Cloud policy

ETHISYS LTD 

Cloud Security Policy 

Last Updated: 9 April 2026  ·  England & Wales  ·  UK GDPR / PECR Compliant 

 

Contact: privacy@ethisys.co.uk  ·  Company No. 11371203  ·  Registered in England and Wales 

This policy applies to all Ethisys Ltd employees, contractors, consultants, and third parties who access, process, or store data using cloud-based services on behalf of Ethisys Ltd. Questions should be directed to privacy@ethisys.co.uk. 

  1. Purpose and Scope

Ethisys Ltd uses cloud computing services to deliver AI, automation, and digital transformation solutions to clients. This policy establishes controls for the secure procurement, configuration, and ongoing use of cloud services to protect the confidentiality, integrity, and availability of company and client data. 

This policy applies to all cloud environments used by Ethisys Ltd, including: 

  • Infrastructure as a Service (IaaS) — e.g., Microsoft Azure, Amazon Web Services 
  • Platform as a Service (PaaS) — e.g., Azure App Service, Azure Functions 
  • Software as a Service (SaaS) — e.g., Microsoft 365, Sitecore, HubSpot 
  • Developer and CI/CD platforms — e.g., GitHub, Azure DevOps 
  1. Policy Statement

Ethisys Ltd is committed to maintaining the security of information assets held or processed in cloud environments. All cloud services must be approved, configured, and monitored in accordance with this policy, relevant industry standards (including ISO 27001 principles and CIS Benchmarks), and applicable law including UK GDPR and the Data Protection Act 2018. 

  1. Cloud Service Procurement and Approval
  • All new cloud services must be approved by the Technical Lead before use. 
  • Procurement must consider the provider’s security certifications (ISO 27001, SOC 2, Cyber Essentials). 
  • A Data Protection Impact Assessment (DPIA) must be completed where the service involves personal data. 
  • Data Processing Agreements (DPAs) under Article 28 UK GDPR must be signed with all cloud processors. 
  • Services processing personal data must store data within the UK or EEA, or have adequate transfer mechanisms in place. 
  1. Data Classification and Storage

4.1 Classification 

All data stored in cloud environments must be classified: 

  • Public — Information approved for unrestricted public access 
  • Internal — Business information for internal use only 
  • Confidential — Sensitive business or client data requiring access controls 
  • Restricted — Highly sensitive data including personal data, credentials, financial records 

4.2 Storage Controls 

  • Restricted and Confidential data must not be stored in public cloud storage buckets or repositories. 
  • Personal data must be stored in named, approved cloud regions only. 
  • Test and development environments must not contain live personal data unless explicitly approved. 
  • Cloud storage must have versioning and soft-delete enabled where technically feasible. 
  1. Identity and Access Management
  • Access to cloud resources must follow the principle of least privilege. 
  • Multi-Factor Authentication (MFA) is mandatory for all cloud console and administrative access. 
  • Service accounts and API keys must be non-personal and scoped to minimum required permissions. 
  • API keys, secrets, and credentials must never be committed to source code repositories; use Azure Key Vault or equivalent. 
  • Access rights must be reviewed quarterly and revoked promptly upon role changes or offboarding. 
  • Root or owner-level accounts must be protected with MFA and used only when operationally necessary. 
  • Role-Based Access Control (RBAC) must be applied on all cloud platforms where available. 
  1. Encryption
  • All data in transit must be encrypted using TLS 1.2 or higher. 
  • All data at rest classified as Confidential or Restricted must be encrypted using AES-256 or equivalent. 
  • Encryption keys must be managed using a dedicated key management service (e.g., Azure Key Vault, AWS KMS). 
  • Customer-managed keys must be used where required by client contracts or data sensitivity. 
  • Database connections must use SSL/TLS; unencrypted connections are not permitted. 
  1. Network Security
  • Cloud virtual networks must be segmented with firewalls or Network Security Groups (NSGs). 
  • Inbound internet access to management interfaces (SSH, RDP, admin consoles) is prohibited except via VPN or bastion host. 
  • Public-facing endpoints must be protected by a Web Application Firewall (WAF) where feasible. 
  • Unused ports, protocols, and services must be disabled. 
  • Remote workers must use approved VPN or Zero Trust Access where required. 
  1. Vulnerability Management and Patching
  • Cloud infrastructure components must be patched within 30 days of a patch release, and within 7 days for critical CVEs (CVSS ≥ 9.0). 
  • Automated vulnerability scanning must be performed at least monthly on cloud workloads. 
  • Container images must be scanned for known vulnerabilities before deployment. 
  • Infrastructure as Code (IaC) templates must be reviewed for security misconfigurations before deployment. 
  1. Security Monitoring and Logging
  • All cloud environments must have audit logging enabled (authentication events, administrative actions, data access). 
  • Logs must be retained for a minimum of 12 months and protected from unauthorised modification. 
  • Alerts must be configured for: failed authentication, privilege escalation, unusual data export, configuration changes. 
  • Security monitoring tools (e.g., Microsoft Defender for Cloud, AWS Security Hub) must be enabled on production environments. 
  1. Incident Response
  • Suspected cloud security incidents must be reported to the Technical Lead within 4 hours of discovery. 
  • Where a personal data breach is suspected, the Data Protection contact must be notified immediately. 
  • Confirmed reportable breaches must be notified to the ICO within 72 hours (UK GDPR Article 33). 
  • Affected individuals must be notified without undue delay if at high risk (UK GDPR Article 34). 
  • All incidents must be documented with a post-incident review completed within 14 days. 
  1. Business Continuity and Disaster Recovery
  • Critical cloud-hosted systems must have a documented RTO and RPO. 
  • Backups of critical data must be taken at minimum daily, stored in a separate region, and tested quarterly. 
  • Disaster recovery procedures must be tested at least annually. 
  • Cloud provider status pages for key services must be subscribed to. 
  1. Third-Party and Supplier Obligations

Third parties and contractors accessing Ethisys cloud environments or client data must: 

  • Sign appropriate agreements including NDAs and DPAs where applicable. 
  • Adhere to this policy and any additional client-specific security requirements. 
  • Use MFA for all cloud access. 
  • Not sub-process personal data without prior written consent. 
  • Notify Ethisys Ltd of any actual or suspected incidents within 24 hours. 
  1. Compliance and Audit
  • Cloud environments must be configured per provider security benchmarks (e.g., CIS Benchmark for Azure/AWS). 
  • Compliance posture must be reviewed quarterly using automated tooling where available. 
  • Ethisys Ltd reserves the right to audit cloud usage and access logs at any time. 
  1. Roles and Responsibilities

Role 

Responsibility 

Technical Lead / CTO 

Policy ownership; approval of cloud services; incident escalation point 

Developers / Engineers 

Compliance in day-to-day cloud operations; reporting incidents 

Project Managers 

Ensuring client projects use only approved services and configurations 

All Staff / Contractors 

Adherence to this policy; reporting suspected violations or breaches 

Data Protection Contact 

Overseeing DPIA process; ICO notification; privacy@ethisys.co.uk 
  1. Policy Review

This policy is reviewed annually or following a significant change to Ethisys Ltd’s cloud environment, a material security incident, or a change in relevant legislation. The current version is effective from 9 April 2026. 

Questions: privacy@ethisys.co.uk