5.1 Role-Based Access Control\u003C\u002Fh3>\n\u003Cp>The platform uses \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"role-based-access-control\" data-glossary-term=\"Role-based access control\" aria-label=\"Definition: Role-based access control\">role-based access control\u003C\u002Fbutton> to manage user permissions. Each role has predefined permissions that cannot be exceeded without explicit administrative approval.\u003C\u002Fp>\n\u003Ch3 id=\"5-2-authentication-requirements\">5.2 Authentication Requirements\u003C\u002Fh3>\n\u003Cp>All platform access requires secure credentials. Administrative accounts require multi-factor authentication. The platform uses JWT bearer tokens via Laravel Sanctum.\u003C\u002Fp>\n\u003Ch3 id=\"5-3-session-management\">5.3 Session Management\u003C\u002Fh3>\n\u003Cp>Administrative sessions timeout after 30 minutes of inactivity. Standard user sessions timeout after 2 hours.\u003C\u002Fp>\n\u003Ch2 id=\"6-network-security\">6. Network Security\u003C\u002Fh2>\n\u003Cp>All data uses \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"tls\" data-glossary-term=\"TLS\" aria-label=\"Definition: TLS\">TLS\u003C\u002Fbutton> 1.3 encryption as the minimum standard. The platform operates within AWS UK regions using a VPC architecture. A web application firewall inspects HTTP requests.\u003C\u002Fp>\n\u003Ch2 id=\"7-data-security\">7. Data Security\u003C\u002Fh2>\n\u003Ch3 id=\"7-1-encryption-at-rest\">7.1 Encryption at Rest\u003C\u002Fh3>\n\u003Cp>All data uses AES-256 encryption. Keys are managed through AWS Key Management Service.\u003C\u002Fp>\n\u003Ch3 id=\"7-2-database-security\">7.2 Database Security\u003C\u002Fh3>\n\u003Cp>PostgreSQL with \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"row-level-security\" data-glossary-term=\"Row-level security\" aria-label=\"Definition: Row-level security\">row-level security\u003C\u002Fbutton> enforces data isolation. The \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"audit-trail\" data-glossary-term=\"Audit trail\" aria-label=\"Definition: Audit trail\">audit trail\u003C\u002Fbutton> uses a separate database role that can only INSERT and SELECT.\u003C\u002Fp>\n\u003Ch3 id=\"7-3-audit-trail-protection\">7.3 Audit Trail Protection\u003C\u002Fh3>\n\u003Cp>Audit records are retained for a minimum of seven years to support Platform Users' compliance with the documentation requirements of the relevant \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"educational-standards\" data-glossary-term=\"Educational standards\" aria-label=\"Definition: Educational standards\">educational standards\u003C\u002Fbutton> and regulatory frameworks and to meet Qualitect's own legal and contractual obligations.\u003C\u002Fp>\n\u003Ch3 id=\"7-4-file-access-controls\">7.4 File Access Controls\u003C\u002Fh3>\n\u003Cp>User-uploaded files use pre-signed URL access patterns with automatic expiry.\u003C\u002Fp>\n\u003Ch2 id=\"8-application-security\">8. Application Security\u003C\u002Fh2>\n\u003Cp>The development team follows secure coding practices. Automated security scanning tools analyse code for vulnerability patterns. The platform undergoes annual penetration testing.\u003C\u002Fp>\n\u003Ch2 id=\"9-incident-management\">9. Incident Management\u003C\u002Fh2>\n\u003Cp>Security incidents are detected through automated monitoring, user reports and routine assessments. Critical incidents trigger immediate response procedures.\u003C\u002Fp>\n\u003Ch2 id=\"10-business-continuity\">10. Business Continuity\u003C\u002Fh2>\n\u003Cp>Automated backup procedures create multiple recovery points daily. Critical services have a Recovery Time Objective of 4 hours.\u003C\u002Fp>\n\u003Ch2 id=\"11-supplier-security-management\">11. Supplier Security Management\u003C\u002Fh2>\n\u003Cp>Qualitect conducts due diligence assessments of all suppliers who process or store information on our behalf.\u003C\u002Fp>\n\u003Ch2 id=\"12-related-policies\">12. Related Policies\u003C\u002Fh2>\n\u003Cp>Data Protection Policy, Acceptable Use Policy.\u003C\u002Fp>\n\u003Ch2 id=\"13-contact-information\">13. Contact Information\u003C\u002Fh2>\n\u003Cp>\u003Cstrong>General:\u003C\u002Fstrong> hello@qualitect.co.uk\u003Cbr>\u003Cstrong>Data protection contact:\u003C\u002Fstrong> dataprotection@qualitect.co.uk\u003Cbr>\u003Cstrong>Registered office:\u003C\u002Fstrong> Qualitect Limited, 32 Willoughby Road, London, N8 0JG\u003Cbr>\u003Cstrong>Trading address:\u003C\u002Fstrong> 8a Stafford Street, London, W1S 4RU\u003Cbr>\u003Cstrong>Website:\u003C\u002Fstrong> qualitect.co.uk\u003C\u002Fp>",[6,9,12,15,18,21],{"k":7,"v":8},"Version","2.0",{"k":10,"v":11},"Status","Live",{"k":13,"v":14},"Effective Date","13 July 2026",{"k":16,"v":17},"Review Date","13 July 2027",{"k":19,"v":20},"Policy Owner","Compliance and Accreditation Lead",{"k":22,"v":23},"Approved By","Chief Executive Officer",[25,28,31,34,37,40,43,46,49,52,55,58,61],{"id":26,"text":27},"1-purpose-and-scope","1. Purpose and Scope",{"id":29,"text":30},"2-information-security-objectives","2. Information Security Objectives",{"id":32,"text":33},"3-organisational-security-structure","3. Organisational Security Structure",{"id":35,"text":36},"4-risk-assessment-and-management","4. Risk Assessment and Management",{"id":38,"text":39},"5-access-control","5. Access Control",{"id":41,"text":42},"6-network-security","6. Network Security",{"id":44,"text":45},"7-data-security","7. Data Security",{"id":47,"text":48},"8-application-security","8. Application Security",{"id":50,"text":51},"9-incident-management","9. Incident Management",{"id":53,"text":54},"10-business-continuity","10. Business Continuity",{"id":56,"text":57},"11-supplier-security-management","11. Supplier Security Management",{"id":59,"text":60},"12-related-policies","12. Related Policies",{"id":62,"text":63},"13-contact-information","13. Contact Information","This Information Security Policy establishes the framework for protecting all information assets, systems and personnel associated with the Qualitect",false,1784287572689]