Information Security Overview

Effective Date: 30 March 2026

Company: Bacsoft Limited

Introduction

Bacsoft Limited is committed to protecting the confidentiality, integrity, and availability of the systems and data entrusted to us.

We implement a range of technical and organisational controls aligned with industry best practices to ensure secure delivery of our software and services.

Hosting and Infrastructure

Our services are hosted using secure, enterprise-grade cloud platforms, including:

  • Microsoft Azure (virtual machines, storage, backups).
  • Microsoft 365 (email, collaboration, identity).

Infrastructure is configured to ensure high availability, resilience, and secure access.

Access Control

  • Role-based access control (RBAC) is enforced.
  • Least privilege principles are applied.
  • Administrative access is restricted to authorised personnel only.
  • Multi-factor authentication (MFA) is used where applicable.

Data Security

We implement measures to protect data at rest and in transit:

  • Encryption in transit using TLS 1.2 or higher.
  • Secure identity and authentication controls.
  • Data stored in secure cloud environments (UK/EU regions where applicable).

Backup and Disaster Recovery

We maintain formal backup and recovery procedures to ensure data resilience:

  • Regular automated backups of systems and databases.
  • Recovery Time Objective (RTO): 24 hours.
  • Recovery Point Objective (RPO): 12 hours.
  • Periodic testing of backup and restore processes.

Business continuity procedures are in place to maintain operations during disruption.

Vulnerability Management

We actively monitor and manage system security:

  • Dependency and vulnerability scanning (e.g. GitHub Dependabot).
  • Regular review of software components and updates.
  • Security patching applied via managed update processes.
  • No known critical vulnerabilities in production systems.

Network and Application Security

  • HTTPS enforced (TLS 1.2+).
  • Legacy protocols (TLS 1.0/1.1) disabled.
  • Firewalls and restricted access to management interfaces.
  • No public exposure of databases or administrative services.
  • Secure configuration aligned with OWASP guidance.

Monitoring and Logging

We maintain logging and monitoring to support system integrity and incident detection:

  • Authentication and access events logged (via Microsoft Entra ID).
  • Application and server logs maintained for diagnostics.
  • Alerts generated for suspicious or invalid system activity.

Incident Response

In the event of a security incident:

  • Affected systems are isolated.
  • Access credentials are reset as required.
  • Systems are restored from clean backups.
  • Clients are notified where appropriate.

Personnel and Third Parties

We ensure that anyone with access to systems or data operates securely:

  • Access limited to authorised employees and contractors.
  • Confidentiality obligations in place.
  • Third parties and contractors operate under contractual and data protection controls.

Compliance and Governance

We maintain structured processes and continuous improvement:

  • ISO 9001 certified quality management system.
  • Documented operational, security, and recovery procedures.
  • Regular review of policies and controls.

We are currently reviewing formal certification pathways including ISO 27001 and Cyber Essentials.

Continuous Improvement

  • Periodic security reviews.
  • System updates and improvements.
  • Alignment with evolving industry standards.

Contact

For security-related enquiries, please contact:

Bacsoft Limited

Email: enquiry@bacsoft.co.uk
