Information Security Policy
Last updated: February 2026
1. Purpose and Scope
This Information Security Policy (the "Policy") sets out Brity Group Limited's (trading as "Brity") commitment to protecting its information assets from all threats, whether internal or external, deliberate or accidental. It applies to all information, in all forms, held or processed by Brity, including digital data, physical documents, and intellectual property.
The Policy applies to all Brity staff, including permanent employees, temporary staff, contractors, volunteers, and any third parties who have access to Brity's information systems or data. Adherence to this Policy is mandatory for all individuals falling within its scope.
This Policy is designed to comply with relevant UK legislation, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and the Computer Misuse Act 1990. It also aligns with best practice guidance from the Information Commissioner's Office (ICO) and industry standards.
2. Information Security Objectives
Brity is committed to achieving and maintaining a high level of information security to protect its operations, reputation, and the data entrusted to it. Our core information security objectives are:
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.
- Business Continuity: Maintaining the continuous operation of critical business processes and systems, even in the face of disruptive events.
- Regulatory Compliance: Meeting all legal, regulatory, and contractual obligations related to information security and data protection, including those set by the ICO, HSE, CITB, and Ofqual awarding bodies.
- Risk Management: Proactively identifying, assessing, and mitigating information security risks to an acceptable level.
3. Access Control
Access to Brity's information systems and data is strictly controlled based on the principles of 'least privilege' and 'need-to-know'.
- Least Privilege: Users are granted only the minimum level of access necessary to perform their job functions.
- Need-to-Know: Users are granted access only to the specific information required for their current tasks.
3.1 Role-Based Access
Access permissions are assigned based on an individual's role and responsibilities within Brity. Access groups are regularly reviewed and updated.
3.2 Joiners, Movers, and Leavers (JML) Process
A formal process is in place to manage access rights throughout an individual's tenure with Brity:
Joiners (New Staff/Contractors)
Access requests must be submitted by the line manager to IT/HR prior to the start date. Access will only be granted upon completion of all necessary HR onboarding, including background checks where applicable (e.g., DBS checks for roles involving vulnerable individuals).
Movers (Role Changes)
When an individual changes roles within Brity, their access rights must be reviewed and adjusted by their new line manager. Previous access no longer relevant to the new role must be revoked, and new access granted as required. This must be actioned within 3 working days of the role change.
Leavers (Departing Staff/Contractors)
Upon an individual's departure, all access to Brity's systems, data, and premises must be revoked immediately on their last day of employment/contract. This includes disabling user accounts, revoking VPN access, and collecting all company-issued equipment. HR is responsible for notifying IT of all leavers promptly.
Regular Access Reviews
All user access rights are subject to a formal review at least annually by system owners and line managers to ensure they remain appropriate and necessary.
4. Multi-Factor Authentication Requirements
Multi-Factor Authentication (MFA) provides an additional layer of security beyond a password, significantly reducing the risk of unauthorised access. Brity mandates the use of MFA for access to critical systems and data.
MFA is mandatory for:
- All administrative access to Brity's core IT infrastructure and cloud platforms (e.g., Supabase, Lovable Cloud).
- All user accounts accessing Brity's email system.
- All user accounts accessing Brity's CRM system (including AI-powered CRM).
- All user accounts accessing cloud-hosted document storage for certificates, invoices, and HR documents.
- Remote access to Brity's network via VPN.
- Any other system deemed critical by the IT Department.
Exceptions to this requirement must be formally approved by the Head of IT and documented, with appropriate compensating controls implemented.
5. Password Standards
All Brity staff are required to adhere to the following password standards to protect their accounts and Brity's information assets:
- Minimum Length: Passwords must be at least 12 characters long.
- Complexity: Passwords must include a combination of:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Numbers (0-9)
  - Special characters (!@#$%^&*()_+-=[]{}|;':",./<>?)
- Uniqueness: Passwords must not be reused from the last 10 passwords used for the same account.
- No Personal Information: Passwords must not contain easily guessable personal information (e.g., names, birthdays, company name).
- Confidentiality: Passwords must never be shared with anyone, written down in an unsecured location, or stored unencrypted.
- Privileged Accounts: Passwords for privileged accounts (e.g., system administrators, database administrators) must be rotated every 90 days.
Staff are strongly encouraged to use a reputable password manager to generate and store complex, unique passwords.
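The following is an added worked example of how the Section 5 rules could be enforced at password-change time; it is not part of Brity's policy or any Brity tooling. The account fields (username, full name, birthday, company, privileged flag), the PBKDF2-SHA256 hashing of the password history and the iteration count are assumptions made for the example, since the policy specifies the rules but not how they are checked.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds taken from the policy text (Section 5).
MIN_LENGTH = 12
HISTORY_DEPTH = 10
PRIVILEGED_ROTATION_DAYS = 90
SPECIALS = set("!@#$%^&*()_+-=[]{}|;':\",./<>?")
# Assumption: the policy names no hash; PBKDF2-SHA256 is used here for the history check.
PBKDF2_ITERATIONS = 100_000


@dataclass
class AccountContext:
    """Per-account data the check needs (field names are assumptions for this example)."""
    username: str
    full_name: str
    birthday: str                      # ISO date string, e.g. "1990-04-12"
    company: str = "Brity"
    privileged: bool = False
    last_changed: date | None = None
    # Salted digests of previous passwords, newest last; plaintext is never retained.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(ctx: AccountContext, password: str, changed_on: str) -> None:
    """Store a new salted digest and trim the history to the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    ctx.history.append((salt, _digest(password, salt)))
    del ctx.history[:-HISTORY_DEPTH]
    ctx.last_changed = date.fromisoformat(changed_on)


def personal_tokens(ctx: AccountContext) -> set[str]:
    """Strings a password must not contain: name parts, username, company, birthday digits."""
    tokens = {ctx.username, ctx.company, *ctx.full_name.split()}
    digits = re.sub(r"\D", "", ctx.birthday)                      # "1990-04-12" -> "19900412"
    tokens.update({digits, digits[:4], digits[4:], digits[2:]})  # full, YYYY, MMDD, YYMMDD
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password: str, ctx: AccountContext) -> list[str]:
    """Return the policy rules the candidate password violates (empty list = compliant)."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    lowered = password.lower()
    hit = next((t for t in sorted(personal_tokens(ctx)) if t in lowered), None)
    if hit is not None:
        failures.append(f"contains personal information ({hit!r})")
    # Reuse check: recompute the digest under each stored salt and compare in constant time.
    if any(hmac.compare_digest(_digest(password, salt), d) for salt, d in ctx.history):
        failures.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return failures


def rotation_overdue(ctx: AccountContext, today_iso: str) -> bool:
    """Privileged accounts must rotate every 90 days; the policy sets no expiry for others."""
    if not ctx.privileged or ctx.last_changed is None:
        return False
    return date.fromisoformat(today_iso) - ctx.last_changed > timedelta(days=PRIVILEGED_ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed sample account; not real data.
    acct = AccountContext("jsmith", "Jane Smith", "1990-04-12", privileged=True)
    record_password(acct, "Correct-Horse-42!", changed_on="2026-01-01")
    for candidate in ("Correct-Horse-42!", "Brity-Rocks-2026!", "Short1!", "Tr0ub4dor&3-Green"):
        print(f"{candidate!r}: {check_password(candidate, acct) or 'OK'}")
    print("rotation overdue on 2026-05-01:", rotation_overdue(acct, "2026-05-01"))
```

The history is kept as salted digests rather than plaintext so that the reuse rule can be enforced without the stored history itself becoming a credential leak if the database is exposed; the comparison uses `hmac.compare_digest` to avoid timing differences.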
6. Remote Working and Device Security
Brity supports flexible working arrangements, including remote working, provided that information security is maintained. All staff working remotely or using mobile devices must adhere to the following security controls:
Only Brity-issued or explicitly approved personal devices (Bring Your Own Device - BYOD) may be used to access Brity's systems and data. All devices must be configured according to Brity's security standards.
A Virtual Private Network (VPN) must be used for all remote access to Brity's internal network and systems. The VPN client must be kept up-to-date.
All devices used for Brity business must be configured with an automatic screen lock that activates after a maximum of 5 minutes of inactivity. Devices must be locked when unattended.
Staff should avoid accessing sensitive Brity data or systems over unsecured public Wi-Fi networks. If unavoidable, a VPN must be used. Exercise extreme caution when connecting to unknown networks.
Remote working environments must be secure. Devices should be kept in a safe place, out of sight, and protected from unauthorised access by family members or others.
All operating systems, applications, and anti-virus software on Brity-issued devices must be kept up-to-date with the latest security patches.
7. Encryption Standards
Encryption is a fundamental control for protecting Brity's sensitive information, both at rest and in transit.
- Data at Rest: All sensitive data stored on Brity's cloud infrastructure (e.g., Supabase PostgreSQL databases, Lovable Cloud storage) and on Brity-issued devices (e.g., laptops, mobile phones) must be encrypted using AES-256 or an equivalent strong encryption standard.
- Data in Transit: All data transmitted over networks, including internet connections, must be encrypted using Transport Layer Security (TLS) version 1.2 or higher. This applies to website traffic, email, VPN connections, and API communications.
- Key Management: Encryption keys must be securely generated, stored, and managed. Access to encryption keys is strictly controlled and audited. Responsibilities for key management lie with the IT Department.
- Cloud Storage: Cloud-hosted document storage for certificates, invoices, and HR documents must utilise encryption at rest and in transit as standard.
Any deviation from these standards requires explicit approval from the Head of IT and must be documented with a clear justification and compensating controls.
8. Cloud Provider Security Expectations
Brity relies on various cloud service providers (CSPs) for its operations, including Supabase (PostgreSQL), Lovable Cloud, and edge functions. We expect all CSPs to meet stringent security and data protection standards.
- Data Residency: All Brity data, especially personal data, must be stored and processed within the UK or European Economic Area (EEA) unless specific contractual agreements and appropriate safeguards (e.g., Standard Contractual Clauses) are in place and approved by the Data Protection Officer.
- Certifications: CSPs must hold recognised industry security certifications, such as ISO 27001 and/or SOC 2 Type II, demonstrating their commitment to information security best practices.
- Data Processing Agreements (DPAs): A legally binding Data Processing Agreement (DPA) or equivalent contract must be in place with every CSP, clearly outlining their responsibilities for data protection and compliance with UK GDPR and the Data Protection Act 2018.
- Sub-Processor Notification: CSPs must provide Brity with advance notification of any sub-processors they intend to use for processing Brity's data, allowing Brity to exercise its right to object where appropriate.
- Security Audits and Reporting: CSPs must be able to provide evidence of regular security audits, penetration tests, and incident response capabilities. They must also commit to promptly notifying Brity of any security incidents affecting Brity's data.
9. Vendor and Third-Party Security Controls
Brity engages with various vendors and third parties (e.g., awarding bodies, payment processors, HR software providers, AI model providers like Gemini/GPT for customer support bots and call summarisation) who may have access to Brity's information or systems. It is critical to ensure these third parties maintain adequate security controls.
9.1 Due Diligence Checklist
Before engaging any new vendor or third party that will process Brity's data or access its systems, a thorough security due diligence process must be completed. This includes:
- Completion of Brity's standard security questionnaire, covering areas such as data protection, incident response, access controls, and physical security.
- Verification of relevant security certifications (e.g., ISO 27001, SOC 2) and independent audit reports.
- Conducting a DPIA where the processing is likely to result in a high risk to the rights and freedoms of individuals, particularly for AI usage involving personal data.
9.2 Contractual Requirements
All contracts with vendors and third parties must include specific clauses addressing information security and data protection, including:
- Mandatory DPAs for all processors, outlining responsibilities under UK GDPR and the Data Protection Act 2018.
- Specific security measures to be implemented by the vendor, aligned with Brity's standards.
- Obligation to notify Brity of any security incidents or data breaches without undue delay.
- Brity's right to audit the vendor's security controls or request audit reports.
9.3 Annual Review
All critical vendor and third-party security controls and contractual agreements are subject to an annual review to ensure ongoing compliance and effectiveness.
10. Incident Escalation Procedure
A prompt and effective response to information security incidents is crucial to minimise damage and ensure business continuity. All staff must be aware of and follow this procedure.
Detect & Report (Immediate)
Any staff member who detects or suspects an information security incident (e.g., lost device, suspicious email, unauthorised access, data breach) must report it immediately to their line manager and the IT Department via security@brity.co.uk or the designated internal reporting tool. This must be done within 1 hour of detection.
Triage & Assess (Within 2 hours)
The IT Department, in conjunction with the Data Protection Officer (DPO) if personal data is involved, will triage the incident to assess its severity, scope, and potential impact. Initial actions may include isolating affected systems or accounts.
Containment & Eradication (As required)
The IT Department will implement measures to contain the incident, prevent further damage, and eradicate the root cause. This may involve system shutdowns, password resets, or data recovery efforts.
Recovery & Reporting (Ongoing)
Once contained, efforts will focus on restoring affected systems and data. The DPO will determine if the incident constitutes a reportable data breach under UK GDPR and, if so, will report it to the ICO within 72 hours of becoming aware of it. Affected individuals will be notified where required by law. A post-incident review will be conducted to identify lessons learned.
Escalation Matrix
| Severity Level | Description | Primary Contact | Secondary Contact | Notification Timeframe |
|---|---|---|---|---|
| Critical (Level 1) | Major data breach, system outage, significant financial/reputational impact. | Head of IT, DPO, CEO | Senior Leadership Team | Immediate (within 1 hour) |
| High (Level 2) | Minor data breach, significant service degradation, potential legal/regulatory impact. | Head of IT, DPO | Relevant Department Heads | Within 2 hours |
| Medium (Level 3) | Localised system issue, policy violation, potential data exposure. | IT Department | Line Manager | Within 4 hours |
| Low (Level 4) | Minor security concern, suspicious activity, non-critical policy breach. | IT Department | N/A | Within 1 business day |
11. Backup and Disaster Recovery
Brity maintains robust backup and disaster recovery procedures to ensure the availability and integrity of its critical data and systems in the event of a disruptive incident.
- Recovery Point Objective (RPO): The maximum acceptable amount of data loss measured in time. Brity's RPO for critical data (e.g., customer booking data, financial records, HR documents) is 4 hours.
- Recovery Time Objective (RTO): The maximum acceptable downtime for critical systems. Brity's RTO for critical systems (e.g., CRM, booking system, email) is 8 hours.
- Backup Frequency:
  - Critical data (databases, cloud storage): Hourly incremental backups, daily full backups.
  - User data (documents, emails): Daily backups.
  - System configurations: Weekly backups.
- Backup Storage: Backups are stored securely in geographically separate locations within the UK/EEA, encrypted at rest, and protected by access controls.
- Testing Schedule: Backup restoration procedures are tested at least quarterly. Full disaster recovery plan exercises are conducted annually to validate RPO/RTO targets and identify areas for improvement.
- Restoration Procedures: Detailed documentation for data and system restoration is maintained and regularly reviewed by the IT Department.
12. Staff Responsibilities and Training
Information security is a collective responsibility. All Brity staff play a vital role in protecting the organisation's information assets.
12.1 General Responsibilities
- Adhere to all policies and procedures related to information security.
- Protect all Brity information and assets from unauthorised access, disclosure, modification, or destruction.
- Report any suspected or actual information security incidents immediately (refer to Section 10).
- Maintain the confidentiality of all sensitive information accessed during the course of their duties.
- Use Brity's IT systems and resources responsibly and ethically.
12.2 Training
- Annual Security Awareness Training: All staff are required to complete mandatory information security awareness training annually. This training covers topics such as phishing, password security, data handling, and incident reporting.
- Phishing Simulations: Regular phishing simulation exercises are conducted to test staff awareness and resilience against social engineering attacks.
- Role-Specific Training: Staff with specific information security responsibilities (e.g., IT Department, DPO) receive additional specialised training.
- Onboarding Training: New staff receive information security awareness training as part of their induction process.
12.3 Reporting Obligations
Staff have a duty to report any observed or suspected security vulnerabilities, policy breaches, or incidents to the IT Department and their line manager without delay. Failure to report may be considered a disciplinary matter.
13. Non-Compliance and Disciplinary Action
Adherence to this Information Security Policy is mandatory for all Brity staff. Any breach of this Policy will be taken seriously and may result in disciplinary action.
Failure to comply with the requirements of this Policy, whether intentional or due to negligence, may lead to disciplinary action, up to and including termination of employment or contract, in accordance with Brity's Disciplinary & Grievance Policy.
Serious breaches, particularly those involving unlawful acts (e.g., unauthorised access, data theft, or misuse of information), may also result in legal prosecution and civil action.
Brity will also consider the impact of non-compliance on its regulatory obligations, including potential fines from the ICO under UK GDPR and the Data Protection Act 2018.
All disciplinary actions will be handled fairly and consistently, following the principles outlined in ACAS guidance and Brity's internal procedures.
14. Review Cycle
This Information Security Policy is a living document and will be reviewed regularly to ensure its continued effectiveness, relevance, and compliance with legal and regulatory requirements.
- Annual Review: This Policy will be formally reviewed and updated at least once every 12 months by the Head of IT and the Data Protection Officer. The next scheduled review is February 2027.
- Trigger Events for Earlier Review: An earlier review of this Policy may be triggered by, but not limited to, the following events:
  - Significant changes in Brity's business operations or IT infrastructure.
  - Changes in relevant UK legislation or regulatory guidance (e.g., UK GDPR, Data Protection Act 2018, ICO guidance).
  - Following a significant information security incident or data breach.
  - Changes in industry best practices or emerging threats.
  - Feedback from internal or external audits.
Any amendments to this Policy will be communicated to all staff, and updated versions will be made available on Brity's internal policy portal.
Policy Owner: Chief Executive Officer
Next Review Due: February 2027
Version: 1
Date of Publication: 26 February 2026