Security and Compliance policies and information

Bud operation and maintenance

Bud is built entirely using the Microsoft Azure Platform as a service (PaaS). All operated securely in the Microsoft Azure Cloud, fully managed by Bud Systems.

As a Software as a Service (SaaS) solution, maintenance and updates are included in your subscription to Bud.

Bud Privacy Policy

You can find our privacy policy here, it covers how we use personal data, as well as how we store and secure it.

Data Center Locations & Physical Security

Bud doesn't have any in-house data centers, physical networks, and/or servers connected to the Bud platform. Microsoft manages the physical and environmental security of our Azure-based data centers, the Azure physical security is described here.

The Bud offices have two layers of perimeter security to ensure only authorised staff and visitors have access.

Bud use Azure data centres which are physically located in UK.

Backups and retention

Backups take place at least once every 24 hours, often more frequently. Backups are stored in the Azure data centre locations outlined above. Backups are tested at least annually.

Data is kept for 7 years in most cases, see our privacy policy for more details on retention.

Encryption

All data is encrypted in transit with TLS 1.2 or above, we use a certificate from a mainstream supplier, this is renewed annually.

All data is encrypted at rest and the encryption keys are managed by Microsoft on Bud's behalf as part of their PaaS solutions.

A+ rating maintained on Qualys SSL scans.

Application Security

Bud uses an advanced Web Application Firewall (WAF) which prevents malicious attacks. The rules and logs are regularly reviewed and updated as required.

We also have in place denial of service protection and rate limiting.

Azure services are additionally protected with Microsoft Defender for Cloud.

Bud undertakes CREST certified penetration testing which takes place annually.

OWASP 10

Bud uses a Web Application Firewall which protects the Bud platform, this includes specific rules which focus on the OWASP top 10, the firewall rules are regularly updated and monitored.

Separation between Training Providers

Each tenant on the Bud application has a unique ID, data is filtered at the data layer based on this ID to ensure only the data relevant to the training provider and specific user are surfaced. Bud provides various pre-defined roles for users so each user can be given the specific required access for their role. 

Supply Chain

Supply chain is managed in a way which meets the requirements of ISO27001, suppliers are vetted and have a risk assessment completed. Suppliers are reviewed at least annually.

All user data remains within the EU.

Emails

All Bud originating emails have DMARC and SPF configured and are encrypted in transit wherever possible.

Employees and admin access

Elevated permissions are restricted to only Bud employees who need it. Bud staff can only administer the platform from approved devices which meet a minimum-security standard, and all access requires multiple authentication methods.

All employees are vetted before they join the Bud team, security checks are undertaken by an independent body.

Authentication (password and MFA)

Multi-factor authentication (two-factor authentication) is available in the Bud system and can be managed by the training provider, more information is available here.

Minimum password requirements are below, these requirements are enforced for all users.

  • One lowercase character
  • One uppercase character
  • One number
  • Eight characters minimum

Auto lockout is enabled for user accounts to protect against brute force attacks and rate limiting is configured on the login page.

Password resets can be completed securely by users, more information is available here.

Disaster Recovery

Bud is built entirely using the Microsoft Azure Platform as a service (PaaS). Azure has a highly resilient infrastructure. Some services are configured to be highly available with automatic fail-over between Azure data centres, regions or zones.

In the event of a major incident at an Azure data centre, Bud has geographically separate backups and has processes to create a new environment and restore backups in a different Azure region.

Disaster Recovery plans are tested at least annually.

Development practices and testing

Bud uses Agile/Scrum methodology for development activities. All development is performed in a test environment (isolated from the live environment) with test data.

Any code changes go through peer review, release gateways and rigorous testing before release. Code is automatically reviewed for best practice and insecure practices and known vulnerabilities during the development cycle using a third-party tool.

Packages used are checked weekly against OWASP top 10 for known vulnerabilities.

Information Security Manager

To contact Bud's Information Security Manager please email infosec@bud.co.uk

Compliance

ISO27001

Bud have been certified against ISO27001 requirements and undertake annual surveillance and internal audits to ensure we continue to be compliant.

Cyber Essentials Plus

Bud undertakes Cyber Essentials Plus on an annual basis to ensure our IT security and policy meets the requirements.

Both certificates are available to download at the bottom of this page.

STAR Assessment

STAR Registry Listing for Bud | CSA

Certificate downloads

Related to

Was this article helpful?

2 out of 2 found this helpful

Have more questions? Submit a request