Bud operation and maintenance
Bud is built entirely using the Microsoft Azure Platform as a Service (PaaS). It is operated securely in the Microsoft Azure Cloud and fully managed by Bud Systems.
As a Software as a Service (SaaS) solution, maintenance and updates are included in your subscription to Bud.
Data Center Locations & Physical Security
Bud doesn't have any in-house data centres, physical networks or servers connected to the Bud platform. Microsoft manages the physical and environmental security of our Azure-based data centres; the Azure physical security is described here.
The Bud offices have two layers of perimeter security to ensure only authorised staff and visitors have access.
Bud uses Azure data centres which are physically located in the UK.
Backups and retention
Backups take place at least once every 24 hours, often more frequently. Backups are stored in the Azure data centre locations outlined above. Backups are tested at least annually.
All data is encrypted in transit with TLS 1.2 or above. We use a certificate from a mainstream supplier, which is renewed annually.
All data is encrypted at rest and the encryption keys are managed by Microsoft on Bud's behalf as part of their PaaS solutions.
An A+ rating is maintained on Qualys SSL scans.
Bud uses an advanced Web Application Firewall (WAF) which prevents malicious attacks. The rules and logs are regularly reviewed and updated as required.
We also have in place denial of service protection and rate limiting.
Azure services are additionally protected with Microsoft Defender for Cloud.
Bud undertakes CREST certified penetration testing, which takes place annually.
Bud uses a Web Application Firewall which protects the Bud platform. This includes specific rules which focus on the OWASP Top 10. The firewall rules are regularly updated and monitored.
Separation between Training Providers
Each tenant on the Bud application has a unique ID. Data is filtered at the data layer based on this ID to ensure only the data relevant to the training provider and specific user is surfaced. Bud provides various pre-defined roles for users so each user can be given the specific access required for their role.
The supply chain is managed in a way which meets the requirements of ISO27001. Suppliers are vetted and have a risk assessment completed. Suppliers are reviewed at least annually.
All user data remains within the EU.
All Bud originating emails have DMARC and SPF configured and are encrypted in transit wherever possible.
Employees and admin access
Elevated permissions are restricted to only those Bud employees who need them. Bud staff can only administer the platform from approved devices which meet a minimum security standard, and all access requires multiple authentication methods.
All employees are vetted before they join the Bud team. Security checks are undertaken by an independent body.
Authentication (password and MFA)
Multi-factor authentication (two-factor authentication) is available in the Bud system and can be managed by the training provider. More information is available here.
Minimum password requirements are listed below. These requirements are enforced for all users.
- One lowercase character
- One uppercase character
- One number
- Eight characters minimum
Auto lockout is enabled for user accounts to protect against brute force attacks, and rate limiting is configured on the login page.
Password resets can be completed securely by users. More information is available here.
Bud is built entirely using the Microsoft Azure Platform as a service (PaaS). Azure has a highly resilient infrastructure. Some services are configured to be highly available with automatic fail-over between Azure data centres, regions or zones.
In the event of a major incident at an Azure data centre, Bud has geographically separate backups and has processes to create a new environment and restore backups in a different Azure region.
Disaster Recovery plans are tested at least annually.
Development practices and testing
Bud uses Agile/Scrum methodology for development activities. All development is performed in a test environment (isolated from the live environment) with test data.
Any code changes go through peer review, release gateways and rigorous testing before release. Code is automatically reviewed for best practice, insecure practices and known vulnerabilities during the development cycle using a third-party tool.
Packages used are checked weekly against the OWASP Top 10 for known vulnerabilities.
Information Security Manager
To contact Bud's Information Security Manager, please email firstname.lastname@example.org
Bud has been certified against ISO27001 requirements and undertakes annual surveillance and internal audits to ensure we continue to be compliant.
Cyber Essentials Plus
Bud undertakes Cyber Essentials Plus on an annual basis to ensure our IT security and policy meet the requirements.
Both certificates are available to download at the bottom of this page.