Compliance Statement
If you’re considering Cloud Gateway or are already working with us, you should know that we take compliance seriously. Security, data protection, quality, resiliency and our ESG impact are of the utmost importance to us - read how we manage these below!
Roles
Firstly, we have defined security, data protection and compliance roles and responsibilities for individual employees. These are recorded in role profiles and policies and include our Senior Leadership Team who take pride in our ability to uphold our ISMS, QMS and data privacy in everything that we do.
Risk management
As an organisation with a certified ISMS and QMS, we take a risk-based approach to operations. Risk management is an integral part of our operational processes, and we also encourage an open environment in which any member of staff can raise risks.
Security
How do we maintain and deliver a secure product to you?
Our service is built to adhere to the HMG UK Official guidelines, which in turn adhere to the National Cyber Security Centre (NCSC) cloud security principles.
ISO 27001
Since 2020, we have been continually awarded ISO 27001 certification by a UKAS accredited body.
ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system.
CyberEssentials PLUS
Since 2022, we have been awarded Cyber Essentials and Cyber Essentials PLUS certificates.
CyberEssentials PLUS is a UK-based scheme designed to test and conclude that an organisation has a minimum level of cyber security protection in place.
Cloud Gateway hosts its product on the major cloud platform Amazon Web Services (AWS). The AWS data centres are located in the United Kingdom. Our products and services can be configured to other locations if required.
Hosting Cloud Gateway on these major cloud platforms provides us with extra benefits such as security tools, server maintenance, and redundancy.
See Business continuity for further information on redundancy.
We house our networking equipment in specially selected data centres in the UK. The data centres are kept secure and operational by the providers and benefit from CCTV, fire detection and suppression systems, airflow systems, power redundancy, access control, visitor management and more. All data centre providers are ISO 27001, ISO 22301, 14001 and 5001 certified, as well as SOC 2 Type II certified.
Personnel security is managed through a number of policies and procedures.
Security checks and clearance
We vet our employees before they begin working for the company via BPSS background checks. Additional security clearance is obtained whenever it is required for our customer accounts (e.g. SC level).
Confidentiality
Confidentiality clauses are included in all employee contracts.
We also ensure confidentiality clauses or Non-Disclosure Agreements with third parties where necessary. See Supplier management for further information.
On and offboarding employees
See Access control
Staff security training
All employees are required to complete compliance and security training when they join Cloud Gateway, and annually thereafter. This training covers security, quality, data protection, ESG (see below) and general compliance topic areas.
Across the business, the principle of least privilege is enforced and role-based access controls are in place to prevent unauthorised disclosure or access to information. Access to information is frequently audited.
Joiner, mover and leaver processes ensure access provision and revocation at appropriate times for employees (which is immediately for leavers).
Segregation of duties
Responsibilities are segregated so that departments manage areas within their expertise, such as networking, development, security, compliance, service delivery and internal operations. There are no role-related crossovers within the business.
Employees accessing the production network are required to use multiple factors of authentication, such as SSO, VPN connection and individual application access controls.
We protect data and communications to uphold the confidentiality and integrity of all data, whether at rest or in transit.
Any customer data that we store is encrypted to AES-256 or AES-XTS.
All of our network management functionality uses SSH, HTTPS and SNMPv3.
We are a hybrid-working organisation that makes use of office “hubs”. These hubs are rented from third parties, who provide physical security features. Although there is no information processing or storing equipment in any hub, they benefit from CCTV, manned reception desks, security personnel and access control (e.g. access cards and physical keys).
Change management
We make use of a comprehensive change management programme. Further information on this can be found in the Quality section.
Passwords
Our employees must comply with an internal policy that sets requirements such as password length, characters, storage and re-use. A password management tool is enforced across the Technical team to support compliance with this policy.
Antimalware
Industry-standard antimalware software is installed across all endpoints and servers. The application updates automatically every day.
Backups
To ensure operational resiliency, backups of the product infrastructure and service data are taken no less frequently than daily, and backups of networking components hourly. All backups are cloud based.
The Cloud Gateway Portal is backed up in real time and replicated across several availability zones within the UK.
Logging and monitoring
Activity logging is enabled across information systems and networks. Administrators are prohibited from disabling logging activity or tampering with audit log information.
Patching and updates
We take a proactive but risk-balanced approach to patches and updates. Where we can safely make use of automatic patching, we do.
Vulnerabilities
Vulnerabilities are proactively identified, logged and dealt with using industry-standard tools and according to defined processes.
We also consume information on possible vulnerabilities through various threat intelligence feeds.
A cloud firewall at the boundary of our management network protects against unauthorised network ingress and egress. All allowed connections are subject to approval.
Network segregation
All customer networks are fully segregated.
Penetration tests
Every year, a penetration test known as an “IT Health Check” is used to ethically attempt to enter our network without authorisation, as well as review our perimeter security configurations.
The organisation that conducts the penetration test is both CHECK and CREST certified.
Cloud Gateway follows a secure development lifecycle (SDLC) and aligns to the OWASP framework to limit exposure to security risk.
Development, testing, staging and production environments are all separated and no production data is used in the development or test environments.
Before releasing development work into production, security testing is folded into acceptance testing to review security controls such as enforced encryption, backups, and logging and monitoring.
All suppliers are subject to due diligence assessments prior to onboarding. We review the supplier’s processes and accreditations in security, data protection, quality management, and resiliency, as well as their ESG strategies, business ethics, and legal and regulatory compliance.
If you are a customer, we will notify you of any incident that may affect you.
Our employees are trained in incident response processes, including communication channels and escalation paths. As well as procedures for identifying, reporting, and responding to incidents, we will raise problem records and conduct post-incident reports with root cause analysis to aid trend identification and implement lessons learned.
Data protection
Cloud Gateway is a GDPR compliant organisation.
We place great importance on data protection and privacy.
We recognise our obligations to meet the requirements of the GDPR and comply with the six data protection principles. Personal data is always:
Processed fairly, lawfully and in a transparent manner
Used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes
Adequate, relevant, and limited to what is necessary
Accurate and, where necessary, up to date
Not kept for longer than necessary
Kept safe and secure
Our ICO registration number is ZA413371.
Personal data of customers is stored in the United Kingdom and European Union. However, our products and services can be configured to other locations if required.
We are a data controller of the personal information you share with us to onboard you as a customer and of the cookies you allow us to track on our website.
As a network connectivity provider, we are not commonly a data processor for our customers. Data is transferred through our gateway and across the network we have connected for you. By its very nature, we cannot access encrypted data, and therefore are not a data processor of this traffic.
Where data is transferred in an unencrypted format (which some customers may require, and which is the customer’s choice) and contains personal information of UK/EU citizens, we are a data processor if we are required to access packet information of the transfer. We may access this information to provide troubleshooting support and investigation. Access to this information is restricted to our technical engineers only, and under no other circumstances are engineers obliged or permitted to view traffic content.
Internally we implement various technical and organisational safeguards to protect personal information. These include:
Encryption at rest and in transit where it can be enforced
Access control such as the principle of least privilege and role-based access control
Audit logs to track access and administrator activity
Authentication procedures (SSO, MFA)
Backup and restore procedures
Data collection minimisation
Data retention schedule procedures
Cloud Gateway does not collect any customer’s special category information.
We only retain personal information for as long as it is necessary to be kept, which may include compliance with legal obligations.
At the end of a contract, or upon request from a customer where retention is not required by law, we will delete personal information in accordance with our Privacy policy.
We are a generally paperless company. If there is any case of physical records containing confidential/sensitive information, it must be securely disposed of, i.e. shredded.
We outsource the destruction of digital data to a third party, who meets the security and compliance requirements of the Ministry of Defence and the US Department of Defense, and destroys data via degaussing, Blancco and EDR-HDC.
As per our Privacy policy, if you wish to exercise any of your rights under the GDPR, please email compliance@cloudgateway.co.uk. Our Data Protection Officer will get back to you.
We are registered with the ICO; you can search their database to access our registration information.
Quality
How do we deliver a quality product and service?
ISO 9001
Since 2020, we have been awarded ISO 9001 certification by a UKAS accredited body.
ISO 9001 specifies the requirements for establishing, implementing, maintaining and continually improving a quality management system.
We place a great deal of care and emphasis on the products we offer our customers, from technical solutions to end-user capability in the Cloud Gateway Portal, and we are always looking for new products to benefit you. In fact, we actively seek ideas from our customers and staff alike.
When designing new products, we follow project management guidelines to include relevant stakeholders, gain approvals, record expectations, test deliverables and communicate releases before rolling them into production.
We practise an ITIL aligned change management process that governs all changes to our production systems/services. This includes peer review, implementation plans, testing, rollback plans, risk profiles and Change Advisory Boards (CAB).
Our service desk is composed of excellent agents committed to providing you quality support. Our processes align with the ITIL framework, carefully managing maintenance and changes, and our agents are all ITIL certified.
We truly are a customer focused organisation. After every engagement with our Service Desk, customers have the opportunity to provide feedback and under our Premium Support plan, we deliver monthly service reviews to make sure you are happy with the product and service you are receiving.
We strongly encourage our customers to provide as much feedback as possible and as often as possible, to help us monitor and continually improve our delivery of service.
We also generate a Net Promoter Score (NPS) to gauge our success at every stage of your journey. Across marketing, sales, finance, support and technical delivery, we want to understand how satisfied you are with Cloud Gateway.
We have designed and implemented a continual service improvement process to make use of both internal and external feedback on the quality of our service delivery. We encourage our customers and staff to raise improvement ideas that we then record, review and plan for production where they meet the criteria of the process. We factor in how we will be able to monitor the success of these improvements to validate them as well.
Business Continuity
Keeping you connected is as crucial to us as it is to you.
Our network is highly resilient with redundant equipment and failover sites, and we offer dual WAN links to our customers as well.
The Cloud Gateway Portal is replicated across several availability zones within the UK.
We take backups of important information as described in the Backups section.
To make sure this resiliency works as we expect it to, we have designed continuity plans that we test on an annual basis.
As far as internal operations are concerned, we are a remote working organisation meaning we don’t rely on physical offices and there is no risk to operations should we need to work from home. All of the IT systems we use are cloud based with resiliency and are subject to due diligence assessments. See Supplier management for further information.
Environment, social, governance
We align with the UK government Procurement Policy Note 06/20 (PPN 06/20) when monitoring, reviewing and implementing initiatives for ESG.
We are committed to making positive contributions across ESG (Environmental, Social and Governance) frameworks. We invest significant attention and focus in these areas and have a taskforce dedicated to introducing and driving initiatives across the company.
Not only are we dedicated to limiting our environmental impact and making positive contributions to the environment, we are also committed to achieving Scope 1 and 2 Net Zero emissions by 2030, and Net Zero across Scope 3 by 2035.
See our Carbon Reduction Plan and overarching Environmental policy.
We support our workforce actively through wellbeing initiatives such as a Buddy System, line manager touchpoints and staff performance reviews that specifically address wellbeing and stress.
We heavily invest and promote ongoing learning and development for our staff and contribute to the wider community through volunteering and mentorship initiatives, such as supporting young people to write CVs.
We create a community for our employees to feel at home in and represented through equity, diversity and inclusion policies and stand against any form of harassment or bullying.
To calculate our wider social value impact, we are subscribed to an online, government-backed software platform known as the Social Value Portal.
Our Senior Leadership Team is composed of both men and women and we have a diverse workforce free from discrimination or bias. Transparency is one of our core company values and so whistleblowing policies and management of conflicts of interest help us to operate openly.
Every year we release a Modern Slavery Statement on our website to demonstrate our adherence to the Modern Slavery Act.
We keep on top of applicable legislation and regulation internally and with the support of external counsel. Employees are directly assigned responsibility to ensure our compliance.