Security Overview

How MyQTAG protects your data and maintains platform integrity.

This document describes the technical and organisational security measures MyQTAG maintains to protect Subscriber data and ensure the ongoing availability and integrity of the platform. It is published for transparency and to support Subscriber due diligence.

1. Our Approach to Security

Security is a core part of how MyQTAG is built and operated. We apply a defence-in-depth approach across our infrastructure, application, and operational practices, seeking to reduce the likelihood and impact of security incidents at every layer.

Our security programme is designed around the following principles:

  • Least privilege — access to systems and data is limited to those who need it;
  • Defence in depth — multiple overlapping controls rather than reliance on any single measure;
  • Continuous improvement — regular testing, review, and updating of security controls;
  • Transparency — clear communication with Subscribers about how we protect their data.

2. Infrastructure & Hosting

2.1 Cloud Hosting

The MyQTAG platform is hosted on reputable cloud infrastructure providers operating data centres within the UK and/or European Economic Area. Our hosting providers maintain recognised security certifications, including ISO 27001 and SOC 2 Type II.

2.2 Data Residency

Primary data storage and processing takes place within the UK or EEA. Where any third-party sub-processor processes data outside these regions, appropriate transfer safeguards are in place in accordance with our Data Processing Agreement. A current list of sub-processors and their locations is published at myqtag.co.uk/sub-processors.

2.3 Redundancy & Availability

Our infrastructure is designed for high availability, including:

  • redundant components to eliminate single points of failure;
  • automated failover capabilities for critical services;
  • regular load testing and capacity planning;
  • monitoring and alerting for service degradation or outages.

2.4 Backups

Subscriber data is backed up regularly using automated backup processes. Backups are:

  • encrypted at rest and stored separately from primary data;
  • tested periodically to verify successful restoration;
  • retained for a rolling period sufficient to support recovery from accidental deletion or corruption.

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between users’ browsers and the MyQTAG platform is encrypted using TLS 1.2 or higher. We enforce HTTPS across all platform endpoints and do not support unencrypted HTTP connections. HSTS (HTTP Strict Transport Security) is enabled to prevent protocol downgrade attacks.

3.2 Encryption at Rest

All Subscriber data stored in our database and file storage systems is encrypted at rest using industry-standard encryption (AES-256 or equivalent). Encryption keys are managed using our hosting provider’s key management services, with controls to prevent unauthorised key access.

3.3 Password Storage

User passwords are never stored in plain text. We use strong, adaptive hashing algorithms (such as bcrypt or Argon2) with appropriate cost factors, ensuring that passwords remain protected even in the event of a database compromise.

4. Access Control

4.1 Role-Based Access

The MyQTAG platform implements role-based access control (RBAC) allowing Subscribers to define and manage permissions for their Users. Access to data is scoped to the permissions assigned by the Subscriber, ensuring Users can only access data relevant to their role.

4.2 Multi-Factor Authentication

Multi-factor authentication (MFA) is available for all MyQTAG accounts. We strongly encourage Subscribers to enable MFA for all Users, particularly those with administrative privileges.

4.3 Internal Access Controls

Access to production systems and Subscriber data by MyQTAG personnel is:

  • restricted to authorised staff with a documented business need;
  • governed by the principle of least privilege — staff receive the minimum access necessary to perform their role;
  • subject to multi-factor authentication;
  • logged and monitored for anomalous activity;
  • reviewed and revoked promptly when no longer required.

4.4 Privileged Access

Privileged access to infrastructure and databases is tightly controlled. Administrative access is not used for routine operations and is subject to enhanced logging and oversight.

5. Application Security

5.1 Secure Development Practices

MyQTAG follows secure software development principles throughout the product lifecycle, including:

  • security requirements considered during design;
  • code review processes incorporating security checks;
  • automated static analysis and dependency scanning as part of the CI/CD pipeline;
  • use of security-focused libraries and frameworks.

5.2 Vulnerability Management

We maintain a vulnerability management programme including:

  • regular automated scanning of application and infrastructure components;
  • prompt patching of operating systems, libraries, and dependencies upon identification of vulnerabilities, prioritised by severity;
  • periodic manual security assessments and penetration testing conducted by internal or external specialists.

5.3 Common Vulnerability Mitigations

Our application is developed and tested with mitigations for common vulnerability classes, including those listed in the OWASP Top 10, such as:

  • SQL injection and NoSQL injection — parameterised queries and ORM usage;
  • Cross-site scripting (XSS) — output encoding and Content Security Policy headers;
  • Cross-site request forgery (CSRF) — CSRF token validation;
  • Broken authentication — secure session management and MFA support;
  • Sensitive data exposure — encryption in transit and at rest as described in Section 3.

5.4 Dependency Management

Third-party libraries and dependencies are tracked and reviewed. We use automated tooling to identify known vulnerabilities in dependencies and apply updates promptly. Unused or unmaintained dependencies are removed as part of regular code maintenance.

6. Network Security

Network-level controls are applied to protect MyQTAG’s infrastructure, including:

  • firewalls and security groups restricting inbound and outbound traffic to permitted ports and services only;
  • network segmentation separating production environments from development and corporate networks;
  • DDoS protection provided by our cloud infrastructure provider;
  • intrusion detection monitoring for anomalous network activity;
  • no direct public access to database or internal services — all access is via application layer.

7. Monitoring & Incident Response

7.1 Security Monitoring

MyQTAG maintains continuous monitoring of its platform and infrastructure, including:

  • centralised logging of security-relevant events (authentication, access, configuration changes);
  • automated alerting for anomalous access patterns and potential security events;
  • log retention for a period sufficient to support incident investigation;
  • review and analysis of security alerts by responsible personnel.

7.2 Incident Response

MyQTAG maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Key commitments include:

  • a dedicated point of contact for security incidents;
  • defined escalation paths and severity classifications;
  • notification to affected Subscribers within 72 hours of confirming a personal data breach, in accordance with UK GDPR and our Data Processing Agreement;
  • post-incident reviews to identify root causes and prevent recurrence.

7.3 Reporting Security Issues

We welcome responsible disclosure of security vulnerabilities. If you believe you have identified a security issue in the MyQTAG platform, please report it to security@myqtag.co.uk. We commit to acknowledging reports promptly, investigating in good faith, and keeping reporters informed of progress.

8. Personnel Security

MyQTAG takes personnel security seriously as part of its overall security posture:

  • all staff with access to production systems or Subscriber data are subject to confidentiality obligations as a condition of their engagement;
  • background screening is conducted for personnel in roles with access to sensitive systems, where permissible under applicable law;
  • security awareness training is provided to all staff and reinforced regularly;
  • access is revoked promptly upon the departure of any member of staff or contractor;
  • staff are required to comply with MyQTAG’s internal security policies and acceptable use guidelines.

9. Physical Security

MyQTAG does not operate its own data centres. Physical security of the infrastructure on which the platform runs is the responsibility of our cloud hosting providers, who maintain:

  • physical access controls including biometric authentication and security personnel;
  • CCTV surveillance and environmental monitoring;
  • recognised security certifications including ISO 27001.

MyQTAG offices and staff workstations are protected by:

  • device encryption on all company-managed devices;
  • enforced screen locks and remote wipe capability;
  • restrictions on the use of removable media and unapproved services for handling Subscriber data.

10. Supplier & Third-Party Risk Management

MyQTAG maintains oversight of third-party suppliers who process Subscriber data or provide critical services:

  • all sub-processors are assessed for security posture before engagement;
  • data processing agreements are in place with all sub-processors;
  • sub-processor security practices are reviewed periodically;
  • Subscribers are notified of material changes to the sub-processor list in accordance with the Data Processing Agreement.

11. Business Continuity & Disaster Recovery

MyQTAG maintains business continuity and disaster recovery (BC/DR) plans to ensure resilience in the event of a significant disruption:

  • documented recovery objectives (RTO and RPO) appropriate to the nature of the service;
  • regular backup testing and recovery drills;
  • failover procedures for critical infrastructure components;
  • BC/DR plans reviewed and updated at least annually.

12. Compliance & Certifications

MyQTAG’s security programme is aligned with recognised standards and frameworks. Current compliance posture:

  • UK GDPR & Data Protection Act 2018 — we operate as a data processor in accordance with our published Data Processing Agreement;
  • Cyber Essentials — [INSERT CERTIFICATION STATUS];
  • ISO 27001 — [INSERT CERTIFICATION STATUS OR TARGET DATE];
  • Penetration testing — [INSERT FREQUENCY AND LAST ASSESSMENT DATE].

Certification statuses marked [INSERT] should be updated to reflect current accreditation before publishing.

13. Shared Responsibility

Security of the MyQTAG platform is a shared responsibility between MyQTAG and its Subscribers. MyQTAG is responsible for the security of the platform and underlying infrastructure. Subscribers are responsible for:

  • managing user accounts and access permissions within their organisation;
  • enabling and enforcing multi-factor authentication for their Users;
  • maintaining the confidentiality of login credentials;
  • promptly revoking access for Users who leave or no longer require it;
  • ensuring their use of the platform complies with applicable laws and regulations;
  • reporting suspected security incidents or account compromises to MyQTAG promptly.

14. Contact & Further Information

For security questions, responsible disclosure, or requests for further information about our security practices, please contact:

MyQTAG Security Team

Email: security@myqtag.co.uk

General: support@myqtag.co.uk

Website: myqtag.co.uk/security

This Security Overview was last updated on 1 July 2025. MyQTAG reviews and updates its security practices regularly. The most current version of this document is available at myqtag.co.uk/security.