1. Purpose and scope
This policy sets out how bizsuite.management (“we”) governs information security for the Your Brand platform, supporting systems, and subprocessors we rely on to deliver the service. It applies to anyone with access to production systems, credentials, or customer data on our behalf.
2. Roles and responsibilities
- Data controller / operator: bizsuite.management is responsible for decisions about how customer and end-user data is processed in the product.
- Security contact: Security questions and partner questionnaires should be directed to .
- Everyone with production access must follow this policy, use unique accounts, enable multi-factor authentication where offered, and report suspected incidents without delay.
3. Asset and access management
- Least privilege: Administrative access to hosting, DNS, databases, source control, and payment or bank-feed dashboards is limited to people who need it for their role.
- Authentication: Strong passwords (or passphrases) and a password manager are required for privileged accounts. Multi-factor authentication is required on cloud, registrar, hosting control panels, and version control where the provider supports it.
- Application access: End-user access is enforced by application login and role-based permissions; designated platform administrators are recorded separately.
- Staff changes: When someone leaves or changes role, we revoke or rotate the credentials they held within a commercially reasonable timeframe.
4. Secure development and change management
- Production changes follow a controlled path (review, testing where feasible, and deployment records).
- Secrets (API keys, webhooks, encryption keys for integrations) are not committed to public repositories and are stored in secure configuration or managed settings.
- We review security-relevant dependency advisories as part of releases; an automated Composer Audit run may be recorded in administration tools for evidence.
5. Operations: backups, logging, and availability
- Backups: We maintain backups appropriate to our hosting arrangement and test restoration periodically.
- Logging: We use hosting and application logs where available to investigate faults and suspected abuse.
- Patching: Operating system, runtime (e.g. PHP), and application updates are applied on a risk-based schedule.
6. Cryptography and communications
- Browser traffic to the production service is intended to use TLS (HTTPS).
- Sensitive integration tokens (for example bank-feed access tokens) are stored encrypted when the platform encryption key is configured.
- User passwords are stored using strong one-way hashing; we do not store raw bank login credentials for Open Banking flows.
7. Subprocessors and vendor management
We use vetted third parties (for example hosting, email delivery, payments, and optional Open Banking) as described in our Privacy Policy. Before onboarding a new vendor that processes personal or financial data, we check that contractual and technical safeguards are appropriate and update public disclosures.
8. Incident management
- Anyone who suspects unauthorised access, data loss, or malware must notify the security contact immediately.
- We will contain the incident, preserve evidence, notify affected users or regulators when the law requires, and work with subprocessors as needed.
9. Business continuity
We maintain continuity plans proportionate to our size, including backup recovery and communication paths if primary systems are unavailable.
10. Training and policy review
- Personnel with access to production or customer data receive orientation on this policy and phishing awareness.
- This policy is reviewed at least annually and after material changes to the product, hosting, or legal environment.
11. Contact
General support: . Security: .
Consumer rights and legal bases for processing are described in the Privacy Policy. Trust overview: Trust & data security.