Control matrix

We maintain a top-level Information Security Policy plus topic-specific policies (access control, cryptography, backup, incident response, supplier security, secure development, acceptable use, BCM, data classification). Each is reviewed annually or after a significant change and is approved by the CTO.

Security roles are documented in the ISMS. The CTO is the accountable executive; a Head of Security operates the day-to-day programme; every engineering team has a named security champion.

Production deployments require approval by a second engineer. Payouts and finance operations are split between Engineering and Finance. Audit log review is performed by Security, not by the team being reviewed.

Every employment contract references the Information Security Policy. Performance reviews include adherence to security policies. Line managers reinforce expectations during onboarding and at least annually.

We maintain documented contacts for the ICO (UK), the National Cyber Security Centre (NCSC), our card-scheme acquirer for PCI matters, and the relevant police cyber units.

Security engineering staff hold memberships with (ISC)² and ISACA, and we subscribe to NCSC CiSP and industry ISACs for early threat intelligence.

We ingest threat feeds from CISA KEV, NCSC, our cloud provider and our endpoint vendor. Indicators are correlated against our SIEM and reviewed weekly by the Security team.

All new projects pass through an architecture review that includes a security checklist. Privacy-impacting projects also undergo a Data Protection Impact Assessment.

We maintain a unified asset inventory covering services, data stores, endpoints and SaaS apps. Each asset has a named owner and classification. The inventory is reconciled monthly.

Our Acceptable Use Policy is published in the staff handbook and acknowledged on hire. It covers credentials, removable media, AI tools, BYOD and travel.

Joiner-Mover-Leaver process triggers asset return on day -1 of departure. Equipment is wiped and inventoried before re-issue or disposal.

We use a four-tier classification: Public, Internal, Confidential, Restricted. Customer member data is Confidential by default; cardholder data is Restricted.

Document templates carry the classification in the footer. Source code and infrastructure metadata are tagged with classification labels enforced by CI checks.

Internal transfers go via encrypted, access-controlled channels (Slack EKM, Google Workspace, Drive). External transfers of customer data require encrypted channels and a DPA.

Access decisions follow least privilege and need-to-know, enforced through role-based access via our identity provider. Access changes are logged and reviewed quarterly.

Every user has a single Azure AD identity provisioned by HR. Identities are deprovisioned within 1 hour of offboarding via SCIM. No shared accounts; service accounts are non-interactive.

Initial passwords are one-time only. Workforce passwords meet NIST SP 800-63B and are stored in a managed password vault. MFA is mandatory.

Access reviews run quarterly for production systems and bi-annually for SaaS. Privileged access is reviewed monthly.

Suppliers are risk-tiered. Tier 1 (processes customer data) require a documented security review, DPA, sub-processor disclosure, and an annual reassessment.

Our standard supplier contract includes the DPA, SCCs where applicable, breach notification SLAs, audit rights and sub-processor change notification.

We pin and verify dependency versions, sign and verify our own artefacts, and run SCA on every build. Supply-chain advisories trigger an SLA-driven triage.

Tier 1 suppliers are reassessed annually; sub-processor changes are reviewed within 30 days; SLA breaches and incidents trigger an out-of-cycle review.

Cloud services are procured through Security review. Configuration baselines are enforced via Infrastructure-as-Code. Exit playbooks exist for every Tier 1 cloud service.

Our Incident Response Plan defines severities, roles, comms templates and external SLAs. Tabletop exercises run quarterly.

Events flow into a single triage queue with documented severity criteria. The on-call Security engineer triages within 15 minutes during business hours, 1 hour out of hours.

Severity-1 incidents convene a bridge call within 15 minutes. We follow a Contain → Eradicate → Recover → Communicate workflow. Customer comms happen within 72 hours per UK GDPR Art. 33.

Every Sev-1 and Sev-2 incident has a blameless post-incident review within 14 days. Action items are tracked to completion in the ISMS register.

Audit logs are tamper-evident and retained for 1 year hot, 7 years cold. Forensic acquisition follows ACPO good-practice guidance.

Our Business Continuity Plan defines security controls that must remain active during disruption (logging, access control, encryption). DR runbooks are tested quarterly.

Production runs across multiple Availability Zones with automated failover. RPO 1h, RTO 4h. Quarterly restore tests are documented in the ISMS.

We maintain a compliance register covering UK GDPR, DPA 2018, PCI DSS, ICO guidance, and country-specific FA / sport governing-body requirements.

Open-source dependencies are licence-scanned by SCA. Contributor agreements are required for OSS contributions. Customer-owned content remains the property of the customer.

Financial and audit records are stored in WORM (write-once-read-many) storage with documented retention. Access is logged and limited to Finance and Audit roles.

ISO/IEC 27018 governs how we handle PII in cloud environments. Our Privacy Notice and DPA describe controller and processor responsibilities.

Independent review is performed annually by our external auditor (NQA). Internal audit performs interim reviews on a rolling 12-month cycle.

Automated compliance checks run continuously against our infrastructure. Manual policy adherence is audited at least annually.

Runbooks live in our internal docs system alongside the code. They are linked from monitoring alerts and reviewed when the underlying system changes.

All new hires undergo right-to-work, identity, criminal-record (BS 7858 standard) and reference checks before access is provisioned. Higher-trust roles require enhanced DBS.

Every contract includes confidentiality, IP assignment and obligations to comply with the Information Security Policy. Failure to comply is grounds for disciplinary action.

All staff complete onboarding security training within 7 days and annual refresher training. Engineers receive role-specific secure-coding training. Phishing simulations run monthly.

Security-related disciplinary actions follow the People team's documented procedure with HR and Legal review. Sanctions range from formal warning to termination and referral to law enforcement.

Exit briefings cover ongoing confidentiality, IP and non-solicit obligations. We retain audit-log evidence for 7 years post-departure.

Mutual NDAs are signed before sharing any non-public security or product information with external parties. Internal NDAs are part of employment.

Remote working baseline: managed device, full-disk encryption, MDM-enforced screen lock, VPN/Zero-Trust access, no public-Wi-Fi without VPN, secure home-office guidance.

All staff can report incidents via #security-incidents in Slack, security@teamfeepay.com, or an anonymous form. Reports are acknowledged within one business hour.

We operate a cloud-hosted service — production data centres are AWS regions in the UK and EU, with documented physical security audited under ISO 27001 and SOC 2.

Office access requires badge + photo ID. Visitors are escorted and logged. The AWS facilities we rely on use multi-factor physical access controls.

Sensitive meetings happen in dedicated rooms with no recording. Server rooms (where they exist) require a separate badge group.

Our offices have CCTV at all entry points with 30-day retention. Out-of-hours access is alerted to Security on-call.

Our DR strategy uses two physically separate cloud regions. Production data has no single-site dependency.

Secure-area working procedures cover clean desks, restricted devices and visitor escorting.

Devices auto-lock within 5 minutes of inactivity (enforced by MDM). Confidential paper output is shredded; we maintain a clear-desk policy.

Workstations are not visible from public-facing windows. Removable media is prohibited on production endpoints.

Off-site equipment (laptops, phones) is enrolled in MDM, encrypted at rest, with remote wipe capability.

Removable media is banned on managed endpoints. Cloud-backed encrypted storage replaces all USB use cases.

We rely on AWS facilities with N+1 power, multiple ISPs and standby generators. Our offices have UPS-protected network closets.

Office cabling is routed through protected containment. Inter-site connectivity uses encrypted tunnels regardless of carrier.

Endpoint maintenance is delivered through MDM. Cloud infrastructure maintenance is performed by our cloud provider under SLA.

Endpoints are wiped to NIST SP 800-88 standards before reissue or disposal. Cloud-managed storage is cryptographically erased on decommission.

All endpoints are MDM-managed, full-disk-encrypted (FileVault/BitLocker), with EDR, screen-lock and remote-wipe enforced.

Privileged access is JIT — engineers request elevated access through an approval workflow; access is time-bound and logged.

Application-level access is enforced by RBAC and ABAC. Database access to customer data is restricted to a small named group and logged.

Source code lives in a managed Git provider. Production-deploying repos require branch protection, code review and signed commits.

Workforce authentication is SSO via Azure AD with phishing-resistant MFA. Customer-facing authentication supports MFA and (for Business plans) SAML/OIDC SSO.

Capacity is tracked per service with alerts at 70% and 85%. Autoscaling handles transient load; quarterly capacity planning handles trend growth.

Managed EDR runs on every endpoint and inbound email scans for malware. Production hosts are immutable and rebuilt rather than patched in place.

Critical CVEs are patched within 7 days, high within 30, others on a rolling cadence. SCA and SAST run on every build; DAST runs nightly against staging.

Production configuration is declared in Terraform and Kubernetes manifests with drift detection. Endpoints are baselined to CIS Level 1 via MDM.

Customer accounts are deleted 30 days after cancellation. Backups are purged on a 90-day rolling window. Deletion is logged and verifiable.

Non-production environments are seeded with anonymised data. Where production data is required for support, just-in-time access is logged and time-boxed.

DLP rules monitor email and SaaS for sensitive data egress. Endpoint controls prevent removable-media writes. Cloud storage is bucket-level locked-down.

Production data has continuous point-in-time backup for 14 days and daily snapshots retained for 35 days. Restore tests run quarterly.

Multi-AZ deployment for stateful workloads; multi-region failover for the control plane. Targets: RPO 1h, RTO 4h.

Application, system and network logs ship to a central SIEM with tamper-evident storage. Retention is 1 year hot, 7 years cold.

Detection rules run continuously in the SIEM and EDR. Alerts page the on-call Security engineer 24/7 with documented response SLAs.

All systems sync to time.aws.com and time.cloudflare.com via NTP. Drift is alerted at 1 second.

Privileged utilities (database shells, deploy scripts) require JIT access, two-person approval for destructive commands and immutable session logs.

Production hosts are immutable; software changes flow through CI/CD with code review and automated tests. Endpoint software is managed via MDM allow-listing.

Production networks default-deny. Ingress flows through a WAF and DDoS scrubber. East-west traffic is mTLS where supported.

Network services are sourced from tier-1 providers under documented SLAs. Security characteristics are reviewed at supplier onboarding and annually.

Production, staging and corporate networks are fully segregated. Workloads are segmented by service with explicit allow-lists.

Endpoint DNS is filtered through a managed secure DNS provider. Categories like malware, phishing and high-risk are blocked by default.

TLS 1.2+ in transit; AES-256 at rest. Keys are held in a managed KMS with annual rotation and dual-control for backup keys.

We follow a documented SDLC aligned to OWASP SAMM Level 2 — threat modelling on new designs, code review, SAST/SCA, DAST, and dependency policy gates.

Every product epic begins with documented security requirements derived from the threat model, OWASP ASVS and PCI DSS where applicable.

Engineering follows documented principles: zero-trust, defence in depth, secure by default, fail closed, minimise blast radius, and explicit identity for every actor.

Coding standards mandate parameterised queries, output encoding, dependency pinning, secrets via the vault, and review for any custom crypto.

SAST and SCA run on every PR. DAST runs nightly against staging. Penetration testing runs annually plus on significant change.

Outsourced development goes through the same SDLC gates and code review as internal work. Outsourcers sign confidentiality and IP-assignment agreements.

Production has its own cloud account, identity boundary and network. Customer data does not flow into non-production environments.

All production changes go through pull-request review, automated tests and a documented deployment workflow. Emergency changes have a post-deploy review.

Non-production environments use synthetic or anonymised data. Where real data is necessary, it is masked and access is logged.

Audit and assessment activities are pre-agreed, scoped and use read-only access by default. Any destructive testing happens in dedicated environments.

Access to customer PII requires JIT elevation through an approved workflow; no shared accounts touch PII; access is reviewed quarterly.

All customer PII in transit uses TLS 1.2+; at rest uses AES-256 with keys held in a managed KMS with documented rotation and access logging.

Production PII is processed only in tier-1 cloud facilities (UK/EU regions) whose physical controls are independently audited under ISO 27001 / SOC 2.

All access to customer PII generates an audit event captured by our SIEM. Logs are tamper-evident and retained for at least 1 year.

PII transfers to or from customers occur via authenticated, encrypted APIs. PII is never transferred to a third party except an approved sub-processor under DPA.

Sub-processors are listed on this Trust Centre. New or replaced sub-processors are announced with 30 days notice to allow controllers to object.

Confirmed PII incidents are reported to affected customers within 72 hours, in line with UK GDPR Article 33, with the information required for them to notify their data subjects.

We maintain a compliance register covering UK GDPR, DPA 2018, ICO codes of practice, and customer DPAs. Compliance is reviewed annually and on regulatory change.

We act on documented controller instructions only. We do not use customer PII for marketing, profiling, training models or any purpose outside the contracted service.

Our DPA enumerates the purposes for which we process PII. Any new purpose requires written controller instruction.

We collect only what the customer's use of the platform requires. Optional fields are clearly marked as optional in the product and the API.

Temporary files containing PII are written to ephemeral, encrypted volumes and erased on job completion. Diagnostic dumps are scrubbed of PII.

Retention defaults are documented per data type and overrideable by the controller. Disclosure to authorities is permitted only with legal compulsion and, where lawful, with prior notice to the controller.

Admin tooling lets controllers (club administrators) correct PII directly. API endpoints provide the same capability programmatically.

This Trust Centre and our DPA describe how we handle PII, the sub-processors we use, the regions in which we process, and our retention defaults.

Controllers can fulfil access, correction and erasure requests directly via the admin console. Where they need our help, we respond within 30 days of a written request.

Accountability is demonstrated through ISO/IEC 27001 + 27018 certification, independent pen-testing, audit logs, and our published incident-response SLAs.

Our ISO 27001-aligned ISMS, encryption-in-transit-and-at-rest, key management, JIT access, EDR, SIEM monitoring and quarterly DR testing all serve this control.

PII is processed only in UK and EU regions. Where transfers occur outside the UK/EEA, we rely on UK and EU SCCs and supplementary measures, documented per transfer.