Skip to main content

Information Security Policy

Effective: 21 April 2026|
v2.0
Download PDF
Also available in:Turkish (TR)

Information Security Policy

Effective date: 12 March 2026  |  Version: 1.0  |  Classification: Public

This policy sets out SummitBridge Horizon Ltd's approach to information security, aligned with ISO 27001:2022 Annex A controls and NIS2 Directive requirements.

Policy owner: Director (acting CISO — Umut Dede)
Review cycle: Annual, or following any significant security incident or material change

1. Scope and Objectives

This policy applies to all information assets owned or processed by SummitBridge, including the SBH platform, customer data, employee data, and supplier systems. Objectives: protect confidentiality, integrity, and availability of information; comply with UK GDPR, NIS2, and applicable data protection law; maintain customer trust.

2. Asset Management

An information asset register is maintained and reviewed quarterly. All information assets are classified as Public, Internal, Confidential, or Restricted. Confidential and Restricted data requires encryption at rest and in transit.

3. Access Control

  • Role-based access control (RBAC) applied to all platform components
  • Multi-factor authentication (MFA) mandatory for all administrative accounts and all staff
  • Principle of least privilege enforced; access reviewed quarterly
  • Privileged access monitored with full audit logging
  • Remote access via encrypted channels only (TLS 1.3 minimum)

4. Cryptography

  • Encryption at rest: AES-256 for all databases, file stores, and backups
  • Encryption in transit: TLS 1.3 minimum; HSTS enforced; no TLS 1.0/1.1
  • Sensitive field encryption: AES-256-GCM for TOTP secrets, agent tokens, and PII fields
  • Passwords: bcrypt with minimum cost factor 12
  • Key management: Platform encryption keys stored in environment variables with secrets management; rotated annually

5. Physical Security

SummitBridge operates on cloud infrastructure only (Hostinger International Ltd, Germany). Physical security is delegated to Hostinger, which holds ISO 27001 certification and operates SOC 2-aligned controls. No on-premises server infrastructure is maintained.

6. Operations Security

  • Change management: All platform changes go through code review and CI/CD pipeline before deployment; no direct production access
  • Vulnerability management: Automated SAST scanning in CI pipeline; dependency scanning (npm audit / Dependabot); quarterly external vulnerability scans; critical findings patched within 72 hours, high within 7 days
  • Logging: All admin actions, authentication events, and API calls logged; logs retained for 7 years; tamper-evident storage
  • Monitoring: Real-time alerting for failed authentication, privilege escalation, and anomalous API usage
  • Malware protection: Dependencies scanned for known malicious packages; container images scanned before deployment

7. Business Continuity

  • Daily automated database backups retained for 30 days; monthly backups for 12 months
  • Recovery Time Objective (RTO): <4 hours for full platform restoration
  • Recovery Point Objective (RPO): <24 hours
  • Disaster recovery test: Quarterly tabletop; annual full restore test
  • Business continuity plan maintained and reviewed annually

8. Supplier Relationships

All sub-processors must: (a) sign a Data Processing Agreement; (b) undergo security due diligence before engagement; (c) be re-assessed annually. A current sub-processor register is maintained (see DPA Schedule A).

9. Incident Management

All security incidents are managed per the Incident Response Policy. Significant incidents are reported to affected customers and to the NCSC/ICO per NIS2 and UK GDPR timelines.

10. Compliance

Annual internal compliance review conducted against this policy. External penetration test commissioned annually or before major platform releases. Results are reviewed by the Director and used to update security controls.

11. Non-Compliance

Violation of this policy by employees or contractors may result in disciplinary action up to and including termination of employment or contract. Violations by customers are handled per the Acceptable Use Policy.

This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].