Security Overview

This page summarises CFTS security practices for client understanding and due diligence. It does not replace the Privacy Notice, Data Processing Addendum, Terms of Service, or a service-specific agreement.

Security Approach

CFTS applies a layered security model across infrastructure, access, monitoring, backup, and operational processes.

The aim is to reduce risk through practical controls rather than relying on a single security measure.

Access Control

CFTS restricts administrative access to authorised personnel.

Controls may include:

• multi-factor authentication
• IP-restricted administrative access
• role-based access where supported
• limited privileged access
• periodic access review
• logging of administrative activity

Infrastructure Protection

Infrastructure security may include:

• hardened operating environments
• network segmentation
• firewall controls
• controlled management interfaces
• monitoring and alerting
• patching and vulnerability management
• malware or exploit protection where supported by the platform

Encryption

CFTS uses encryption controls where appropriate to the service.

Examples include:

• TLS for data in transit
• full disk encryption where implemented
• encrypted backups where implemented
• secure administrative protocols such as SSH

Encryption scope depends on the service, platform, and application design.

Monitoring and Logging

CFTS uses monitoring and logging to support availability, security, and operational response.

This may include:

• uptime monitoring
• infrastructure alerts
• security event monitoring
• service health checks
• administrative logs
• backup monitoring

Log retention depends on service type, platform, and operational need.

Physical Security

CFTS infrastructure is operated in controlled environments.

Physical controls may include:

• controlled facility access
• restricted infrastructure areas
• CCTV or facility monitoring
• environmental monitoring
• power and cooling resilience

Physical controls vary by site and service.

Incident Response

CFTS maintains procedures for investigating and responding to operational and security incidents.

Response may include:

• triage
• containment
• client notification where appropriate
• remediation
• monitoring
• recovery assistance

Confirmed personal data breaches are handled according to applicable law and the Data Processing Addendum.

Certification Position

CFTS does not claim ISO 27001 certification unless expressly stated in a formal document.

The platform is operated using recognised security practices appropriate to managed hosting and infrastructure environments.

Client Security Responsibilities

Clients remain responsible for:

• secure passwords
• client-side MFA where available
• application patching
• user account management
• secure application configuration
• avoiding unnecessary exposed services
• notifying CFTS of suspected compromise

Related Documents

• Common Information and Cyber Security Q and A
• Data Security Model
• Security Model
• Data Processing Addendum
• Shared Responsibility Model