Skip to main content

Security Policy

Last updated: 1 May 2025

Our Security Practices

  • All data in transit is encrypted using TLS 1.2+
  • Passwords are hashed using bcrypt with a minimum cost factor of 12
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
  • Two-factor authentication is available and recommended for admin accounts
  • Database access is restricted by IP allowlist and uses encrypted connections
  • Regular security reviews and penetration testing
  • Incident response plan in line with NIS2 and ICO requirements

Vulnerability Disclosure

If you discover a security vulnerability on our website or in our products, please report it responsibly to [email protected] with subject line "Security Disclosure".

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We aim to acknowledge all reports within 48 hours and provide a resolution timeline within 5 business days.

Scope

Our responsible disclosure programme covers:

  • summitbridgehorizon.co.uk and all subdomains
  • Customer portal and API endpoints
  • Our SaaS products and digital tools

NIS2 Compliance

As an IT and cybersecurity consultancy, we adhere to NIS2 security requirements including risk management, supply chain security, and incident reporting obligations.