Security Policy
Last updated: 1 May 2025
Our Security Practices
- All data in transit is encrypted using TLS 1.2+
- Passwords are hashed using bcrypt with a minimum cost factor of 12
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
- Two-factor authentication is available and recommended for admin accounts
- Database access is restricted by IP allowlist and uses encrypted connections
- Regular security reviews and penetration testing
- Incident response plan in line with NIS2 and ICO requirements
Vulnerability Disclosure
If you discover a security vulnerability on our website or in our products, please report it responsibly to [email protected] with subject line "Security Disclosure".
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We aim to acknowledge all reports within 48 hours and provide a resolution timeline within 5 business days.
Scope
Our responsible disclosure programme covers:
- summitbridgehorizon.co.uk and all subdomains
- Customer portal and API endpoints
- Our SaaS products and digital tools
NIS2 Compliance
As an IT and cybersecurity consultancy, we adhere to NIS2 security requirements including risk management, supply chain security, and incident reporting obligations.