Our approach
Unhectic Limited operates a proportionate, defence-in-depth approach to information security. We do not certify against ISO/IEC 27001 at this stage, but our controls are aligned with its principles where they apply to a firm of our size, and we are willing to share specific control evidence with clients on request under appropriate confidentiality terms. Our focus is on the controls that meaningfully reduce risk for the work we actually do, rather than a paper compliance exercise.
Access control
We operate role-based, least-privilege access. Systems are accessible only to people who need them for their work, with permissions reviewed when a role changes. Multi-factor authentication is mandatory for all team members on all business-critical systems — email, source-code repositories, cloud consoles, ticketing, and any production environment. Access is revoked the same day someone leaves the business, and we audit the revocations periodically. Shared accounts are not permitted on production systems.
Encryption
In transit
All web traffic to and from systems we operate uses TLS 1.2 or higher. Older protocols are disabled. All client data crossing public networks is encrypted in transit, including traffic between our offices and the cloud platforms we use.
At rest
Sensitive data is encrypted at rest using current industry standards (AES-256 or equivalent), via the encryption services provided by our cloud platforms (Amazon Web Services, Google Cloud, and Microsoft Azure). Encryption keys are managed within those providers’ key-management services. Local laptops used by team members are encrypted at the disk level.
Vendor and sub-processor review
Any vendor that handles client data is reviewed for security posture before onboarding. The review covers data residency, the vendor’s own security certifications, the contractual data-protection terms they offer, and their incident-response track record. Material sub-processors are listed on the Sub-processors page, which we update when the list changes.
Incident response
We maintain a written incident response process. In the event of a confirmed or suspected security incident affecting client data, we will: (a) contain and investigate the incident without delay; (b) notify affected clients without undue delay and within 72 hours where the UK GDPR or our contract requires; (c) notify the Information Commissioner’s Office where the incident triggers a notification obligation; and (d) provide a written post-incident report describing what happened, the effect, and the corrective steps. We do not delay client notification while we work out what we want to say.
Business continuity
Critical systems are backed up daily, and backups are tested. We maintain offsite copies of key business records. We have tested failover procedures for the systems that support active client engagements, and we revisit those procedures when an engagement is added that materially changes the recovery profile. Our offices are not single points of failure for any work that is in flight.
Security monitoring
Production systems are monitored for anomalous behaviour using the tooling native to the cloud platforms we operate on, supplemented where appropriate by third-party monitoring. Critical security alerts are reviewed within one working day; high-severity alerts within four working hours. Logs of administrative activity on production systems are retained for at least one year.
Personnel security
All directors, employees, and contractors are bound by confidentiality terms that survive the end of their engagement. Background checks are run on personnel with access to client production systems before that access is granted. Security awareness is refreshed annually, with focused refreshers when a new threat pattern (for example, a notable phishing wave or supply-chain compromise) makes one warranted.
Annual review and improvement plan
This statement and the underlying control set are reviewed at least annually. Material control changes are reflected in the version banner. The review identifies controls to strengthen in the year ahead and tracks the closure of those items, so that improvement is a continuous activity rather than a one-off audit response.