CFTS Documentation

Common Information and Cyber Security Q and A

CFTS operates its hosting and edge infrastructure with layered security controls, controlled administrative access, encrypted data handling, active monitoring, structured recovery processes, and GDPR-aligned data processing governance.

Administrative access is restricted to authorised personnel, protected by multi-factor authentication where applicable, and reviewed periodically. Infrastructure is monitored for availability and security events, with logging, alerting, backup, and incident response processes in place.

The aim is not to make broad certification claims, but to provide clear, transparent answers about how client systems and information are protected in practice.

PURPOSE

Standard responses for client due diligence, procurement, and security questionnaires.

INFORMATION SECURITY GOVERNANCE

Do you have documented security policies?

Answer: Yes.

CFTS maintains documented security governance covering Access Control, Business Continuity & RTO/RPO, Incident Response, and Data Processing Addendum documentation.

Are you ISO 27001 certified?

Answer: No.

While not ISO 27001 certified, the hosting platform is operated in alignment with recognised industry best practices for managed hosting environments.

Do you conduct periodic security reviews?

Answer: Yes.

Administrative access and security configurations are periodically reviewed.

ACCESS CONTROL

Is privileged access restricted?

Answer: Yes.

Root access is limited to authorised administrators and protected by IP whitelisting and multi-factor authentication.

Is MFA enforced?

Answer: Yes.

Multi-factor authentication is enforced for WHM and WHMCS administrative access.

Are access logs retained?

Answer: Yes.

Logs are retained for a minimum of 1 year.

INFRASTRUCTURE & HOSTING

Where is data hosted?

Answer: In a Tier III UK data centre and a Tier III HCI data centre (Maidenhead, Kampala).

Is infrastructure dedicated or shared?

Answer: Dedicated server deployment.

Is the environment monitored?

Answer: Yes.

Continuous uptime monitoring and security alerting are in place.

ENCRYPTION

Is data encrypted in transit?

Answer: Yes.

TLS 1.2+ is enforced.

Is data encrypted at rest?

Answer: Yes.

Full disk encryption and encrypted backups are implemented.

Is payment card data stored?

Answer: No.

The platform does not store payment cardholder data.

BACKUP & DISASTER RECOVERY

Do you maintain backups?

Answer: Yes.

A 3-2-1 encrypted backup strategy is implemented.

What is your RTO?

Answer: 24–48 hours in catastrophic failure scenarios.

What is your RPO?

Answer: Dependent on configured backup intervals.

THREAT PROTECTION

Do you use a Web Application Firewall?

Answer: Yes.

mod_security (FULL ruleset) is enabled.

Do you use malware detection?

Answer: Yes.

Imunify360 provides real-time malware scanning and proactive exploit prevention.

Are systems patched regularly?

Answer: Yes.

Automatic security updates and critical CVE remediation are enabled.

DATA PROTECTION & GDPR

Do you act as a Data Controller or Processor?

Answer: CFTS acts as a Data Processor; the client is the Data Controller.

Do you have a Data Processing Addendum?

Answer: Yes.

A GDPR-aligned DPA is available.

Do you notify clients of breaches?

Answer: Yes.

Clients are notified without undue delay in the event of a confirmed personal data breach.

INCIDENT RESPONSE

Do you have an incident response plan?

Answer: Yes.

Documented procedures are in place.

Are security events monitored?

Answer: Yes.

Monitoring, logging, and alerting systems are active.