Legal · Updated 23 May 2026

Information Security Policy

This policy describes AdoptIQ's technical and organisational controls. It is incorporated by reference into the AdoptIQ Master Services Agreement (§6.3) and the Data Processing Agreement (§8).

1. Scope and governance

This policy applies to all AdoptIQ staff, contractors and systems that process Customer Data. The CTO is the accountable owner. The policy is reviewed at least annually and after any material incident.

AdoptIQ is aligned to ISO 27001 from launch and targets formal certification by the end of Year 2. Cyber Essentials certification is targeted by the end of Year 1 and Cyber Essentials Plus by the end of Year 2.

2. Data residency and hosting

All Customer Data is hosted in the United Kingdom (AWS London, eu-west-2). Off-region backups are held in AWS Ireland (eu-west-1). No Customer Data is transferred outside the UK / EEA.

3. Encryption

Encryption at rest: AES-256 via AWS KMS-managed keys for databases, object storage and backups.

Encryption in transit: TLS 1.2+ for every connection between users, AdoptIQ services and connected SaaS estates.

4. Access control

Role-based access control with least-privilege defaults. All AdoptIQ employee access requires multi-factor authentication.

Production access is limited to named on-call engineers; access is logged and reviewed monthly.

5. Logging, monitoring and audit

Administrative actions on Customer workspaces are written to a tamper-evident audit log retained for 7 years (see /legal/audit-retention).

Application and infrastructure logs are retained for 12 months. Security alerts route to a 24/7 on-call rota.

6. Vulnerability and change management

Dependencies are scanned daily; critical CVEs are patched within 72 hours. External penetration testing is performed quarterly from Year 2.

All production changes go through code review and CI checks before deployment.

7. Incident response

AdoptIQ maintains a documented incident-response plan. Personal-data breaches are notified to the Customer within 24 hours of confirmed detection, in line with the DPA and UK GDPR Article 33.

8. Personnel

All staff complete annual security and data-protection training. Background checks are completed before access to production. Confidentiality obligations survive termination.

9. Business continuity

Database point-in-time recovery covers the previous 7 days; daily encrypted backups are retained for 35 days. The production service has an RPO ≤ 1 hour and an RTO ≤ 4 hours.

10. Contact

security@adoptiq.co.uk · The CTO is the named security contact.