Information Security Policy

At Square Root, information security is fundamental to how we operate, deliver services, and build client partnerships. We recognise that data is a critical asset, and its protection is essential to maintaining operational resilience, regulatory compliance, and client trust.

This Information Security Policy establishes the principles, controls, and governance mechanisms we apply to safeguard information assets in alignment with UK legal and regulatory requirements, including the UK General Data Protection Regulation and the Data Protection Act 2018.

Our objective is to ensure the confidentiality, integrity, and availability of information across all systems, processes, and environments.

Policy Objectives

The primary objectives of our Information Security Policy are to:

  • Protect sensitive client, employee, and organisational data from unauthorised access, disclosure, alteration, or destruction
  • Mitigate cybersecurity risks through proactive risk assessment and control implementation
  • Ensure compliance with applicable UK laws, regulations, and contractual obligations
  • Maintain business continuity and operational resilience
  • Foster a culture of security awareness and accountability

Security at Square Root is embedded at both strategic and operational levels.

Scope of the Policy

This policy applies to:

  • All employees, contractors, and third-party partners
  • All digital systems, networks, and applications
  • Cloud infrastructure and hosted environments
  • Physical and remote working environments
  • All data processed, stored, or transmitted on behalf of clients

Every stakeholder interacting with Square Root systems is expected to adhere to established security standards.

Governance & Leadership Oversight

We maintain a structured information security governance framework with defined accountability. Our governance structure includes:

  • Executive-level oversight of information security strategy
  • Clearly assigned roles and responsibilities
  • Documented security policies and operational procedures
  • Periodic risk assessments and internal reviews
  • Continuous policy evaluation and updates

Security governance ensures that information protection is embedded in business decision-making processes rather than treated as a technical afterthought.

Risk Management Framework

Square Root adopts a risk-based approach to information security. We conduct:

  • Threat identification and vulnerability assessments
  • Risk impact and likelihood analysis
  • Control effectiveness evaluations
  • Remediation planning and mitigation strategies

Risk assessments are performed during project onboarding, system architecture planning, and periodically throughout operational cycles.

This structured approach ensures that security controls remain proportionate, relevant, and effective.

Data Protection & Regulatory Compliance

We process personal data in accordance with the principles set out under UK data protection law, including:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

We implement:

  • Data Processing Agreements (DPAs) with clients and vendors
  • Data Protection Impact Assessments (DPIAs) where required
  • Clear retention and secure deletion policies
  • Cross-border data transfer safeguards when applicable

Compliance is integrated into system design, development, and operational workflows.

Technical Security Controls

Our technical safeguards are designed using a layered defence-in-depth strategy. These include:

Infrastructure Security

  • Secure cloud environments with hardened configurations
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Continuous infrastructure monitoring

Access Control Management

  • Role-Based Access Control (RBAC)
  • Least-privilege access principles
  • Multi-factor authentication (MFA)
  • Regular access reviews and audit logging

Data Protection Mechanisms

  • Encryption for data at rest and in transit
  • Secure API gateways
  • Secure key management practices
  • Database access restrictions

Application Security

  • Secure Software Development Lifecycle (SSDLC) practices
  • Code reviews and peer validation
  • Static and dynamic application security testing
  • Dependency vulnerability scanning

These controls are regularly reviewed and strengthened to address emerging threats.

Operational Security Measures

Information security extends beyond technology into daily operational conduct. We maintain:

  • Mandatory confidentiality agreements
  • Background verification where appropriate
  • Secure remote access policies
  • Device management controls
  • Security awareness and phishing prevention training
  • Documented change management procedures

Operational discipline ensures that security risks are managed proactively rather than reactively.

Incident Management & Breach Response

Despite robust preventative controls, incidents may occur. Square Root maintains a formal incident response framework to ensure rapid containment and remediation. Our process includes:

  • Immediate incident identification and containment
  • Root cause analysis and forensic investigation
  • Communication to affected stakeholders where required
  • Regulatory notification within statutory timelines where applicable (under UK GDPR, notifiable personal data breaches must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them)
  • Post-incident review and corrective action implementation

All incidents are documented, analysed, and used to strengthen preventative measures.

Business Continuity & Disaster Recovery

Maintaining service availability is critical to client operations. We implement:

  • Regular automated backups
  • Disaster recovery planning and testing
  • Infrastructure redundancy
  • Failover mechanisms
  • Business continuity planning documentation

These measures ensure operational resilience in the event of system disruption.

Third-Party & Supplier Security

We recognise that third-party vendors may introduce additional risk. We therefore:

  • Conduct vendor due diligence assessments
  • Review contractual security obligations
  • Monitor third-party access permissions
  • Require compliance with relevant security standards

Third-party access is limited and controlled under strict governance.

Continuous Improvement & Security Evolution

Cybersecurity threats evolve rapidly. Our Information Security Policy is not static. We maintain continuous improvement through:

  • Periodic policy reviews
  • Ongoing risk re-evaluation
  • Threat intelligence monitoring
  • Security control upgrades
  • Internal audits and compliance reviews

Our commitment is to maintain a proactive, adaptive, and resilient security posture.

Reporting Security Concerns

If you identify a potential security vulnerability or have concerns regarding information handling, please contact us immediately.

Square Root
Website: https://square-root.co.uk
Email: info@square-root.co.uk

All reported concerns are treated confidentially and investigated promptly.

Our Commitment to Trust & Protection

At Square Root, safeguarding information is a strategic priority. Through disciplined governance, secure engineering practices, regulatory alignment, and continuous monitoring, we ensure that the data entrusted to us remains protected at every stage of engagement.

Security is a foundational principle embedded into everything we build and deliver.