This article provides answers to frequently asked questions in relation to the FastDraft Security Features.
Does FastDraft’s Service Level Agreement (SLA) include agreed uptimes for the service e.g. 99.95% availability?
In our standard terms and conditions we guarantee service uptime of 99.95%.
We monitor uptime using the third-party uptime monitoring service Pingdom.
Does FastDraft’s Service Level Agreement (SLA) include an RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for services and any data processed?
Our standard configuration provides an RTO of 8 hours and RPO of 8 hours.
As part of the implementation, we will review the back-up strategy, RTO/RPO targets and data retention policies with you, configuring these to your needs.
We offer an enhanced data recovery service with improved RTO/RPO with Microsoft’s Business Critical databases or pools if required.
Does FastDraft’s Service Level Agreement (SLA) include agreed customer notification timelines in the event of a service availability incident?
We will endeavour to give you reasonable notice of any service availability incident affecting the platform.
Does the SLA include regular maintenance windows to facilitate patching and vulnerability management activities?
Built Intelligence:
- Will provide the maintenance services for the duration of the services provided, including scheduled and/or emergency maintenance as required to ensure the availability, integrity and security of the Platform, which shall typically be conducted outside of the hours of 0600hrs to 2100hrs GMT, Monday to Friday, and 0800hrs to 1700hrs GMT, Saturday, Sunday and public holidays.
- Where practicable, use reasonable endeavours to give you at least 8 Business Hours' prior notice of any maintenance that is likely to affect the availability of the Platform or is likely to have a material negative impact upon the performance or use of the Platform.
- Endeavour to give you at least 3 Business Days' prior notice of the application of an upgrade or non-security update to the Platform.
- Endeavour to give you reasonable notice of the application of any security update to the Platform.
- Provide the maintenance services in accordance with the standards of skill and care reasonably expected from a leading service provider in our industry.
Is the service you provide to the customer independently certified to any best practice security standards such as ISO 27001, SOC 2 Type 2, etc.?
Yes. Our organisation is independently certified to ISO 27001, ISO 9001, ISO 14001 and Cyber Essentials Plus. These certifications demonstrate our commitment to best practice in information security, quality management, and cyber hygiene.
Our hosting provider, Microsoft Azure, is certified to a wide range of international security standards including ISO 27001, SOC 1, SOC 2 Type 2, ISO 27018, PCI DSS, and GDPR compliance. We leverage Azure’s compliance framework and security controls as part of our overall platform governance.
Are all services provided to the customer within the scope of the independent certification to the ISO 27001, ISO 9001, ISO 14001 and Cyber Essentials Plus standards?
Yes, all products and services are covered by the scope of:
- ISO 27001 Information Security Management System
- ISO 9001 Quality Management System
- ISO 14001 Environmental Management System
Do you operate in regions outside of the EU?
Yes. While the majority of our services are hosted in Microsoft Azure data centres located within the EU and UK (specifically UK South, UK North and West Europe), we also operate in other regions to support global clients — including Australia East and South Africa North.
However, we logically separate customer data by region and ensure that EU and UK customer data remains within EU/UK data centres unless otherwise agreed. This supports compliance with GDPR and other data residency requirements.
Do you have a programme in place to monitor and ensure compliance with all relevant regulations and legislation?
Yes. We maintain an active compliance programme aligned with our ISO 27001 and ISO 9001 certifications, which includes regular internal audits, risk assessments, and policy reviews to ensure ongoing compliance with relevant regulations and legislation — including GDPR, UK Data Protection Act, and applicable contractual obligations.
We monitor regulatory developments through a combination of internal governance processes and support from third-party cybersecurity and compliance consultants, who assist with interpreting changes and updating policies accordingly.
Staff are provided with annual training on data protection, information security, and regulatory awareness as part of our ongoing compliance efforts. We also conduct regular reviews of our data processing practices, access controls, and vendor contracts (including DPAs and SCCs) to ensure continued compliance across our services.
Where independent certification is not performed, does your organisation implement its own information security compliance programme?
We are independently certified for security compliance via ISO 27001 and Cyber Essentials Plus.
Where an information security compliance programme is not in place, please describe how compliance with security requirements, contracts, SLAs, etc. is monitored and maintained.
We are certified for security compliance via ISO 27001 and Cyber Essentials Plus.
Do you contract third parties in your delivery of services to Customers?
Yes, we have a limited number of subcontractors and can provide a list of all subcontracted services upon request.
Do any third parties perform sub-processing of personal data provided by, or collected on behalf of the customer?
Yes, we have a small number of carefully selected third-party sub-processors to support the delivery of our services. These include:
- Microsoft Azure – for secure hosting and infrastructure services.
- Zendesk – for customer support ticketing and communications.
- Mailgun – for transactional email delivery.
We can provide a list of all third-party sub-processors for the services upon request.
Where personal data may be processed by these providers, it is governed by Data Processing Agreements (DPAs) that include Standard Contractual Clauses (SCCs) and other safeguards to ensure compliance with GDPR and the UK Data Protection Act.
We maintain a documented list of sub-processors, perform due diligence prior to onboarding, and regularly review their security and privacy practices. Sub-processors are only granted access to personal data necessary for their function, and access is limited and controlled under strict contractual and technical safeguards.
Do any third parties process sensitive business data provided by, or collected on behalf of the Customer?
No
Do any third parties perform operations outside of the EU?
No
Do you have a programme in place to ensure third party suppliers are adhering to required information security standards?
All organisational assets that are accessible by third-party suppliers are within the scope of our ISO 27001 Supplier Relationships policy (ISMS DOC ORG06).
This includes third party suppliers involved in the storage, transmission and processing of information, even where the information is encrypted or otherwise generally inaccessible to the supplier.
Do you regularly review the contracts and performance of third parties used in the delivery of services to the Customer?
On a regular basis, the Information Security Manager reviews all outstanding actions in respect of deficiencies in third-party services to ensure that appropriate corrective or preventative action is being taken, having regard to the fact that ultimate responsibility for the information processed by the third party remains with the organisation.
Do you regularly conduct BCP and/or disaster recovery testing in conjunction with third parties used in delivery of the services to the Customer?
As part of our ISO 27001 Information Security Management System, the policy document Operation DOC C8 specifies that the BCP plan is updated annually and that the BCP test is carried out annually.
Do you have a right to audit in place with third parties used in delivery of services to the Customer?
We rely on industry-leading third-party providers, including Microsoft Azure (for hosting and infrastructure), Zendesk (for customer support), and Mailgun (for email delivery), all of which are certified to high international standards such as ISO 27001, SOC 2, and GDPR compliance. While we do not hold direct “right to audit” clauses with these providers, we ensure due diligence through their published audit reports, compliance documentation, and security certifications.
Microsoft Azure provides transparency through its Service Trust Portal, which includes independent audit reports and compliance packages available for review. Similarly, Zendesk and Mailgun publish third-party audit reports and certifications that demonstrate their adherence to industry security and privacy frameworks.
If the Customer requires specific audit rights or evidence, we are happy to facilitate access to these compliance reports or work with the third-party provider to obtain necessary assurances, provided they do not introduce risk to our broader platform or breach provider terms.
Do you have a formal software development life-cycle (SDLC) in place?
Yes. We follow a formal and structured Software Development Life Cycle (SDLC) aligned with Agile methodologies. Our SDLC encompasses requirements gathering, design, development, testing (including automated and manual QA), deployment, and post-release monitoring. Code changes are managed through version control (Git) with mandatory peer reviews and CI/CD pipelines to ensure quality and traceability.
Security is embedded throughout the SDLC. We follow secure coding practices, regularly review dependencies for vulnerabilities, and use static code analysis and dependency scanning tools as part of our CI/CD process. All releases are documented, tested, and go through change control processes before being deployed to production.
Our teams are cross-functional, and development activities are supported by clearly defined roles, documentation standards, and sprint planning, ensuring continuous delivery and alignment with customer and regulatory expectations.
Does the SDLC include up-to-date security practices, such as how to secure software against risks identified by the OWASP Top 10?
Yes. Security is an integral part of our SDLC. Our development team incorporates up-to-date security practices throughout the lifecycle, including measures aligned with the OWASP Top 10 risks (such as injection, broken authentication, security misconfiguration, and more). Developers are trained on secure coding principles, and we perform code reviews with a focus on security.
We use automated static code analysis and dependency vulnerability scanning in our CI/CD pipelines to detect and remediate issues early in the development cycle. Our applications are penetration tested annually and monitored for potential vulnerabilities, and findings are addressed through structured remediation plans.
These practices are aligned with our ISO 27001 certification and internal secure development policy, ensuring continuous improvement and adherence to industry standards.
Does the SDLC include a change management process which ensures that all changes are security assessed, and tested appropriately prior to production release?
Yes. Our SDLC includes a formal change management process to ensure all changes are assessed for security impact and tested appropriately before deployment to production. Each change goes through peer review, automated and manual testing, and must meet defined acceptance criteria. Changes are tracked via our ticketing system and reviewed during sprint planning and retrospectives.
Security assessments are performed as part of code reviews and CI/CD pipelines, which include static code analysis, dependency scanning, and environment-specific configuration checks. Higher-risk or sensitive changes may undergo additional scrutiny, including manual testing or targeted reviews by senior engineers.
All deployments follow our documented release procedures, and changes are logged with clear audit trails to maintain accountability and traceability in line with our ISO 27001-aligned processes.
Are developers and other relevant staff provided with regular training which includes up-to-date secure development practices?
Yes. All developers and relevant technical staff receive regular training on secure development practices, both during onboarding and as part of our ongoing professional development program. Training covers topics such as secure coding, secure authentication, data protection, and common vulnerabilities (including those outlined in the OWASP Top 10).
We provide annual refresher training on cybersecurity and secure development practices, which is delivered via our own Learning Management System (LMS). The training content is developed and updated with the support of third-party cybersecurity consultants to ensure it reflects the latest threats and best practices.
This training is a core part of our ISO 27001-aligned Information Security Management System (ISMS) and helps ensure a culture of security awareness across our engineering teams.
Do you have separate development, test and production environments?
Yes. We maintain fully separate development, test, and production environments. These environments are logically and securely isolated to prevent unauthorized access or cross-contamination of data and services.
Only anonymized or synthetic data is used in development and test environments to protect customer confidentiality. Access controls and permissions are role-based and restricted according to the principle of least privilege, ensuring that only authorized personnel can access each environment.
Deployment pipelines are environment-specific, and changes are thoroughly tested and reviewed in lower environments before being promoted to production. This separation is critical to maintaining the integrity and security of our services and is aligned with our ISO 27001 certification.
We also enforce segregation of duties across our development, test, and production environments to ensure that no individual has end-to-end control over code changes and deployments without appropriate oversight.
Access to production systems is tightly restricted and limited to authorised personnel. Developers do not have direct access to production infrastructure. All changes are made through controlled CI/CD pipelines, which require peer review, automated testing, and approval before promotion to production.
Test and QA teams operate independently of the development team to ensure objective validation of functionality and security. This segregation of duties is a key control within our ISO 27001-aligned Information Security Management System and helps safeguard the integrity and stability of our platform.
When performing peer review or code testing, are security checks included in this process?
Yes. Security checks are an integral part of our peer review and code testing processes. During peer reviews, developers are expected to assess code for potential security issues such as input validation, authentication and authorisation logic, error handling, and secure data handling practices.
In addition to manual review, our CI/CD pipelines automatically run static code analysis and dependency vulnerability scanning to detect known security issues early in the development process. These findings must be resolved or risk accepted before code can be merged and deployed.
This security-focused review process is reinforced by regular developer training on secure coding practices and OWASP Top 10 vulnerabilities, ensuring consistent attention to security at every stage of development.
Do you have a system for effectively tracking all code changes so that there is a full audit trail in place for code change?
Yes. All code changes are tracked using Git-based version control systems, providing a complete and auditable history of all modifications. Each change is associated with a specific user, timestamp, and commit message, and is linked to a ticket or user story in our issue tracking system.
Code changes go through pull requests, which include peer review, automated testing, and approval before they can be merged. This process ensures traceability from initial requirement through to deployment.
In addition, our CI/CD pipelines log build and deployment history, providing an end-to-end audit trail of what code was deployed, by whom, and when. These practices are aligned with our ISO 27001 controls for change and release management.
Is vulnerability scanning and/or penetration testing of the software performed regularly?
Yes. We conduct regular vulnerability scanning and annual penetration testing to ensure the security of our software and infrastructure. Automated vulnerability scans are integrated into our CI/CD pipelines and are run routinely on our codebase and third-party dependencies to detect known issues early in the development lifecycle.
Penetration testing is performed at least annually by a CREST-approved security testing provider, and additional tests are commissioned when major new features or significant architectural changes are introduced that may impact the platform’s security posture.
All findings are reviewed, risk-assessed, and remediated in line with our ISO 27001-aligned vulnerability management process to maintain the integrity and resilience of our services.
Do you have a formally approved and implemented security baseline for all servers and operating systems used in delivery of services to the customer, e.g. disabling or removal of all unnecessary applications and services, only deploying approved operating system versions, restricting the ability to share files or folders to only relevant drives, disabling of default accounts, etc.?
Yes. We have a formally approved and implemented security baseline for all servers and operating systems used in the delivery of services. Our infrastructure is hosted in Microsoft Azure, where we apply hardened configurations aligned with best practices and ISO 27001 controls.
We use Azure Security Center, Microsoft Defender for Cloud, and Azure Policy to enforce and monitor compliance with these baselines. Any deviations or changes to baseline configurations are immediately reported via our Azure monitoring and alerting tools to relevant staff, enabling prompt review and remediation as required.
Do you have a formally approved and implemented security baseline for all networking equipment and firewalls used in the delivery of services to the customer, e.g. "deny by default" for all firewall and routing rules, implementation of IPS/IDS, disabling of insecure protocols such as Telnet, disabling of default accounts, etc.?
Yes. As part of our ISO 27001-aligned Information Security Management System (ISMS), we maintain a formally approved and implemented security baseline for all networking and firewall configurations used in the delivery of services. Our services are hosted within Microsoft Azure, where we use Azure-native networking controls, including Network Security Groups (NSGs), Azure Firewall, Web Application Firewall (WAF), and Microsoft Defender for Cloud.
All changes to firewall and networking configurations are monitored in real-time, and deviations from approved baselines trigger alerts to our security and infrastructure teams for immediate review and remediation.
Are regular reviews performed to ensure security baselines have been effectively implemented?
Yes. We perform regular reviews of all security baselines across our infrastructure to ensure they remain effective, up-to-date, and compliant with internal policies and ISO 27001 requirements.
Our security baselines for servers, networks, firewalls, and services are monitored using Azure Policy, Microsoft Defender for Cloud, and Azure Monitor, which continuously assess configuration compliance. Any deviations from the approved baselines trigger automated alerts to our infrastructure and security teams for immediate investigation and remediation.
In addition to automated checks, we conduct periodic manual reviews and audits of baseline adherence as part of our ongoing risk management and internal audit programme. These reviews feed into our change management process and support our commitment to continuous improvement and secure service delivery.
Are regular penetration tests performed to test for any vulnerabilities, and to determine if hardening baselines are adequate in protecting the systems?
Yes. We perform regular penetration tests, conducted at least annually by an independent CREST-approved security testing provider. These tests assess both application-layer and infrastructure-layer security, with a specific focus on identifying vulnerabilities and validating the effectiveness of our hardening baselines.
In addition to scheduled tests, we commission additional penetration testing when major features or architectural changes are released, or when risk assessments indicate it is necessary.
Findings from each test are reviewed, risk-ranked, and fed into our internal vulnerability management process for remediation. Results are also used to validate and update our server and network hardening baselines, ensuring they remain effective in protecting our systems against evolving threats.
These activities form part of our broader ISO 27001-aligned security assurance programme.
Do you segregate web, application, test, and database servers, either logically or physically?
Yes. We implement logical segregation of web, application, test, and database servers within our Microsoft Azure environment. This segregation is achieved through the use of dedicated virtual networks (VNets), subnets, and Network Security Groups (NSGs), which tightly control traffic flow between system components and environments.
Each layer (e.g., web, app, database) operates within isolated network segments, with strict firewall rules and access controls based on the principle of least privilege. Test environments are completely separated from production and do not contain live customer data.
This segregation supports defence-in-depth, reduces lateral-movement risk, and is reviewed regularly as part of our ISO 27001-compliant architecture and infrastructure hardening processes.
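As an added illustration (not Built Intelligence's own configuration) of the two controls described above, deny-by-default firewall rules and the segregation of web, application and database tiers, the following Python models priority-ordered allow/deny rules in the style of Azure Network Security Groups, with an implicit final deny-all, and then checks that only the application tier can reach the database tier. The subnet ranges, ports and rule names are constructed examples.

```python
"""Deny-by-default network rule evaluation across web/app/database tiers.

Added illustration (not Built Intelligence's own configuration). It models how
priority-ordered allow/deny rules, in the style of Azure Network Security Groups,
are evaluated with an implicit final deny-all, and checks that only the app tier
can reach the database tier. Subnet ranges, ports and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower numbers are evaluated first
    src: str                # CIDR, or "any"
    dst: str                # CIDR, or "any"
    port: Optional[int]     # None matches every port
    action: str             # "allow" or "deny"


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Rule:
    """Return the first matching rule by priority, or the implicit deny-all if none match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.src, src) and _matches(rule.dst, dst) and rule.port in (None, port):
            return rule
    return Rule("DenyAll", 65500, "any", "any", None, "deny")  # deny by default


def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    return evaluate(rules, src, dst, port).action == "allow"


# Constructed tier address ranges
WEB_TIER, APP_TIER, DB_TIER = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

# Constructed inbound rules for the database tier: only the app tier, only on the SQL port
DB_RULES = [
    Rule("AllowAppToSql", 100, APP_TIER, DB_TIER, 1433, "allow"),
    Rule("DenyWebToDb", 200, WEB_TIER, DB_TIER, None, "deny"),
]


def segmentation_violations(rules: List[Rule], db_cidr: str = DB_TIER,
                            app_cidr: str = APP_TIER) -> List[str]:
    """Names of allow rules that let anything other than the app tier reach the database tier."""
    db_net, app_net = ip_network(db_cidr), ip_network(app_cidr)
    bad = []
    for rule in rules:
        if rule.action != "allow":
            continue
        reaches_db = rule.dst == "any" or ip_network(rule.dst).overlaps(db_net)
        from_app_only = rule.src != "any" and ip_network(rule.src).subnet_of(app_net)
        if reaches_db and not from_app_only:
            bad.append(rule.name)
    return bad


if __name__ == "__main__":
    for src in ("10.0.2.10", "10.0.1.10", "203.0.113.9"):
        print(src, "->", evaluate(DB_RULES, src, "10.0.3.5", 1433).name)
    print("segmentation violations:", segmentation_violations(DB_RULES))
```

The explicit `DenyWebToDb` rule is redundant with the implicit deny-all; it is kept because an explicit deny at a fixed priority still holds if someone later adds a broad allow rule at a lower-priority number, which is exactly the kind of drift `segmentation_violations` is meant to catch during a baseline review.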
Do you have a formal patch management process in place which ensures systems are regularly patched for vulnerabilities?
Yes. We have a formal patch management process in place to ensure that all systems are regularly patched for known vulnerabilities. This process is aligned with our ISO 27001 certified Information Security Management System (ISMS) and forms part of our broader vulnerability management programme.
We leverage Microsoft Azure Update Management and Defender for Cloud to monitor patch status across our infrastructure, and apply updates based on risk and severity. Critical and security-related patches are prioritised and applied as soon as possible, with all other updates managed during scheduled maintenance windows to minimise disruption.
Patch deployments are tested in lower environments before being promoted to production, and all changes follow our change management process, including peer review, approval, and rollback planning.
Patch status and exceptions are regularly reviewed by our infrastructure and security teams, with alerts triggered for any deviations from expected baselines.
Do you have a formal process in place for the handling of zero-day vulnerabilities?
Yes. Our zero-day handling process is aligned with our ISO 27001 ISMS and includes procedures for rapid assessment, prioritisation, mitigation, and communication.
Upon notification of a zero-day vulnerability via vendor advisories, threat intelligence feeds, or monitoring tools such as Microsoft Defender for Cloud, our infrastructure and security teams perform an immediate risk assessment to determine exposure across our environment.
Where applicable, we take temporary mitigation measures (e.g. disabling vulnerable services, applying workarounds, tightening access controls) while permanent fixes are evaluated or released by vendors. All remediation steps are tracked through our ticketing and change management system.
We continuously monitor authoritative sources for updates and coordinate closely with key providers like Microsoft to ensure timely response and patch application.
All actions taken are logged, reviewed post-incident, and included in our continuous improvement cycle.
Do you have monitoring mechanisms in place that will generate alerts when any protected systems or files are altered, or when unauthorised changes are made?
Yes. We use Microsoft Defender for Cloud and Azure Monitor to track changes across protected systems, configurations, and critical resources. Alerts are automatically triggered for unauthorised or suspicious changes, and these are reviewed by our internal security and infrastructure teams as part of our incident response process.
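The baseline monitoring described in the server and network baseline answers above, and the change alerting described in this answer, both come down to the same mechanism: compare what is deployed against an approved configuration, and raise an alert when a governed setting deviates or changes. The following Python is an added illustration of that mechanism, not the vendor's Azure Policy or Defender for Cloud setup; the baseline values, resource names and the two configuration snapshots are constructed.

```python
"""Configuration-baseline compliance and change alerting.

Added illustration (not the vendor's Azure Policy / Defender for Cloud setup).
It checks resource configurations against an approved baseline and diffs two
configuration snapshots so that any change to a baseline-governed setting
raises an alert. Baseline values, resource names and snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed baseline: for each resource type, the allowed values per setting
BASELINE: Dict[str, Dict[str, set]] = {
    "vm": {
        "os_version": {"ubuntu-22.04", "windows-2022"},   # approved OS versions only
        "telnet_enabled": {False},                         # insecure protocol off
        "default_admin_enabled": {False},                  # default accounts disabled
    },
    "storage": {
        "https_only": {True},
        "public_blob_access": {False},
        "min_tls": {"TLS1_2"},
    },
}
HIGH_SEVERITY = {"telnet_enabled", "default_admin_enabled", "public_blob_access", "https_only"}

Snapshot = Dict[str, Dict[str, Any]]   # resource name -> its settings


@dataclass(frozen=True)
class Finding:
    resource: str
    setting: str
    actual: Any
    severity: str


def assess(snapshot: Snapshot) -> List[Finding]:
    """Compare every resource's settings with the baseline for its type."""
    findings = []
    for name, res in snapshot.items():
        rules = BASELINE.get(res.get("type"))
        if rules is None:
            findings.append(Finding(name, "type", res.get("type"), "medium"))  # no baseline defined
            continue
        for setting, allowed in rules.items():
            actual = res.get(setting, "<missing>")
            if actual not in allowed:
                severity = "high" if setting in HIGH_SEVERITY else "medium"
                findings.append(Finding(name, setting, actual, severity))
    return findings


def diff_snapshots(previous: Snapshot, current: Snapshot) -> List[Dict[str, Any]]:
    """Change events (created / deleted / modified setting) between two snapshots."""
    events = []
    for name in sorted(set(previous) | set(current)):
        old, new = previous.get(name), current.get(name)
        if old is None:
            events.append({"resource": name, "change": "created"})
        elif new is None:
            events.append({"resource": name, "change": "deleted"})
        else:
            for key in sorted(set(old) | set(new)):
                if old.get(key) != new.get(key):
                    events.append({"resource": name, "change": "modified", "setting": key,
                                   "old": old.get(key), "new": new.get(key)})
    return events


def alerts_for_changes(events: List[Dict[str, Any]], current: Snapshot) -> List[str]:
    """Alert on resource creation/deletion and on changes to baseline-governed settings only."""
    alerts = []
    for ev in events:
        if ev["change"] != "modified":
            alerts.append(f"{ev['resource']}: resource {ev['change']}")
            continue
        rtype = current.get(ev["resource"], {}).get("type")
        if ev["setting"] in BASELINE.get(rtype, {}):
            alerts.append(f"{ev['resource']}: {ev['setting']} changed {ev['old']!r} -> {ev['new']!r}")
    return alerts


# Constructed snapshots: T0 is compliant, T1 has Telnet switched on and a harmless tag added
SNAPSHOT_T0: Snapshot = {
    "web-vm-01": {"type": "vm", "os_version": "ubuntu-22.04", "telnet_enabled": False, "default_admin_enabled": False},
    "data-store": {"type": "storage", "https_only": True, "public_blob_access": False, "min_tls": "TLS1_2"},
}
SNAPSHOT_T1: Snapshot = {
    "web-vm-01": {"type": "vm", "os_version": "ubuntu-22.04", "telnet_enabled": True, "default_admin_enabled": False},
    "data-store": {"type": "storage", "https_only": True, "public_blob_access": False, "min_tls": "TLS1_2", "tags": "prod"},
}

if __name__ == "__main__":
    print("compliance findings:", assess(SNAPSHOT_T1))
    print("alerts:", alerts_for_changes(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1), SNAPSHOT_T1))
```

The point of separating `assess` from `diff_snapshots` is that a change to a governed setting is alerted even when the new value is still compliant (a tag change is not), which is what "alerts when any protected systems are altered" requires, while the compliance check catches drift that predates the first snapshot.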
Are systems configured to generate audit and event logs?
Yes. All key systems are configured to generate audit and event logs, including user activity, authentication events, system changes, and access to sensitive data. These logs are centralized and monitored using Azure Monitor, Log Analytics, and Microsoft Defender for Cloud to support security, compliance, and operational visibility.
To prevent tampering or deletion, are audit and event logs restricted so that only authorised persons have access?
Yes. Audit and event logs are stored in secure, tamper-resistant locations within Azure Log Analytics and Microsoft Defender for Cloud. Access is strictly limited to authorised personnel, enforced via role-based access control (RBAC) and monitored for any unauthorised access attempts.
Are audit and event logs configured so that they do not capture excessive information e.g. the content of communications containing personal data?
Yes. Our logging configuration follows the principle of data minimisation. Audit and event logs capture only metadata and activity details (e.g. who accessed what and when), but do not log the content of communications or personal data. This approach supports GDPR compliance and reduces risk of exposing sensitive information through log files.
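To make the two logging answers above concrete (audit events that record who did what, to which resource and when, while never capturing message content or personal data), the following Python is an added illustration, not the vendor's Azure Monitor or Log Analytics configuration. It enforces an allow-list of metadata fields when an event is written, and separately scans existing JSON log lines for fields that should never appear. The field names and the sample log lines are constructed.

```python
"""Audit event emission with data minimisation, plus a check for over-logging.

Added illustration, not the vendor's logging configuration. An allow-list of
metadata fields is enforced when an audit event is written; message bodies,
document contents and other free text are dropped rather than recorded. A second
function scans existing JSON log lines for fields that should never be present.
Field names and sample lines are constructed.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Metadata an audit record may carry (constructed allow-list): who, what, which, when, outcome
ALLOWED_FIELDS = {"ts", "actor", "action", "resource", "outcome", "source_ip", "session_id"}
# Fields that would carry content, personal data or secrets and must never be logged
FORBIDDEN_FIELDS = {"body", "message", "content", "attachment", "email_body", "password", "token"}


def audit_event(actor: str, action: str, resource: str, outcome: str, **context: Any) -> str:
    """Return one JSON log line containing only allow-listed metadata."""
    record: Dict[str, Any] = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor, "action": action, "resource": resource, "outcome": outcome,
    }
    for key, value in context.items():
        if key in ALLOWED_FIELDS and key not in record:
            record[key] = value
        # anything else (bodies, free text, secrets) is deliberately not recorded
    return json.dumps(record, sort_keys=True)


def event_fields(line: str) -> List[str]:
    """Sorted field names present in one JSON log line."""
    return sorted(json.loads(line))


def minimisation_violations(log_lines: List[str]) -> List[Dict[str, Any]]:
    """Report lines carrying forbidden fields, or keys outside the allow-list, or invalid JSON."""
    problems = []
    for i, line in enumerate(log_lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append({"line": i, "issue": "not valid JSON"})
            continue
        forbidden = sorted(set(rec) & FORBIDDEN_FIELDS)
        extra = sorted(set(rec) - ALLOWED_FIELDS)
        if forbidden:
            problems.append({"line": i, "issue": "forbidden field", "fields": forbidden})
        elif extra:
            problems.append({"line": i, "issue": "unexpected field", "fields": extra})
    return problems


# Constructed sample lines as they might be found in an existing application log
SAMPLE_LOG = [
    '{"ts": "2024-05-01T09:00:00+00:00", "actor": "alice@example.com", "action": "document.view", '
    '"resource": "contract/42", "outcome": "success"}',
    '{"ts": "2024-05-01T09:01:00+00:00", "actor": "bob@example.com", "action": "message.send", '
    '"resource": "thread/7", "outcome": "success", "body": "Please see the attached pricing."}',
    '{"ts": "2024-05-01T09:02:00+00:00", "actor": "bob@example.com", "action": "login", '
    '"resource": "auth", "outcome": "failure", "reason": "bad_password"}',
]

if __name__ == "__main__":
    print(audit_event("alice@example.com", "document.download", "contract/42", "success",
                      source_ip="198.51.100.7", body="this text is never logged"))
    for problem in minimisation_violations(SAMPLE_LOG):
        print(problem)
```

The scan distinguishes a forbidden field (content or a secret in the log, which is a finding in its own right) from a merely unexpected one such as `reason`, which may be legitimate metadata but should be added to the allow-list deliberately rather than appear by accident.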
Are audit and event logs retained in line with regulatory, contractual, and legal requirements?
Yes. Audit and event logs are retained in accordance with our ISO 27001 aligned policies and any applicable regulatory, contractual, or legal requirements. Retention periods are defined based on data classification and use case, and logs are stored securely with access controls and monitoring in place.
Are audit and event logs regularly reviewed to ensure that any potential breaches are quickly identified?
Yes. Audit and event logs are regularly reviewed by our internal support and security teams. We use Azure Monitor and Microsoft Defender for Cloud to generate alerts for anomalous or high-risk activity, enabling us to detect and respond to potential breaches promptly.
Do you have a formal Access Control Policy in place which sets out the requirements for accessing systems, as well as creating, handling, and securing passwords?
Yes. We have a formally approved Access Control Policy in place that defines the requirements for accessing systems, managing user accounts, and creating, handling, and securing passwords. This policy is a key component of our ISO 27001 certified Information Security Management System (ISMS) and is reviewed regularly.
Key elements of the policy include:
- Role-based access control (RBAC) to ensure users only have access to the systems and data necessary for their role.
- Enforced least privilege and need-to-know principles across all environments.
- Mandatory use of strong passwords, with length, complexity, and expiration requirements.
- Multi-factor authentication (MFA) for all administrative and user access to critical systems.
- Restrictions on shared accounts and mandatory audit logging of user activities.
- Secure handling and storage of passwords, including encryption and hashing.
Access requests, changes, and removals follow a documented approval workflow and are tracked through our service management system, with regular reviews of access rights and account hygiene.
Do you have a joiners/movers/leavers process in place to ensure access to systems is removed or changed when users change role, or when employment is terminated?
Yes. Our joiners/movers/leavers process is aligned with our ISO 27001 Information Security Management System and is enforced consistently across employees and subcontractors.
Joiners are granted access based on role and responsibilities, following a documented approval process.
Movers have their access rights reviewed and updated promptly to reflect any changes in responsibilities or teams.
Leavers have all access to systems and data revoked on their final working day, or earlier if required. This includes disabling user accounts, revoking credentials, and removing access to all internal and third-party systems.
These actions are tracked through our internal service desk system and are subject to auditing and periodic access reviews to ensure compliance and minimise risk.
Do you have an approval process in place to ensure only authorised persons can gain access to the systems?
Yes. Access is granted on a role-based access control (RBAC) model, with each request requiring approval from the relevant line manager or system owner. All requests are logged and processed through our internal ticketing system, ensuring full traceability and auditability.
No user is granted access without a valid business need, and access rights are reviewed regularly to ensure continued relevance. Administrative and privileged access undergoes additional scrutiny and is subject to enhanced logging and monitoring.
Do you perform regular reviews of user and administrator access to the systems to ensure access lists are kept up-to-date?
Yes. Access reviews are conducted quarterly as part of our ISO 27001 access control procedures. We use our internal ticketing system to track and verify that access remains appropriate, particularly for admin and privileged accounts. These reviews include validating roles against current responsibilities, and any unnecessary access is promptly revoked.
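The joiners/movers/leavers process and the quarterly access review described in the answers above both reduce to reconciling the people the organisation currently employs, and their current roles, against the accounts and entitlements that actually exist in systems. The following Python is an added illustration of that reconciliation, not the vendor's service-desk workflow; the roster, the role-to-entitlement map, the accounts and the 90-day review interval are all constructed.

```python
"""Joiners/movers/leavers reconciliation and privileged-access review.

Added illustration, not the vendor's service-desk workflow. It reconciles an HR
roster against the accounts present in systems and reports: leavers whose accounts
are still enabled; movers holding entitlements their current role does not
include; privileged accounts without MFA or without a recent approval; and
accounts with no matching person. All data and the review interval are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

REVIEW_INTERVAL = timedelta(days=90)   # quarterly review (constructed policy)

# Constructed role -> entitlement map: the least privilege each role needs
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer": {"git.write", "ci.view", "test.deploy"},
    "support": {"helpdesk.agent", "app.readonly"},
    "platform_admin": {"azure.owner", "git.admin", "ci.admin"},
}
PRIVILEGED = {"azure.owner", "git.admin", "ci.admin"}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str          # current role from HR
    status: str        # "active" or "left"


@dataclass(frozen=True)
class Account:
    account: str
    person_id: str
    enabled: bool
    entitlements: Set[str]
    mfa: bool
    last_approved: date


def review(roster: List[Person], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    people = {p.person_id: p for p in roster}
    report: Dict[str, List[str]] = {"leavers_active": [], "excess_entitlements": [],
                                    "privileged_issues": [], "orphaned": []}
    for acc in accounts:
        person = people.get(acc.person_id)
        if person is None:                       # account with no owner in HR
            report["orphaned"].append(acc.account)
            continue
        if person.status == "left" and acc.enabled:
            report["leavers_active"].append(acc.account)
            continue                             # revocation is the only action that matters here
        excess = acc.entitlements - ROLE_ENTITLEMENTS.get(person.role, set())
        if excess:                               # a mover still carrying the old role's rights
            report["excess_entitlements"].append(f"{acc.account}: {', '.join(sorted(excess))}")
        if acc.enabled and acc.entitlements & PRIVILEGED:
            if not acc.mfa:
                report["privileged_issues"].append(f"{acc.account}: no MFA")
            if today - acc.last_approved > REVIEW_INTERVAL:
                report["privileged_issues"].append(f"{acc.account}: approval older than review interval")
    return report


# Constructed roster and accounts: bob moved from platform_admin to support, carol has left
ROSTER = [Person("p1", "developer", "active"), Person("p2", "support", "active"), Person("p3", "support", "left")]
ACCOUNTS = [
    Account("alice", "p1", True, {"git.write", "ci.view", "test.deploy"}, True, date(2024, 4, 1)),
    Account("bob", "p2", True, {"helpdesk.agent", "azure.owner"}, True, date(2024, 1, 10)),
    Account("carol", "p3", True, {"app.readonly"}, True, date(2024, 3, 1)),
    Account("svc-deploy", "svc-01", True, {"ci.admin"}, False, date(2023, 6, 1)),
]
REVIEW_DATE = date(2024, 6, 1)


def run_review() -> Dict[str, List[str]]:
    return review(ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

Orphaned accounts are reported separately rather than checked for MFA or approval age, because an account with no accountable owner cannot pass an access review regardless of its other attributes; the service account above would need an owner recorded before its privileged entitlement is assessed.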
Do you have a formal process and system in place for adequately managing and maintaining the security of privileged accounts, such as administrator accounts?
Yes. Privileged accounts are managed under our Access Control Policy and protected by multi-factor authentication, strict role-based access, and audit logging. Admin access is granted only with formal approval, reviewed regularly, and restricted to dedicated accounts separate from day-to-day user credentials.
Do you have a formal process and system in place for managing encryption keys?
Yes. We use Microsoft Azure Key Vault to securely manage and store encryption keys. Access to keys is tightly controlled, logged, and audited. Key usage follows defined policies, and rotation is enforced in line with our ISO 27001 controls.
Do you implement additional access controls for critical systems, such as multi-factor authentication/Conditional Access?
Yes. All access to critical systems and admin interfaces is protected by multi-factor authentication (MFA) and, where supported, Conditional Access policies. These controls help enforce device compliance, location-based restrictions, and limit exposure to high-risk sign-ins.
Is data encrypted in transit within the Cloud Service?
Yes. All data in transit is encrypted using TLS 1.2 or higher across our cloud services. This includes communications between users, services, and internal components hosted within Microsoft Azure.
Is data encrypted at rest within the Cloud Service?
Yes. All data at rest is encrypted using AES-256 encryption by default within Microsoft Azure. This includes databases, storage accounts, and backups.
Are all data backups encrypted?
Yes. All data backups are encrypted at rest using AES-256 encryption, in line with our cloud provider’s default security standards and as per our ISO 27001 controls and requirements.
Are industry standard encryption algorithms used to encrypt data, and the versions deployed regularly reviewed to ensure deprecated or vulnerable versions are updated?
Yes. We use industry-standard encryption algorithms, including AES-256 for data at rest and TLS 1.2 or higher for data in transit, as provided by Microsoft Azure.
Encryption protocols and configurations are regularly reviewed as part of our vulnerability management and cloud monitoring processes. Deprecated or vulnerable versions are identified through vendor advisories and threat intelligence, and we apply updates or reconfigurations promptly to maintain compliance and security.
Is there a formal process in place to notify customers of data breaches?
Yes. We have a formal incident response plan in place, aligned with ISO 27001 and GDPR requirements. In the event of a data breach, affected customers are notified without undue delay, along with relevant details, impact assessments, and remediation steps. We are also registered with the Information Commissioner’s Office (ICO).
Is access to data appropriately restricted to only those users who require access?
Yes. Access to data is governed by role-based access control (RBAC) and the principle of least privilege. Users are only granted access necessary for their role, and permissions are reviewed regularly to ensure continued appropriateness.
Is access to data monitored to ensure unauthorised access is identified promptly and blocked?
Yes. Access to data is continuously monitored and logged using Microsoft Defender for Cloud and Azure Monitor. Suspicious or unauthorised activity triggers real-time alerts for investigation and response by our security team.
Is there a formal process in place for the destruction of data which includes secure erasure and destruction of removable media?
Yes. We follow a formal data disposal policy aligned with ISO 27001. Data is securely erased using industry-standard tools and methods, and any removable media is physically destroyed or securely wiped before disposal or reuse. Cloud-based data is deleted in accordance with Microsoft Azure’s secure deletion policies.
Are certificates of destruction maintained as evidence of all secure data destruction activities?
Yes. Where physical media is securely destroyed by an approved third party, in our case our IT service provider ReformIT, certificates of destruction are provided and retained as evidence. For cloud-based data, we rely on Microsoft Azure’s attested deletion processes, which comply with recognised standards and audit requirements.
Do you have a documented Business Continuity and/or DR procedure for the services provided to the customer?
Yes. We maintain a documented Business Continuity and Disaster Recovery (BC/DR) plan for all critical services, including those provided to the customer. This includes defined Recovery Time Objectives (RTO) of 8 hours and Recovery Point Objectives (RPO) of 48 hours, with regular testing and review as part of our ISO 27001 compliance.
Are BCP and/or DR procedures regularly tested to ensure that they operate as planned?
Yes. Our Business Continuity and Disaster Recovery procedures are tested at least annually to ensure they are effective and up to date. Tests include simulated outage scenarios and recovery drills, with outcomes reviewed and used to refine the procedures as needed.
Do BCP and/or DR procedures currently include the recovery and restoration of the customer data?
Yes. Once a customer is onboarded, their data is fully included in our BCP and DR procedures, with recovery and restoration covered under our standard RTO and RPO commitments for all client data.
Where you do not provide recovery of the customer data as part of the service, what mechanisms are in place to allow the customer to backup data?
If recovery is not provided as part of the service, we offer secure API access and export functionality to allow the customer to back up their data independently. This includes:
- Excel data registers
- PDFs of all communicated notices
- All documents uploaded into the FastDraft platform
These exports can be automated or scheduled as needed. When you become a customer, full recovery and backup would be included under our standard service offering and DR commitments.
Do you provide your own data centre services, or are data centre services sub-contracted to a third party provider, e.g. AWS?
We do not operate our own data centres. All infrastructure and hosting services for FastDraft are provided through Microsoft Azure, a trusted third-party cloud provider certified to international standards such as ISO 27001, SOC 2, and PCI DSS.
Where you provide your own data centre services, do you adhere to an approved standard for data centre security such as ISO 27001, SOC 2 Type 2, etc.?
We do not operate our own data centres. All hosting for FastDraft is provided by Microsoft Azure, which is certified to ISO 27001, SOC 2 Type 2, and other international security standards.
Where you provide your own data centre services, is it possible to facilitate a site visit by the customer or nominated third party to audit the physical security controls in place?
All hosting is provided by Microsoft Azure, whose data centres undergo regular audits and are certified to ISO 27001, SOC 2 Type 2, and other international security standards. We review Azure's compliance documentation and certifications regularly to ensure alignment with our regulatory and contractual obligations, and copies of these audit reports can be provided to customers.
Do you perform regular reviews of your physical security controls to ensure they are in line with regulatory, legal, and contractual requirements?
As we use Microsoft Azure for all hosting, physical security is managed by Microsoft. Their data centres undergo regular audits and are certified to standards such as ISO 27001 and SOC 2 Type 2. We review Azure’s compliance documentation and certifications regularly to ensure alignment with our regulatory and contractual obligations.
Is the service provided SaaS, PaaS , IaaS or other?
FastDraft is provided to customers as Software as a Service (SaaS). The FastDraft software itself runs in a Platform as a Service (PaaS) hosting environment in Microsoft Azure.
Do you host the application in a data centre you manage, or do you host on an IaaS provider? If hosted by a third party, please provide the details.
The application is not hosted in a data centre managed by us. Instead, it is hosted on Platform as a Service (PaaS) resources provided by Microsoft Azure, a leading cloud infrastructure provider.
Where is the data hosted? Including Datacentre locations, countries?
Enterprise clients may choose the location of their data storage. For UK clients all data is stored in the UK South data centre, hosted on Microsoft Azure. For our international clients it is stored in their geographical region: for example, we use data centres in Europe for our European clients, Australian data centres for our Australian clients, and so on.
What is the application topology? For example, shared or separate web/application servers?
The application, FastDraft, is hosted on Microsoft Azure's cloud infrastructure and follows a multi-tier architecture. The architecture comprises several layers:
- Application Layer: The only client connecting to FastDraft's backend is the website. All communication with the platform takes place via secure API endpoints.
- Caching / Web Server Layer: FastDraft uses web cache (or HTTP cache) technology for the temporary storage of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag.
- Communication Layer: Communication with the backend is only possible through API endpoints (web services). All web services are secured through the use of access tokens which are decrypted server-side to ensure authentication is valid and access to data is strictly controlled.
- Business Layer: This layer contains all business logic and controls what data is made available to each communication request.
- Data Layer / Data Access Layer: Contains the data context/model for each data entity (table). All data requests are made via Stored Procedures and access to the data layer is strictly through the business layer.
Is the data stored in a database or container and is the information segregated?
Data is stored in a database as part of the FastDraft platform, which is hosted on Microsoft Azure's cloud infrastructure. The platform uses a combination of a Company ID, a Project ID, and a Contract ID to ensure all data is isolated.
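The communication and data layers above describe two controls working together: every request carries an access token that is validated server-side, and every row is keyed by Company, Project and Contract IDs so that tenants are isolated. The following is an added example of that pattern, not FastDraft's own code. It uses a self-issued HMAC-SHA256 signed token (integrity-checked rather than decrypted, a stand-in for the OAuth 2.0/OIDC tokens the page says are issued via Auth0), a constructed signing key, and a constructed in-memory table of notices. The point it demonstrates is that the tenant scope comes from the verified token, never from the request parameters, so a caller cannot reach another company's contract by changing an ID.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example only. In production the token is
# issued by the identity provider and verified against its published keys.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a token: base64url(JSON claims) + '.' + base64url(HMAC-SHA256)."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check signature and expiry; any failure raises so the request is rejected."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise PermissionError("token expired")
    return claims


# Constructed sample rows tagged with the isolation keys the page names.
NOTICES = [
    {"company_id": 1, "project_id": 10, "contract_id": 100, "ref": "CE-001"},
    {"company_id": 1, "project_id": 10, "contract_id": 101, "ref": "CE-002"},
    {"company_id": 2, "project_id": 20, "contract_id": 200, "ref": "CE-003"},
]


def list_notices(token: str, contract_id: int, now=None) -> list:
    """Business-layer entry point. The tenant scope (company and the contracts the
    caller may see) is taken from the verified token; the requested contract must
    lie inside that scope before the data layer is consulted at all."""
    claims = verify_token(token, now=now)
    if contract_id not in claims["contract_ids"]:
        raise PermissionError("contract outside caller's scope")
    return [
        n["ref"]
        for n in NOTICES
        if n["company_id"] == claims["company_id"] and n["contract_id"] == contract_id
    ]


def access_denied(fn, *args, **kwargs) -> bool:
    """Helper for exercising the negative paths: True if the call was rejected."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tok = issue_token({"sub": "alice", "company_id": 1, "contract_ids": [100, 101], "exp": 2000})
    print(list_notices(tok, 100, now=1000))            # ['CE-001']
    print(access_denied(list_notices, tok, 200, now=1000))  # True: not in caller's scope
```

A forged token (signed with a different key), an expired token, or a contract ID outside the caller's claims all produce a `PermissionError` before any data is read, which is the behaviour a business layer in front of the data access layer should have.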
Does your application support Azure AD for authentication?
Yes, the FastDraft application supports Azure Active Directory (AD) for authentication. It uses the IdpaaS authentication
If the application supports Azure Active Directory (AD) for authentication, does your application work with Azure Conditional Access?
Yes, the FastDraft application works with Azure Conditional Access. It uses the Auth0 authentication service and supports several Single Sign-On solutions, including MS Azure Active Directory via OAuth 2.0/OpenID Connect. Azure Conditional Access is a feature of Azure Active Directory and can be used to enforce security policies whenever a user attempts to access a resource. Therefore, if Azure AD is supported, Azure Conditional Access can be implemented as part of the security policies.
Does the application support password complexity?
Yes, the application supports password complexity. It follows the UK National Cyber Security Centre guidance for password structure. The application requires users to use strong, unique passwords and enforces regular password changes. Reuse of passwords is prohibited for subsequent attempts, and eight-character alphanumeric passwords are required. The application also supports two-factor authentication for additional security.
Which specific password settings are customisable (length, complexity, expiration, etc.)?
The FastDraft application allows for the configuration of password policies for all enterprise clients. It follows the UK National Cyber Security Centre guidance for password structure, which includes the enforcement of strong, unique passwords and regular password changes. Specific customisable settings include:
- Length: Passwords must be at least 16 characters long.
- Complexity: Passwords must be complex and include a special character, upper and lower case characters.
- Expiration: The application enforces regular password changes.
- Reuse: Reuse of passwords is prohibited for subsequent attempts.
- Two-Factor Authentication: The application also supports two-factor authentication for additional security.
Please note that these settings might be controlled by the authentication service when Single Sign-On is implemented.
Does your application lock user accounts after unsuccessful attempts? If yes, please specify how many attempts or whether it’s configurable?
Yes, the application does lock user accounts after unsuccessful attempts. The system validates the logon data only on completion of input and then, if there is an error, the system requires the user to try again. The logon procedure limits the number of unsuccessful attempts and automatically either enforces a time delay before further attempts are allowed, or simultaneously disconnects the data link, sends an alert and rejects any further attempts without specific authorisation from the System Administrator.
What options are available to unlock accounts?
FastDraft provides a self-service password reset feature via the user's official email address. If a user's account is locked due to unsuccessful login attempts, they can reset their password from the login page, which should unlock their account. If the user has lost their username, they would need to reach out to the helpdesk support for assistance. It's important to note that when Single Sign-On is implemented, account management, including unlocking of accounts, is typically controlled by the authentication service, such as Azure Active Directory.
Are user accounts managed by you/provider?
The management of user accounts in FastDraft is a shared responsibility. The application allows for the creation and administration of user accounts by the client's administrators. However, certain high-level administrative tasks, such as granting system-level access, are performed by the senior engineering staff of the service provider. Therefore, while users and client administrators have control over certain aspects of account management, the provider also plays a role in managing accounts, particularly those with elevated privileges.
Does your application support automatic logout of users due to inactivity?
Yes, the FastDraft application supports automatic logout of users due to inactivity. The system automatically logs out users after a period of inactivity to ensure the security of user data.
What is the default inactivity timeout value?
This setting can be configured by the client according to their requirements when they are on an enterprise plan. The default is 15 minutes.
Are we allowed to reconfigure the inactivity timeout value?
Yes, when you are on an enterprise plan.
Does your application support user Role-Based Access Controls?
Yes, the FastDraft application supports Role-Based Access Controls (RBAC). User access to the system is controlled via a three-tier role-based security layer, allowing users in a given role or group to be managed and modified as requirements develop. The three-tier hierarchy for roles includes system permissions, contract party roles, and supplementary contract roles. This provides a great deal of flexibility for administration of users. Administrators can assign users to roles/profiles for all tiers below their own permission tier and customise individual access to contract and workflows on specific contracts.
Are user roles pre-defined or can you create new roles or customise existing roles as needed?
The FastDraft application provides a set of pre-defined user roles, but it also allows for the creation and customisation of roles as needed. The platform provides a three-tier hierarchy for roles, which includes system permissions, contract party roles, and supplementary contract roles. Administrators can assign users to roles/profiles for all tiers below their own permission tier and customise individual access to contracts and workflows on specific contracts. Therefore, you can create new roles or customise existing roles as needed.
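The two answers above describe a delegation rule rather than a flat permission list: an administrator may assign roles only at tiers below their own, and contract-scoped roles only on specific contracts. The following is an added example of how such a rule can be enforced in code; it is not FastDraft's implementation. The tier ordering (system permissions above contract party roles above supplementary contract roles), the extra "provider" tier for the service provider's engineering staff who grant system-level access, and the assumption that system-tier administrators may act on any contract are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed ordering: lower number = higher authority. PROVIDER is the service
# provider's own staff, who the page says grant system-level access.
PROVIDER, SYSTEM, CONTRACT_PARTY, SUPPLEMENTARY = 0, 1, 2, 3
TIER_NAMES = {
    SYSTEM: "system permission",
    CONTRACT_PARTY: "contract party role",
    SUPPLEMENTARY: "supplementary contract role",
}


@dataclass
class User:
    name: str
    tier: int                                   # highest tier this user holds
    contracts: set = field(default_factory=set)  # contracts they administer


@dataclass
class RoleAssignment:
    user: str
    tier: int
    role: str
    contract_id: Optional[int] = None  # None only for system-level roles


def administers(admin: User, contract_id: Optional[int]) -> bool:
    """Assumption: system-tier (and provider) admins may act on any contract;
    lower tiers only on contracts explicitly delegated to them."""
    return admin.tier <= SYSTEM or contract_id in admin.contracts


def can_assign(admin: User, target_tier: int, contract_id: Optional[int] = None) -> Tuple[bool, str]:
    """Delegation rule: roles may be granted only at tiers strictly below the
    admin's own, and contract-scoped roles only on contracts the admin administers."""
    if target_tier <= admin.tier:
        return False, f"{admin.name} (tier {admin.tier}) cannot assign tier {target_tier} roles"
    if target_tier != SYSTEM and not administers(admin, contract_id):
        return False, f"{admin.name} does not administer contract {contract_id}"
    return True, "ok"


def assign_role(admin: User, target: User, tier: int, role: str,
                contract_id: Optional[int] = None,
                registry: Optional[List[RoleAssignment]] = None) -> RoleAssignment:
    """Create a role assignment after checking the delegation rule and the
    scoping rule (system roles are global, everything else names a contract)."""
    ok, reason = can_assign(admin, tier, contract_id)
    if not ok:
        raise PermissionError(reason)
    if tier == SYSTEM and contract_id is not None:
        raise ValueError("system permissions are not contract-scoped")
    if tier != SYSTEM and contract_id is None:
        raise ValueError(f"{TIER_NAMES[tier]}s must name a contract")
    assignment = RoleAssignment(target.name, tier, role, contract_id)
    if registry is not None:
        registry.append(assignment)   # audit record of who holds what, where
    return assignment


if __name__ == "__main__":
    party_admin = User("party-admin", CONTRACT_PARTY, {100})
    reviewer = User("bob", SUPPLEMENTARY)
    print(assign_role(party_admin, reviewer, SUPPLEMENTARY, "reviewer", 100))
    print(can_assign(party_admin, SUPPLEMENTARY, 200))  # (False, '... does not administer contract 200')
```

The check runs before any state changes, so a contract party administrator can neither promote someone to their own tier nor grant roles on a contract they were not delegated, while a provider engineer is the only actor able to hand out system permissions.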
Does your application support IP Access Restrictions (aka IP Whitelisting) to restrict user logins to only authorised IP address ranges?
Yes, the FastDraft application supports IP Access Restrictions, also known as IP Whitelisting. This feature allows the system to restrict user logins to only authorised IP address ranges, enhancing the security of the application.
Does your application have user login audit logs that can be reviewed by a client administrator?
Yes, our application maintains a comprehensive audit trail of user login activity and system actions at the infrastructure, application, and database levels. While these logs are not directly accessible via the user interface, they are available upon request. Clients can submit a support ticket to request access to specific audit logs, which are then reviewed and shared in accordance with our security and data protection policies.
Does your application support sending email notifications to the client administrator when anomalous activity is detected (i.e. numerous failed logins, successful login from unrecognized IP address or device, etc.)?
FastDraft does not currently send automated email notifications to client administrators in the event of anomalous activity. However, we do monitor for such events internally (e.g., repeated failed login attempts, logins from unrecognised IP addresses), and alerts are sent to designated internal security personnel for review and appropriate action. Our security committee is notified in the event of anomalous activity.
Are rules pre-defined or can the client admin adjust/customise the monitors and email notifications?
Monitoring rules are pre-defined and managed internally by our team. Clients currently do not have the ability to customise or adjust these monitors or the associated email notifications. However, our internal monitoring policies are designed to align with industry best practices and ensure prompt review and response to any potentially anomalous activity. In addition, this activity could be tracked using webhooks, triggers or flows written in Microsoft Power Automate or similar tools such as Zapier.
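The two monitors named above (a burst of failed logins, and a successful login from an IP address not previously seen for that user) are simple enough to show as detection logic. The following is an added example, not FastDraft's monitoring code, run over a constructed sample of login events in an assumed `timestamp user source_ip outcome` format. It keeps a sliding window of failures per account and a per-user baseline of source addresses, and it illustrates the design choice a defender has to make about the baseline: without a known-IP list, a user's first login seeds the baseline rather than raising an alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real FastDraft logs). Assumed format:
#   <ISO-8601 timestamp> <user> <source_ip> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.10 SUCCESS
2024-05-01T09:01:00 bob 198.51.100.7 FAILURE
2024-05-01T09:01:10 bob 198.51.100.7 FAILURE
2024-05-01T09:01:20 bob 198.51.100.7 FAILURE
2024-05-01T09:01:30 bob 198.51.100.7 FAILURE
2024-05-01T09:01:40 bob 198.51.100.7 FAILURE
2024-05-01T09:05:00 alice 192.0.2.55 SUCCESS
2024-05-01T09:30:00 alice 203.0.113.10 SUCCESS
"""


def parse_events(text):
    """Yield (timestamp, user, ip, outcome) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        yield datetime.fromisoformat(ts), user, ip, outcome


def detect_anomalies(text, failure_threshold=5, window=timedelta(minutes=5), known_ips=None):
    """Return alert strings, in order raised, for two monitors:
    - FAILED_LOGIN_BURST: `failure_threshold` failures for one account inside `window`
      (fires when the in-window count reaches the threshold);
    - NEW_IP: a successful login from an address not in the user's baseline.
    `known_ips` ({user: {ip, ...}}) seeds the baseline; otherwise the first
    successful login for a user establishes it."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of failures still inside the window
    seen_ips = defaultdict(set)     # user -> source IPs already used successfully
    for user, ips in (known_ips or {}).items():
        seen_ips[user].update(ips)

    for ts, user, ip, outcome in parse_events(text):
        if outcome == "FAILURE":
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) == failure_threshold:
                alerts.append(
                    f"{ts.isoformat()} FAILED_LOGIN_BURST user={user} ip={ip} count={len(recent)}"
                )
        elif outcome == "SUCCESS":
            if user in seen_ips and ip not in seen_ips[user]:
                alerts.append(f"{ts.isoformat()} NEW_IP user={user} ip={ip}")
            seen_ips[user].add(ip)
            failures[user].clear()   # a successful login ends the failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Running it on the sample raises one burst alert for `bob` at the fifth failure and one new-IP alert for `alice` at 09:05; the later login from her original address is silent because that address is already in her baseline. Raising the threshold to 6 suppresses the burst alert, and seeding `known_ips` with both of alice's addresses suppresses the new-IP alert, which is how such rules would be tuned against a real baseline.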
Does your application support Syslog for shipping logs to a client-managed Security Incident and Event Monitoring (SIEM) solution (e.g. Splunk, ArcSight, QRadar)?
FastDraft could integrate directly with a client-managed SIEM solution via Syslog or a similar protocol. Alternatively, relevant log data can be provided upon request through a support ticket.
These requests are reviewed by our team and fulfilled in accordance with our security and data handling policies.
Does your application use appropriate encryption via 3rd party signed certificates to encrypt data in transit?
Yes, FastDraft uses appropriate encryption for data in transit. The application is hosted in Microsoft Azure and exposes only an HTTPS endpoint, which protects all data in transit between clients and the Azure services. The platform only uses the latest version of TLS, a protocol that provides privacy and data integrity between two communicating applications. This ensures that the data transmitted between the user and the FastDraft application is encrypted and secure.
Are any login portals appropriately encrypted?
Yes, the FastDraft application ensures that all login portals are appropriately encrypted. The application is hosted in Microsoft Azure and only exposes an HTTPS endpoint, which protects all data in transit between clients and the Azure services. The platform only uses the latest version of TLS, a protocol that provides privacy and data integrity between two communicating applications. This ensures that the data transmitted between the user and the FastDraft application is encrypted and secure.
Are APIs/Web Services appropriately encrypted?
Yes, all APIs are encrypted over TLS 1.2+ and are protected endpoints requiring a valid bearer token.
Are any interfaces not encrypted? If yes, please describe the interface(s).
No. FastDraft enforces HTTPS communications.
Do you encrypt the data at-rest for data collected through the web application?
Yes, all data collected through the web application is encrypted at rest using industry-standard encryption protocols. We leverage Microsoft Azure’s built-in encryption mechanisms, including Transparent Data Encryption (TDE) for SQL databases and encryption for Azure Blob Storage, to ensure that all customer data remains protected at all times.
At what level do you encrypt the data (i.e. entire database, certain database fields, file-level encryption, whole disk encryption)?
We encrypt data at rest using a combination of database-level and storage-level encryption. Azure SQL databases are protected using Transparent Data Encryption (TDE), and files stored in Azure Blob Storage are encrypted using server-side encryption with AES-256. Disk-level encryption is also enabled by default on Azure managed disks.
Are login passwords stored as hashes (using at least SHA-2 or greater) in the application database?
Yes, where SSO is not used, login passwords are securely stored in the application database as cryptographic hashes using at least SHA-2 or stronger algorithms. When SSO is used, we do not store or manage user passwords, as authentication is handled by the client’s Identity Provider.
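Three of the answers above concern the non-SSO password path: the customisable policy (16-character minimum, mixed case, a special character, no reuse), the lockout that enforces a delay and raises an alert after repeated failures, and storage of passwords as SHA-2-based hashes. The following is an added example that puts those controls together; it is not FastDraft's code. Hashing uses salted PBKDF2-HMAC-SHA256 (a SHA-2 construction, stretched so that a stolen hash table is expensive to attack), reuse is prevented by checking the new password against retained previous hashes, and lockout applies an escalating delay with an alert, plus an administrator unlock path. The history depth, iteration count, attempt threshold and delay values are assumptions for the example.

```python
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 16              # from the page's customisable settings list
HISTORY_DEPTH = 5            # assumption: previous hashes retained for the reuse check
PBKDF2_ITERATIONS = 210_000  # assumption: PBKDF2-HMAC-SHA256 work factor


def check_policy(password: str) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


class Account:
    """Password history plus the failed-attempt counter and lockout state for one user."""

    def __init__(self, username: str, password: str, max_attempts: int = 5, base_delay: int = 30):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.history = [hash_password(password)]   # newest hash last; only it is 'current'
        self.max_attempts = max_attempts
        self.base_delay = base_delay               # seconds; doubles with each further failure
        self.failures = 0
        self.locked_until = 0.0
        self.alerts = []

    def change_password(self, new_password: str) -> list:
        """Apply the policy and the reuse rule; returns problems (empty on success)."""
        problems = check_policy(new_password)
        if any(verify_password(new_password, h) for h in self.history):
            problems.append("password was used previously")
        if problems:
            return problems
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]
        return []

    def login(self, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False   # inside the enforced delay: rejected without checking the password
        if verify_password(password, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            delay = self.base_delay * 2 ** (self.failures - self.max_attempts)
            self.locked_until = now + delay
            self.alerts.append(f"{self.username}: {self.failures} failed logins, delayed {delay}s")
        return False

    def unlock_by_admin(self) -> None:
        """The 'specific authorisation from the System Administrator' path."""
        self.failures = 0
        self.locked_until = 0.0


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse-Battery-17")
    for t in range(5):
        acct.login("not-the-password-Aa!", now=t)
    print(acct.alerts)                                      # one delay alert after the 5th failure
    print(acct.change_password("Correct-Horse-Battery-17"))  # ['password was used previously']
```

A correct password presented during the delay is still refused, which is the intended behaviour of the lockout; the delay doubles on each further failure so that an automated guessing attempt slows down sharply while a legitimate user who mistypes a few times waits only seconds.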
Is your application developed using secure coding standards and practices?
Yes, our application is developed following secure coding standards and best practices, including the OWASP Top 10 guidelines. We have defined secure development standards as part of our ISO 27001 certified Information Security Management System (ISMS), and our development team receives regular training to ensure ongoing compliance with these practices.
How are security checkpoints built into the software development process?
Security checkpoints are integrated throughout our software development lifecycle, including requirements gathering, design reviews, code reviews, and testing phases. We conduct static code analysis, peer reviews with a focus on security, and security testing (including vulnerability scanning) before deployment. These practices are aligned with our ISO 27001 standards to ensure secure and reliable releases.
Do you perform vulnerability scanning on your application to ensure security issues are addressed prior to releasing to production?
Yes, annually.
Do you hire a 3rd party security testing company to perform penetration testing against your web application to identify and remediate security issues prior to releasing the web app to production?
Yes, we use a CREST accredited pen test provider.
Are any of the web pages of your web application dependent on the use of 3rd party plugins or software such as Java, Adobe Flash, Shockwave, or other for functionality?
No, our web application does not rely on outdated or insecure third-party browser plugins such as Java, Adobe Flash, or Shockwave. The application is built using modern technologies, including ReactJS, and leverages well-maintained third-party libraries and components (e.g., DevExpress) that do not require additional browser plugins for functionality.
Does the application require specific software versions? Or can the dependent software be updated without loss of functionality?
FastDraft only requires a modern internet browser and an internet connection. FastDraft uses a single, unified code base, and all production instances are deployed through a central release pipeline, ensuring they are always on the same version. The platform is modular in design, allowing specific features to be enabled or disabled per instance without altering the underlying code. While dependencies are managed centrally, updates are thoroughly tested to maintain compatibility and prevent functionality loss.
FastDraft by Built Intelligence is a SaaS contract management platform designed for the construction industry, hosted in Microsoft Azure. It leverages Azure App Services for application hosting, Azure SQL Database for data storage, and Azure Storage for file management, ensuring a scalable, secure, and high-availability environment. The platform supports Single Sign-On (SSO) via Azure AD and other identity providers, providing secure authentication and role-based access control. Built on a RESTful API-driven architecture, FastDraft integrates with third-party systems and automates workflows using Azure Functions and Webhooks. It ensures data encryption (at rest and in transit), follows GDPR compliance, and provides automated backups for data resilience. Delivered as a multi-tenant cloud solution, it eliminates infrastructure management for customers while offering a robust, extensible contract management experience.
Provide details of your organisations registration with any regulators (for instance, the ICO), any relevant supervisory authorities, and/or certification bodies.
Built Intelligence is registered with the Information Commissioner's Office (ICO) in the UK, ensuring compliance with UK GDPR and the Data Protection Act 2018. We are ISO 27001 and ISO 9001 certified, demonstrating our commitment to information security and quality management. Additionally, we hold Cyber Essentials and Cyber Essentials Plus certifications, reinforcing our security posture against cyber threats. We are also ISO 14001 certified, further enhancing our environmental management practices. Our platform is hosted in Microsoft Azure, which adheres to industry standards such as ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3, ensuring a secure and compliant infrastructure for our customers.
Please provide locations (city and country) for data centre and system administration facilities only, that will be associated to this service.
Built Intelligence utilises Microsoft Azure data centres to host the FastDraft platform, ensuring high availability, redundancy, and compliance with regional data protection regulations. For UK and EU customers, data is hosted within UK South, UK North, and West Europe Azure data centres, ensuring compliance with UK GDPR and EU GDPR requirements. In addition to our core hosting, we use Zendesk (hosted in the USA) for customer support and Mailgun (hosted in the EU) for transactional email services. These services are carefully selected to ensure compliance with data protection and security standards. System administration is conducted remotely by our technical team, with access restricted through Azure security controls, VPNs, and role-based access management (RBAC) to maintain compliance with ISO 27001 and Cyber Essentials Plus security standards.
Where will remote administration be conducted from?
Remote system administration is conducted from the UK and EU, with access strictly controlled through Azure security policies and role-based access management (RBAC) to maintain compliance with ISO 27001 and Cyber Essentials Plus security standards.
Do you have a written information security policy, approved by your senior management?
Built Intelligence's ISO 27001 Information Security Management System and Information Security Policy (DOC ORG01) are approved by the company Directors.
How do you protect against advanced targeted/deliberate attacks (external or internal) gaining access to client data, e.g. by Advanced Persistent Threats or similar?
Built Intelligence employs a zero-trust, defence-in-depth security model to protect against Advanced Persistent Threats (APTs) and targeted attacks. Our infrastructure is secured using Azure-native firewalls, DDoS protection, Virtual Network (VNet) isolation, and endpoint protection to prevent unauthorised access. Multi-layered malware controls, automated patch management, and continuous vulnerability scanning ensure that all software remains up to date and secure. All data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3), with strict access controls, Role-Based Access Control (RBAC), and Privileged Access Management (PAM) enforcing the principle of least privilege. We implement continuous threat monitoring with Microsoft Security Center and Defender, ensuring real-time detection and response to suspicious activities. Multi-Factor Authentication (MFA) and user activity logging further reduce the risk of insider threats. Data Loss Prevention (DLP) policies and automated security audits help mitigate risks before they become incidents. As an ISO 27001 and Cyber Essentials Plus certified organisation, we conduct annual penetration testing and regular security assessments to maintain a proactive security posture against evolving threats.
Does your business ensure that risks in your business and business services are identified, evaluated and managed effectively?
Yes, Built Intelligence ensures that risks in our business and business services are systematically identified, evaluated, and managed through a structured approach to Operational Risk Management (ORM) and Enterprise Risk Management (ERM). Our ISO 27001 and ISO 9001 certifications provide a framework for risk assessment, mitigation, and continuous improvement across all operational and strategic areas. At the operational level, we conduct regular risk assessments covering security, compliance, system availability, and data integrity. This includes threat modelling, vulnerability assessments, penetration testing, and business continuity planning to ensure resilience against disruptions. At the enterprise level, we maintain a Risk Management Framework (RMF), integrating strategic, financial, regulatory, and cybersecurity risks into our governance processes. Risks are monitored, reviewed, and escalated through the security committee, ensuring alignment with business objectives and regulatory requirements.
How does your business manage software, firmware and operating system vulnerabilities?
FastDraft services run on Microsoft Azure’s Platform-as-a-Service (PaaS) infrastructure, meaning Microsoft is responsible for patching and maintaining the underlying infrastructure, including operating systems, firmware, and network security. This ensures that critical security updates are applied promptly, reducing exposure to vulnerabilities. At the application level, we implement a robust vulnerability management process within our Software Development Lifecycle (SDLC). This includes secure coding practices, automated dependency scanning, static and dynamic code analysis (SAST/DAST), regular penetration testing, and peer code reviews. We continuously monitor security advisories such as OWASP and apply necessary updates to application dependencies and third-party components. Our approach aligns with ISO 27001 and Cyber Essentials Plus standards, ensuring that vulnerabilities are identified, assessed, and remediated effectively.
What background verification checks are carried out on staff in accordance with relevant laws, regulations and ethics?
Built Intelligence conducts background verification checks on all employees using BBPS, ensuring compliance with relevant laws, regulations, and ethical standards. This process includes identity verification, right-to-work checks, employment history verification, and criminal background checks where legally permitted. We adhere to ISO 27001 best practices, ensuring that personnel handling sensitive data meet security and integrity standards. All background checks are conducted in compliance with local labour laws and data protection regulations (e.g., UK GDPR and EU GDPR) to maintain a secure and trustworthy working environment.
Please describe if there is a formal user access policy (is this consistent across any subcontractors)?
Built Intelligence has a formal user access policy, which is a key control under our ISO 27001 Information Security Management System (ISMS), ensuring that access to systems and data is securely managed and consistently applied to both employees and subcontractors (including developers, business analysts, and product owners). Access is granted based on the principle of least privilege (PoLP) and role-based access control (RBAC), with enforcement of Multi-Factor Authentication (MFA) and Single Sign-On (SSO). Regular access reviews and strict onboarding/offboarding procedures ensure that accounts are revoked when no longer required. These measures align with ISO 27001, ensuring secure and auditable access management across all user types.
Can Single Sign On (SSO) be utilised for authentication to the service?
Yes, Single Sign-On (SSO) is supported for authentication to the FastDraft platform. We integrate with Azure Active Directory (Azure AD), Auth0 and other Identity Providers (IdPs) that support SAML 2.0, OAuth 2.0, and OpenID Connect (OIDC), allowing seamless and secure authentication. SSO implementation aligns with our ISO 27001 security controls, ensuring centralised identity management, Multi-Factor Authentication (MFA) enforcement, and role-based access control (RBAC). This enhances security while simplifying user access management for organisations using FastDraft.
Are multi-factor authentication options available?
Yes, Multi-Factor Authentication (MFA) is supported for FastDraft. When using Single Sign-On (SSO) with Azure AD, Auth0 or other supported Identity Providers (IdPs), MFA can be enforced at the IdP level, ensuring centralised authentication security. FastDraft also supports multi-tenanted SSO, meaning each organisation can configure its own IdP for authentication, maintaining separate authentication domains across multiple tenants. This ensures that users from different companies authenticate through their own corporate IdP, improving security and access control. For non-SSO users, we use standard application authentication, where credentials are hashed and encrypted in the database. While SSO is not available in this scenario, security is maintained through strong password policies and encrypted credential storage, aligning with ISO 27001 access control requirements.
Is encryption used to protect data in transit and at rest? Is this consistent throughout any subcontractors used?
Yes, encryption is used to protect data both in transit and at rest across all Built Intelligence systems, ensuring compliance with ISO 27001 security controls.
- Data at Rest: All stored data, including databases, files, and backups, is encrypted using AES-256 encryption within Microsoft Azure’s secure infrastructure.
- Data in Transit: All communications between clients, services, and APIs are encrypted using TLS 1.2/1.3, ensuring secure data transmission.
This encryption policy is consistently applied across all subcontractors who develop, maintain, or interact with our systems. We enforce strict security agreements, role-based access control (RBAC), and data handling policies to ensure subcontractors adhere to the same security standards as Built Intelligence.
If you provide internet-facing websites or portals for the system/service, how are certificates managed?
We use SSL certificates provided and managed by Microsoft as part of the Azure cloud infrastructure and services.
If you use internet-facing SSL certificates, what is the rating using the online Qualys SSL Server Test?
It is currently grade A, as TLS 1.3 support is not yet fully available across all Azure resources.
Has your business disabled legacy ciphers TLS 1.0 and TLS 1.1 as per industry recommendations?
Yes, we only use modern ciphers.
What backups and archives are taken as standard, including any data mirroring?
Built Intelligence follows Azure best practices for backups, archiving, and data resilience, aligning with ISO 27001. Azure SQL Database and Storage use geo-redundant backups (GRS) with point-in-time recovery (PITR) for data restoration. Zone-redundant storage (ZRS) and automatic failover ensure high availability, while Azure Blob Storage cold and archive tiers support long-term data retention. All backups are AES-256 encrypted at rest and protected in transit using TLS 1.2/1.3, with strict role-based access controls (RBAC). Azure Site Recovery (ASR) provides disaster recovery capabilities, ensuring minimal downtime (RPO and RTO of 8 hours). These policies apply consistently across internal operations and subcontractors to maintain data integrity and security.
If any client data is stored outside the datacentres, what protection (physical or technical including encryption) is applied?
Built Intelligence primarily stores client data within Microsoft Azure data centres and associated services that support the FastDraft platform. However, in some cases—such as for support, customer service, or business operations—client data may also be stored on encrypted staff laptops or within secure third-party services such as Dropbox, OneDrive, and Zendesk. All such data is encrypted at rest using AES-256 and in transit using TLS 1.2/1.3. Access is strictly controlled through role-based access controls (RBAC) and multi-factor authentication (MFA), and these security practices are consistently applied across both internal teams and subcontractors to ensure compliance with ISO 27001 and GDPR.
Are backups tested in line with a backup policy?
Yes, Built Intelligence follows a formal backup policy aligned with ISO 27001 to ensure data integrity and availability. Backups are tested through automated and manual recovery drills to validate data integrity, retention policies, and disaster recovery capabilities. Testing includes restoration of Azure SQL Database backups, file storage recovery, and application services to ensure that data can be recovered effectively in the event of an incident.
Are backups segregated by their own physical storage media per client?
Backups aren’t kept on separate disks or tapes for each customer. Instead, they reside in Microsoft Azure’s managed storage platform, where isolation is provided logically rather than by dedicated physical media.
In the event that connectivity is lost to the service for a lengthy period or the service is otherwise unavailable, what options are available to obtain a copy of the data within an acceptable time scale?
Built Intelligence ensures data availability and recovery options in the event of extended service disruptions, aligning with ISO 27001. Clients can request a copy of their data in a structured format (e.g., CSV, Excel, JSON) through a formal data request process. Data is securely retrieved from the application and its services (Azure SQL Database backups and Azure Storage), ensuring delivery within an agreed-upon timeframe. Additionally, Azure’s geo-redundant storage (GRS) and disaster recovery mechanisms provide resilience, minimising downtime and ensuring data integrity.
Have Recovery Time Objective (RTO) and Recovery Point Objective (RPO) been defined for the service?
Yes, Built Intelligence has defined a Recovery Time Objective (RTO) of 8 hours and a Recovery Point Objective (RPO) of 8 hours for the FastDraft platform, ensuring business continuity and data resilience.
These objectives align with ISO 27001 and are supported by Azure’s geo-redundant storage (GRS), automated backups, and disaster recovery capabilities, ensuring data integrity and service restoration within the defined timeframes.
What relevant certifications has Built Intelligence achieved (ISO, Cyber Essentials, SOX, etc.)?
Built Intelligence holds the following certifications:
- ISO 27001:2013 – Information Security Management System (ISMS)
- ISO 27001:2022 – Recertification
- ISO 9001 – Quality Management System
- Cyber Essentials
- Cyber Essentials Plus – UK Government-approved cybersecurity standards
- ISO 14001 – Environmental Management System
We follow the NCSC’s Ten Steps to Cyber Security guidance and implement mature, layered defence-in-depth controls, leveraging Microsoft Azure’s built-in security compliance frameworks (including ISO 27001, SOC 1/2/3, and CIS benchmarks) to enhance data protection and resilience.
Please identify ANY subcontractors/supply chain partners that provide services to the system (e.g. support/development, help desk).
Built Intelligence engages subcontractors and supply chain partners for specific services related to the FastDraft platform, ensuring they adhere to ISO 27001 security controls and Cyber Essentials Plus standards.
- Development and Support – We engage subcontracted developers, business analysts, and product owners to assist with ongoing development and maintenance of the platform.
- Customer Support – We use Zendesk (hosted in the USA) for help desk and ticketing services.
- Transactional Email Services – We use Mailgun (hosted in the EU) to handle automated system notifications and transactional emails.
- Cloud Infrastructure – FastDraft is hosted entirely within Microsoft Azure, leveraging Azure’s PaaS services for compute, storage, databases, and security compliance frameworks.
All subcontractors and supply chain partners operate under strict security agreements, access controls, and compliance policies, ensuring data protection, privacy and system integrity.
Please identify ANY subcontractors/supply chain partners that provide data hosting services to the system.
Built Intelligence relies on Microsoft Azure as the sole data hosting provider for the FastDraft platform.
Are there other third-party vendors who have access to the physical system environment? If so, for what purposes?
No, the only party with access to the physical data centres is Microsoft.
Please select all relevant certifications your subcontractors/supply chain partners have achieved (ISO, Cyber Essentials, SOX, etc.).
- CSTAR
- Cyber Essentials
- Cyber Essentials Plus
- ISO/IEC 27001:2013
- SOC 1
- SOC 2
Do you have a technical obsolescence strategy?
Our organisation provides a structured technical obsolescence strategy through our ISO 27001 certified Information Security Management System (ISMS) and ISO 9001 certified Quality Management System (QMS), ensuring continuous monitoring, risk assessment, and lifecycle planning for all critical technologies. This approach enables us to proactively manage system upgrades, mitigate risks from outdated components, and maintain security and service quality standards.
Is development outsourced?
Built Intelligence does engage a small number of long-term subcontractors to support software development. These subcontractors work under strict contractual agreements and operate as integrated members of our development team. They can only access Built Intelligence systems and resources—including source code, environments, and customer data—via company-managed devices and assets, such as Cloud 365 accounts with enforced security policies. All subcontractors are subject to the same access controls, security training, and monitoring as internal staff, ensuring consistent adherence to our ISO 27001 and GDPR compliance requirements.
If applicable, how do you supervise and monitor the activity and ensure the security of out-sourced system development?
Built Intelligence supervises and monitors outsourced system development through a combination of strict access controls, audit logging, and standardized processes. Subcontractors are only allowed to access company systems via Built Intelligence-managed Cloud 365 accounts and secured devices with enforced security policies such as MFA, disk encryption, and endpoint protection. All development activity—including code changes and system access—is logged and monitored using tools like Git and Azure DevOps. Subcontractor contributions follow the same peer review and CI/CD workflows as internal staff, and all subcontractors complete mandatory security and data protection training. These measures ensure outsourced development is fully aligned with our ISO 27001 and GDPR compliance standards.
Please advise how secure practice standards are adhered to for the following: design, development, testing, change control.
We embed secure practice standards across the entire software lifecycle. During design, threat modelling and risk assessments are carried out to identify potential vulnerabilities early. In development, our team follows secure coding standards and is trained on common risks such as those outlined in the OWASP Top 10. All code changes undergo peer review and are scanned for vulnerabilities using automated tools. Testing includes both functional and security-focused checks, with vulnerability scanning performed in staging environments using Microsoft Defender for Cloud. Changes are managed through a formal change control process, requiring testing, approval, and documentation before deployment to ensure the integrity and security of the platform.
Do you follow any industry best practice for secure development (e.g. OWASP)?
Yes
Is security testing performed before the system goes live?
Yes
How regularly is security testing performed (e.g. pen testing and vulnerability scanning)?
We perform automated vulnerability scanning continuously through our CI/CD pipelines and in staging environments prior to release. External penetration testing is conducted annually by a CREST approved provider, and additional testing is performed after major changes or new feature releases.
How is test data generated, if required?
Test data is generated using synthetic or anonymised data, ensuring that no live or personally identifiable information is used in non-production environments. This approach supports privacy and compliance with GDPR and ISO 27001 requirements.
Will high level results of security tests be made available to a limited audience within the customer?
Yes. High-level summaries of penetration test results and relevant security assessments can be shared with a limited audience within the customer’s organisation upon request, subject to appropriate confidentiality agreements. This supports transparency while protecting sensitive details.
What opportunity is there for client directed security testing?
We are open to client directed security testing, including penetration testing or vulnerability assessments, provided it is pre-agreed in writing and conducted within a defined scope, timeframe, and under strict change control. Coordination ensures that testing does not disrupt service availability or breach EULA requirements.
Are all internet-facing components protected behind web application firewalls?
Yes, all internet-facing components of the FastDraft platform are protected behind Web Application Firewalls (WAFs), ensuring defence against malicious traffic, DDoS attacks, and common web threats in alignment with ISO 27001 security controls. We utilise Azure Web Application Firewall (WAF) with Azure Front Door and Application Gateway, which provides real-time threat detection, bot protection and OWASP Top 10 mitigations. Additional security measures include Azure DDoS Protection, network isolation and strict access controls, ensuring a secure and resilient perimeter for the platform.
What architectures are used to secure the components of the system/service, e.g. multi-tier architectures, data segmentation, network segmentation, etc.
Built Intelligence employs a multi-tier, defence-in-depth architecture to secure the FastDraft platform, aligning with ISO 27001 security controls and Azure best practices.
- Multi-Tier Architecture: FastDraft follows a separation of concerns model, where the presentation layer (React UI), application layer (APIs and services), and data layer (Azure SQL Database, Azure Storage) are isolated to minimise attack surfaces.
- Network Segmentation: We use Azure Virtual Networks (VNets), Network Security Groups (NSGs), and private endpoints to restrict access between internal and external services, ensuring least privilege access.
- Data Segmentation and Encryption: Customer data is logically segmented within Azure SQL Databases and encrypted at rest (AES-256) and in transit (TLS 1.2/1.3). Access is strictly controlled through Role-Based Access Control (RBAC) and Privileged Identity Management (PIM).
- Web Application Firewall (WAF) and DDoS Protection: All internet-facing components are secured with Azure WAF, Azure Front Door, and DDoS Protection, mitigating common web-based threats.
These security controls ensure strong isolation, resilience, and compliance with industry best practices and regulatory standards such as GDPR, Cyber Essentials Plus, and ISO 27001.
Please specify the underlying technologies the system runs on (i.e. operating system, database technology).
The FastDraft platform is built using Microsoft Azure’s Platform-as-a-Service (PaaS) and runs on the following underlying technologies:
- Operating System: Windows-based Azure App Services (fully managed by Microsoft)
- Application Backend: .NET Framework and .NET Core APIs
- Frontend: ReactJS for the web UI
- Database Technology: Azure SQL Database (PaaS), fully managed by Microsoft
- Storage: Azure Blob Storage for document and file storage
- Authentication and Identity Management: Azure AD, Auth0 and SuperTokens (SSO and authentication services)
- Security and Networking: Azure Front Door, Azure Web Application Firewall (WAF), and DDoS Protection
All components are hosted within Microsoft Azure data centres, ensuring compliance with ISO 27001, GDPR, and Cyber Essentials Plus standards.
Is client data kept separate or commingled at rest, e.g. by physical or logical means?
Client data in the FastDraft platform is separated based on the deployment model.
Enterprise Customers: Data is physically separated using dedicated databases, storage accounts/containers, and app services, ensuring complete isolation per customer.
Shared Instance: Data is logically separated within a multi-tenant architecture, using tenant-specific identifiers, Role-Based Access Control (RBAC), and row-level security in Azure SQL Database and Azure Storage. Regardless of deployment, all data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3), aligning with ISO 27001, GDPR, and Cyber Essentials Plus security standards.
How are changes assessed for security risks prior to approval?
Built Intelligence assesses security risks for all changes as part of our ISO 27001 compliant change management process. Changes undergo threat modelling, static and dynamic security analysis (SAST/DAST), and peer code reviews to identify vulnerabilities before approval. Automated security testing scans for risks in dependencies, configurations, and application code. All changes are tested in a staging environment before deployment, with high-risk updates requiring formal approval and rollback plans as part of our change management controls. This ensures security risks are identified, assessed, and mitigated before production, maintaining compliance with ISO 27001 and Cyber Essentials Plus.
When implementing application structural changes, what controls are there in place to ensure that our data maintains its integrity and is secure during the migration phase?
Built Intelligence follows ISO 27001 compliant data migration controls to ensure data integrity and security during application structural changes. All migrations are tested in a staging environment before production deployment, using transactional integrity checks, backup validation, and automated rollback mechanisms to prevent data corruption. Data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3) throughout the migration process. Access is strictly controlled using Role-Based Access Control (RBAC) and Privileged Identity Management (PIM). Post-migration, data integrity validation and audit logging confirm successful completion, ensuring compliance with ISO 27001 and Cyber Essentials Plus.
What logging facilities are in place to monitor user access and actions within the system?
Built Intelligence logs user access and actions at the infrastructure, application, and database levels to ensure security and compliance with ISO 27001 and Cyber Essentials Plus. Azure Monitor and Defender track authentication attempts, network activity, and system performance, while application and API logs capture user interactions and authentication events. At the database level, we maintain a full audit trail through dedicated audit tables, alongside SQL audit logs that record access and modifications. Logs are securely stored, monitored for anomalies, and reviewed periodically, enabling proactive threat detection and forensic analysis.
What controls are in place to prevent tampering of the logs within your system?
Built Intelligence ensures log integrity and tamper resistance through immutable storage, strict access controls, and automated monitoring, in compliance with ISO 27001 and Cyber Essentials Plus. Logs are securely stored in Azure Log Analytics, with Role-Based Access Control (RBAC) and Privileged Identity Management (PIM) restricting modifications. At the database level, a full audit trail is maintained through dedicated audit tables, ensuring all changes are tracked. Hashing, cryptographic signing, and anomaly detection further protect logs from unauthorised alterations.
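As an added illustration of the hash-and-sign controls described above (example code written for this page, not Built Intelligence's own implementation), the following Python builds a hash-chained, HMAC-signed audit trail and shows which tampering patterns the verification step catches; the entry layout, field names, demo key and sample events are assumptions.

```python
"""Tamper-evident audit trail: SHA-256 hash chain with an HMAC on every entry.
Added illustration of the hashing / cryptographic-signing log-integrity control
described above; not Built Intelligence's code. Entry layout, field names, the
demo key and the sample events are assumptions made for this example."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In production the signing key lives in a key vault or HSM
# and is not available to the accounts that can write to the log store.
DEMO_KEY = b"demo-audit-signing-key-do-not-reuse"
GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed sample events, modelled on the application/API events listed above.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-05-01T09:02:10Z", "user": "alice", "action": "update", "record": "contract/42"},
    {"ts": "2024-05-01T09:05:33Z", "user": "bob", "action": "role_change", "target": "alice"},
]

def _canonical(obj: Dict) -> bytes:
    """Deterministic serialisation so an unchanged entry always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(entry_hash: str, key: bytes) -> str:
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append_entry(chain: List[Dict], event: Dict, key: bytes = DEMO_KEY) -> Dict:
    """Append an event: bind it to the previous entry's hash, then sign the hash."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    entry = dict(body, entry_hash=entry_hash, hmac=_sign(entry_hash, key))
    chain.append(entry)
    return entry

def head_anchor(chain: List[Dict]) -> Tuple[int, str]:
    """(seq, hash) of the newest entry. Record it out of band, e.g. in a separate
    write-once store, so that silently dropping the newest entries is detectable."""
    return (chain[-1]["seq"], chain[-1]["entry_hash"]) if chain else (-1, GENESIS)

def verify_chain(chain: List[Dict], key: bytes = DEMO_KEY,
                 anchor: Optional[Tuple[int, str]] = None) -> List[str]:
    """Return a list of findings; an empty list means the log is intact."""
    findings: List[str] = []
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("seq", "prev_hash", "event")}
        if entry["seq"] != i:
            findings.append(f"entry {i}: sequence mismatch (seq={entry['seq']})")
        if entry["prev_hash"] != expected_prev:
            findings.append(f"entry {i}: chain break (prev_hash mismatch)")
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            findings.append(f"entry {i}: content altered (hash mismatch)")
        if not hmac.compare_digest(_sign(entry["entry_hash"], key), entry["hmac"]):
            findings.append(f"entry {i}: signature invalid (HMAC mismatch)")
        expected_prev = entry["entry_hash"]
    if anchor is not None and anchor != head_anchor(chain):
        findings.append("tail truncated or rolled back (head does not match anchor)")
    return findings

def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain

def run_scenarios() -> Dict[str, List[str]]:
    """Run the verifier against three tampering patterns a log reviewer cares about."""
    chain = build_sample_chain()
    anchor = head_anchor(chain)
    results = {"intact": verify_chain(chain, anchor=anchor)}

    # 1. Edit a recorded action in place, leaving the stored hashes untouched.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["action"] = "read"
    results["edited_in_place"] = verify_chain(edited, anchor=anchor)

    # 2. Edit an entry and recompute its hash: without the key the HMAC cannot be
    #    re-issued, and the next entry's prev_hash no longer matches.
    rehashed = copy.deepcopy(chain)
    rehashed[0]["event"]["user"] = "mallory"
    body = {k: rehashed[0][k] for k in ("seq", "prev_hash", "event")}
    rehashed[0]["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    results["rehashed_without_key"] = verify_chain(rehashed, anchor=anchor)

    # 3. Drop the newest entry. The chain stays internally consistent, so only
    #    the out-of-band anchor reveals the truncation.
    truncated = chain[:-1]
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, anchor=anchor)
    return results

if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'intact'}")
```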
What aspects of the service/system are logged for security events, and what is the frequency of review of these logs?
Built Intelligence logs security events across infrastructure, application, and database layers, including internet-facing services, internal system access, and administrative actions, ensuring compliance with ISO 27001 and Cyber Essentials Plus.
- Internet-Facing Services: Authentication attempts, API access, firewall activity, and Web Application Firewall (WAF) logs.
- Application and API Logs: User logins, session activity, privilege escalations, and system configuration changes (all requests made via the APIs).
- Database Activity: Full audit trail in audit tables, including administrator actions, data modifications, and query execution.
Logs are monitored in real time via Azure Defender tools, with automated alerts for anomalies. Security log reviews occur periodically as part of our risk management and compliance processes.
What security logs could be shared with the Customer, e.g. in the event of an attempted or actual data breach?
Built Intelligence will share security logs with the customer upon request, ensuring transparency while protecting the integrity of our platform and infrastructure. Logs that do not introduce security risks may include authentication attempts, user access records, API activity, and relevant audit trails. All log requests must be submitted via a support ticket for review and approval. Sensitive infrastructure and system-level logs will be excluded to maintain platform security and compliance with ISO 27001 and Cyber Essentials Plus.
Are system administrator, system operator, privilege accounts and security logs regularly reviewed?
As part of our ISO 27001 ISMS, privileged access accounts (including system administrators and operators) are subject to strict access controls, with regular reviews conducted to verify necessity and usage. Security logs are collected, protected, and reviewed on a defined schedule to detect unauthorised or suspicious activities in accordance with Annex A controls.
Do you have a data retention policy?
As part of our ISO 27001 ISMS, Built Intelligence data is protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
Data is subject to the level of protection appropriate to its classification (i.e. at least the same as that of the asset to which it relates or the information it contains) and is therefore protected, stored, maintained and disposed of in line with this policy.
The required retention periods by record type, with examples, are defined in ISMS REC 8.1.1A Data Asset Register.
What is the data retention regime, and does it include backups, archives and any offline stores held by you? How do you handle commingled data?
Built Intelligence follows a structured data retention policy aligned with ISO 27001 and regulatory requirements, ensuring that production data, backups, and archives are managed securely.
- Production Data: Retained based on contractual agreements and legal requirements, with automated data purging for expired records.
- Backups and Archives: Azure SQL Database and Azure Storage backups follow geo-redundant (GRS) retention policies, with point-in-time recovery (PITR) for up to 35 days and long-term archiving where required.
- Offline Storage: No offline physical storage is used, as all backups reside within Microsoft Azure’s cloud infrastructure.
For shared instances, commingled data is logically separated using tenant-specific access controls, encryption (AES-256), and database row-level security, ensuring strict data isolation. Enterprise customers have dedicated databases, storage containers, and app services for physical separation of their data.
What SLA(s) do you have for notifying security breaches to clients so they can comply with various breach notification laws?
We would notify the customer of any relevant security incidents in a timely manner.
When a large scale vulnerability (such as Spectre/Meltdown) is publicly disclosed, how do you manage the issue to check for vulnerabilities and mitigate them?
Built Intelligence follows a structured vulnerability management process, aligned with ISO 27001 and Cyber Essentials Plus, to assess and mitigate large-scale vulnerabilities when publicly disclosed. Since FastDraft is hosted on Microsoft Azure’s PaaS infrastructure, Microsoft manages all underlying OS, firmware, and hypervisor patching. We continuously monitor Microsoft Security Advisories, industry threat intelligence, and CVE databases for critical vulnerabilities. At the application level, we conduct security scans, dependency checks, and penetration testing to identify potential risks. If a vulnerability affects our application stack, we implement secure coding updates, configuration changes, or third-party library patches, testing them in a staging environment before production deployment. Critical vulnerabilities are addressed via our incident response process, ensuring rapid mitigation with minimal disruption.
Do you conduct cyber-attack simulations to test your incident response plans?
Yes, Built Intelligence conducts theoretical cyber-attack simulations to test our incident response plans, ensuring preparedness against security threats in alignment with ISO 27001 and Cyber Essentials Plus. These simulations include threat scenarios such as phishing, ransomware, and data breaches, assessing detection, containment, response, and recovery processes. Findings from these exercises are reviewed to enhance security controls, escalation procedures, and staff awareness, ensuring continuous improvement in our cyber resilience.
Will personal data of EEA citizens be stored, processed, transferred, accessed (including viewed) or remotely accessed outside of the EEA (European Economic Area), either by your staff or other parties?
Built Intelligence ensures that the personal data of EEA citizens is stored and processed within the EEA, using Microsoft Azure data centres in UK South, UK North, and West Europe for EEA customers. However, some limited data processing activities occur outside the EEA:
- Customer Support: We use Zendesk (hosted in the USA) for support ticketing, which may include limited personal data when users submit requests.
- Remote Administration: System administration is conducted exclusively from the UK and EU, ensuring no unauthorised access from outside these regions.
All data transfers comply with GDPR requirements, utilising Standard Contractual Clauses (SCCs) and encryption to ensure data security and regulatory compliance.
Does your organisation have a robust framework of policies and procedures to comply with its obligations under data protection law?
Yes, ISO 27001 provides a robust framework of policies and procedures that Built Intelligence follows to comply with its obligations under data protection law. Our ISO 27001 certified Information Security Management System (ISMS) includes controls for access management, encryption, data retention, incident response, and audit logging, ensuring alignment with GDPR and Cyber Essentials Plus. While we do not have a separate dedicated data protection policy, our ISO 27001 framework ensures structured governance and compliance with data protection obligations.
Does your organisation have a data breach policy/procedure?
Yes, Built Intelligence follows a data breach response procedure as part of our ISO 27001 ISMS to ensure that security incidents are identified, assessed, contained, and reported effectively. Summary of the data breach procedure:
- Detection and Reporting – All suspected breaches are logged and escalated through incident management processes, with alerts from Azure Security Center and Defender monitoring.
- Assessment and Containment – The impact, affected data, and root cause are evaluated, and immediate containment measures are implemented.
- Notification and Compliance – If personal data is affected, Built Intelligence follows GDPR guidelines, notifying affected parties and regulatory authorities within required timeframes.
- Remediation and Recovery – Security controls are updated, affected systems are restored, and lessons learned are reviewed to strengthen defences.
For evidence of this procedure, we can provide relevant ISO 27001 compliance documentation upon request.
Does your organisation provide data protection and information security training to your employees?
Yes, Built Intelligence provides data protection and information security training to all employees as part of our ISO 27001 compliance. Training is conducted upon hiring and is retaken annually to ensure staff remain up to date with security best practices. We collaborate with a third-party cybersecurity consultant to develop the training, which is delivered through our own Learning Management System (LMS). This ensures consistent knowledge reinforcement and alignment with GDPR, Cyber Essentials Plus, and internal security policies.
Has your organisation reported (or led to a client reporting) any data breaches to a Supervisory Authority (such as the Information Commissioner’s Office) within the last 5 years?
No, Built Intelligence has not reported any data breaches to a Supervisory Authority (such as the Information Commissioner’s Office) within the last five years, nor have we led to a client reporting one. We maintain a proactive security posture through our ISO 27001 certified Information Security Management System (ISMS), which includes robust access controls, encryption, continuous monitoring, and incident response procedures to minimise risks and protect client data.
Does the customer have the ability to audit in the event of a security incident, potential breach or actual breach?
Yes, but this will be restricted to only the information required and beneficial to both parties in resolving a security or data incident, with both parties in agreement, approved by senior leadership teams and agreed by Legal Counsel.
For any hosting location, what physical protection is in place against natural disasters, malicious attacks or accidents?
Built Intelligence hosts the FastDraft platform in Microsoft Azure data centres, which implement enterprise-grade physical security and disaster protection in compliance with ISO 27001, SOC 1/2/3, and other global security standards. Each Azure data centre includes:
- Natural Disaster Protection – Geographically distributed locations, seismic bracing, fire suppression, and flood-resistant designs to mitigate risks.
- Malicious Attack Defence – 24/7 on-site security, biometric access controls, perimeter fencing, CCTV surveillance, and armed response teams.
- Accident Prevention – Redundant power, cooling, and network systems ensure high availability, while geo-redundant storage (GRS) and automated failover provide resilience against hardware failures.
Microsoft Azure maintains continuous monitoring, risk assessments, and compliance certifications to safeguard data from environmental and security threats.
Are there appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?
Yes, our procedures are aligned to legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
Are there any security and data protection related clauses covered within the customer contract and those within your supply chain?
Yes, both include obligations on the parties to follow best practice guidance and deploy adequate controls within the environment to protect confidentiality, integrity and availability.