Information Security Statement

A summary of the technical and organisational measures EasyQMS uses to protect customer data.

Last updated: Thursday 4th June 2026

This document is a working template. Specifics marked [REVIEW] must be confirmed by EasyQMS leadership and legal counsel before being relied upon contractually.

Data protection

  • All traffic encrypted in transit with TLS 1.2+.
  • Customer data encrypted at rest using AES-256 by the managed database provider.
  • Backups encrypted and rotated on a rolling schedule.

Access control

  • Row-Level Security (RLS) policies enforce per-tenant and per-role access at the database layer.
  • Role separation: engineer, foreman, manager and compliance administrator — with least-privilege defaults.
  • Administrative access to production is restricted, logged and reviewed.
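How the row-level security bullet above is typically implemented in PostgreSQL, shown here as an added example rather than EasyQMS's own schema or policies. The page does not state which database engine is used, and the table, role and session settings below (documents, easyqms_app, app.tenant_id, app.role) and the tenant UUID are assumptions made for illustration:

```sql
-- Added example (not EasyQMS code): per-tenant and per-role access enforced
-- at the database layer with PostgreSQL row-level security.
-- Assumed names: table documents, application role easyqms_app,
-- transaction settings app.tenant_id and app.role.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    created_by text NOT NULL
);

-- The application connects as a dedicated role that does NOT own the table.
-- Table owners and superusers bypass RLS unless FORCE is set, so both the
-- separate role and the FORCE line matter.
CREATE ROLE easyqms_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO easyqms_app;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO easyqms_app;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Tenant isolation: reads and writes are limited to the tenant the current
-- transaction has been tagged with. If the tag is missing (NULL) or empty
-- string (what a placeholder setting reports after an earlier SET LOCAL),
-- NULLIF yields NULL, the comparison is NULL, and no rows match: fail closed.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO easyqms_app
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Role gate on deletion. Permissive policies for the same command are
-- OR-combined, so a second permissive policy would widen access; declaring
-- this one AS RESTRICTIVE makes it AND-ed with the tenant check.
CREATE POLICY delete_requires_manager ON documents
    AS RESTRICTIVE FOR DELETE TO easyqms_app
    USING (current_setting('app.role', true) IN ('manager', 'compliance_admin'));

-- Per request: tag the transaction, not the session. SET LOCAL is undone at
-- COMMIT/ROLLBACK, so a pooled connection cannot carry one tenant's tag into
-- the next request. Tenant UUID below is a constructed placeholder.
BEGIN;
SET LOCAL ROLE easyqms_app;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
SET LOCAL app.role      = 'engineer';
SELECT id, title FROM documents;       -- only rows where tenant_id matches the tag
DELETE FROM documents WHERE id = 1;    -- DELETE 0: engineer fails the restrictive policy
COMMIT;
```

Two checks worth running against any RLS deployment: confirm the application's connection role is not the table owner and that FORCE ROW LEVEL SECURITY is set (otherwise the policies are silently skipped), and confirm that a transaction with no tenant tag returns zero rows rather than every row.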

Application security

  • Server-side authentication checks on every privileged action.
  • Audit logs for sensitive operations with a validated, namespaced action allowlist.
  • Dependency scanning and timely patching of known vulnerabilities.
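One way to enforce the "validated, namespaced action allowlist" for audit logging inside the database, shown as an added example rather than EasyQMS's own implementation. The table names are assumptions, and the example assumes the application role easyqms_app already exists (it is not created here):

```sql
-- Added example (not EasyQMS code): append-only audit log whose action names
-- must come from a namespaced allowlist. Assumed names: audit_actions,
-- audit_log; assumes application role easyqms_app already exists.

-- The allowlist itself. The CHECK forces every entry into "namespace.verb"
-- form, so a free-text or mistyped action can never be registered.
CREATE TABLE audit_actions (
    action      text PRIMARY KEY
                CHECK (action ~ '^[a-z][a-z0-9_]*\.[a-z][a-z0-9_]*$'),
    description text NOT NULL
);

INSERT INTO audit_actions (action, description) VALUES
    ('document.approve', 'Document approved for release'),
    ('user.role_change', 'A user''s role was changed'),
    ('export.bulk',      'Bulk data export requested');

-- The log. The foreign key is the validation: an INSERT naming an action that
-- is not on the allowlist is rejected by the database, not by application code.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,
    action      text        NOT NULL REFERENCES audit_actions (action),
    target      text,
    details     jsonb       NOT NULL DEFAULT '{}'::jsonb
);

-- Append-only for the application: it may read the allowlist and read/insert
-- log rows, but has no UPDATE, DELETE or TRUNCATE on history and cannot add
-- actions to the allowlist (that is a schema change reviewed by engineers).
GRANT SELECT          ON audit_actions TO easyqms_app;
GRANT SELECT, INSERT  ON audit_log     TO easyqms_app;
GRANT USAGE, SELECT   ON SEQUENCE audit_log_id_seq TO easyqms_app;

-- Run as easyqms_app (tenant UUID is a constructed placeholder):
SET ROLE easyqms_app;

-- Accepted: action is on the allowlist.
INSERT INTO audit_log (tenant_id, actor, action, target)
VALUES ('00000000-0000-0000-0000-000000000001', 'alice@example.com',
        'document.approve', 'doc-42');

-- Rejected with a foreign-key violation: 'document.delete' is not allowlisted.
INSERT INTO audit_log (tenant_id, actor, action, target)
VALUES ('00000000-0000-0000-0000-000000000001', 'alice@example.com',
        'document.delete', 'doc-42');

-- Rejected with permission denied: history cannot be rewritten.
DELETE FROM audit_log WHERE id = 1;
```

Keeping the allowlist in a table rather than in application constants means the set of auditable actions is visible to reviewers with plain SQL, and a deploy that starts emitting an unregistered action fails loudly at the first write instead of silently producing an unlabelled log line.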

Operational security

  • MFA enforced for all team members with access to production.
  • Background checks for staff with access to customer data, where lawful.
  • Incident response procedure with a 72-hour breach notification commitment.

Reporting an issue

If you believe you've found a security issue, please follow our Vulnerability Disclosure policy.

Contact

Questions about this policy? Email privacy@easyqms.co.uk.