Security & Trust

Last updated: 26 April 2026

Your data security and privacy are our top priorities. Here is how we protect your information.

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database connections use SSL/TLS. Passwords are hashed using bcrypt with a minimum cost factor of 12.
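The stated minimum bcrypt cost factor is the kind of policy a defender can verify directly against stored credentials, because bcrypt records its cost in the hash prefix. The following check is an added example written for this page, not code from 360 QHSE; the sample rows, user names and hash bodies are constructed placeholders, and only the format (`$2b$12$` followed by a 22-character salt and 31-character digest) reflects real bcrypt output.

```python
"""Audit stored password hashes against a minimum bcrypt cost policy.

Added illustration for the page's "bcrypt with a minimum cost factor of 12"
statement. Hash bodies below are constructed placeholders, not real digests.
"""
import re

MIN_COST = 12

# bcrypt modular-crypt format: $2a$ / $2b$ / $2y$, a two-digit cost, then a
# 22-character salt and 31-character digest (53 characters, bcrypt base64).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored_hash: str):
    """Return the cost factor encoded in a bcrypt hash, or None if it is not bcrypt."""
    match = BCRYPT_RE.match(stored_hash)
    return int(match.group(1)) if match else None


def find_weak_hashes(rows, min_cost: int = MIN_COST):
    """Return (user, reason) for every stored hash that violates the policy.

    rows: iterable of (user, stored_hash) pairs, e.g. read from the user table.
    Non-bcrypt values (legacy unsalted digests, plaintext) are flagged as well,
    since a cost check alone would silently skip them.
    """
    findings = []
    for user, stored_hash in rows:
        cost = bcrypt_cost(stored_hash)
        if cost is None:
            findings.append((user, "not a bcrypt hash"))
        elif cost < min_cost:
            findings.append((user, f"cost {cost} below minimum {min_cost}"))
    return findings


def _placeholder_hash(cost: int, variant: str = "2b") -> str:
    """Build a syntactically valid bcrypt string with a constructed salt/digest."""
    return f"${variant}${cost:02d}$" + "A" * 22 + "B" * 31


# Constructed sample user table: one compliant row, one below-cost row,
# one from a different bcrypt variant, and one legacy hex digest.
SAMPLE_ROWS = [
    ("alice", _placeholder_hash(12)),
    ("bob", _placeholder_hash(10)),
    ("carol", _placeholder_hash(13, variant="2y")),
    ("dave", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"),
]

if __name__ == "__main__":
    for user, reason in find_weak_hashes(SAMPLE_ROWS):
        print(f"{user}: {reason}")
```

Rows that fail the check are candidates for forced rehash at next login, which is how a cost increase is normally rolled out without knowing the plaintext.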

Infrastructure

The platform runs on enterprise-grade cloud infrastructure. Application and database servers are isolated in separate network segments with strict firewall rules.

Access Control

Access is governed by role-based access control (RBAC) with four permission levels: Admin, QHSE Manager, Team Member, and Read-Only. Every API endpoint enforces server-side authorisation checks.
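The point of "server-side checks on every endpoint" is that the permission decision is made once, centrally, and defaults to deny. The following sketch is an added example for this page, not 360 QHSE's own code: it uses the four role names the page lists, but the permission matrix, the `requires` decorator and the session shape are assumptions chosen for illustration.

```python
"""Deny-by-default RBAC enforcement on server-side handlers.

Added illustration using the page's four roles. The permission matrix and
handler names are assumed for the example, not the product's real ones.
"""
from enum import Enum
from functools import wraps


class Role(Enum):
    ADMIN = "Admin"
    QHSE_MANAGER = "QHSE Manager"
    TEAM_MEMBER = "Team Member"
    READ_ONLY = "Read-Only"


# Which roles may perform each action. Anything not listed here is denied,
# so a new endpoint cannot accidentally become world-accessible.
PERMISSIONS = {
    "audit:read": set(Role),
    "audit:create": {Role.ADMIN, Role.QHSE_MANAGER, Role.TEAM_MEMBER},
    "audit:delete": {Role.ADMIN, Role.QHSE_MANAGER},
    "user:manage": {Role.ADMIN},
}


class Forbidden(Exception):
    """Raised when the caller's role does not grant the requested permission."""


def parse_role(raw):
    """Map the role string from a server-side session to a Role, or None."""
    try:
        return Role(raw)
    except ValueError:
        return None


def can(role_name, permission: str) -> bool:
    """Central decision: unknown role or unknown permission both deny."""
    role = parse_role(role_name)
    return role is not None and role in PERMISSIONS.get(permission, set())


def requires(permission: str):
    """Decorator that checks the session role before the handler body runs.

    The session is taken from the server (e.g. a cookie-backed store), never
    from request parameters, so the client cannot assert its own role.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(session, *args, **kwargs):
            if not can(session.get("role"), permission):
                raise Forbidden(
                    f"user {session.get('user')!r} with role "
                    f"{session.get('role')!r} lacks {permission}"
                )
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator


@requires("audit:read")
def read_audit(session, audit_id: int) -> str:
    return f"audit {audit_id}"


@requires("audit:delete")
def delete_audit(session, audit_id: int) -> str:
    return f"deleted audit {audit_id}"


if __name__ == "__main__":
    viewer = {"user": "viewer@example.test", "role": "Read-Only"}
    print(read_audit(viewer, 7))
    try:
        delete_audit(viewer, 7)
    except Forbidden as exc:
        print("denied:", exc)
```

Because `can` is the single decision point, it is also the place to add an audit-log write for every denial, which ties this section to the Audit Trail commitments below.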

Backup & Recovery

Automated daily backups with 30-day retention. Point-in-time recovery available. Recovery Time Objective (RTO) < 4 hours. Recovery Point Objective (RPO) < 24 hours.

Audit Trail

Every user action is logged with timestamp, user identity, IP address, and change detail. Audit logs are immutable and retained for 7 years.

Uptime SLA

99.9% uptime SLA for Professional and Enterprise plans, measured monthly. Planned maintenance announced 48 hours in advance.

Monitoring

24/7 automated monitoring of application health, error rates, and response times. Security events trigger immediate alerts. Intrusion detection is active on all servers.

Patch Management

Security patches are applied within 72 hours of release for critical vulnerabilities. Dependency updates are reviewed weekly. Penetration testing is conducted annually.

Data Residency

All customer data is stored on servers located within the European Economic Area (EEA) and the United Kingdom. We do not transfer personal data outside the UK/EEA without appropriate safeguards in place.

  • Application database: EU-hosted TiDB Cloud cluster
  • File storage: EU-region S3-compatible object storage
  • CDN edge nodes: Cloudflare (UK/EU PoPs prioritised)

Incident Response

We maintain a documented incident response plan. In the event of a security incident:

  • Critical incidents are triaged within 1 hour of detection
  • Affected customers are notified within 24 hours of confirmed impact
  • Personal data breaches are reported to the ICO within 72 hours as required by UK GDPR
  • Post-incident reviews are conducted and findings shared with affected customers on request

Responsible Disclosure

If you discover a potential security issue, please report it privately before public disclosure:

Email: [email protected]

Response time: We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.

Safe harbour: We will not take legal action against researchers who report vulnerabilities in good faith.

ISO 27001 Roadmap

360 QHSE is working toward ISO 27001 certification with a target completion date of Q4 2027. We are implementing industry-leading information security management practices aligned with the ISO 27001:2022 standard. We will notify all customers when certification is achieved.

Compliance

  • UK GDPR Compliant: We comply with all UK GDPR requirements for data protection and privacy.
  • ICO Registered: 360 QHSE Ltd is registered with the Information Commissioner's Office (ICO).
  • PECR Compliant: All marketing communications comply with the Privacy and Electronic Communications Regulations (PECR).
  • Cyber Essentials (Planned): We are working toward Cyber Essentials certification in 2026.

Security Questions?

If you have any questions about our security practices, compliance status, or wish to report a vulnerability, please contact our security team.
