Data Protection

Answer yes if your organisation is compliant with the PCI DSS security standard. If you have certified against the standard, please provide your certificate.

Answer yes if your organisation runs an information security and data protection training programme for all of your employees and third-party contractors. Please outline the nature and frequency of the training programme in the notes section, including any additional training provided to staff with greater responsibility, more privileged system access or access to confidential data.

Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.

Answer yes if your organisation uses any IT systems that include applications, operating systems or hardware (including servers, network equipment or user devices) for which the vendors do not provide regular security updates. In the notes, please describe how you discover and manage these systems, including any compensatory controls you have in place to protect them and any plans for decommissioning or replacement.

Answer yes if your organisation encrypts the backups using appropriate cryptographic standards to prevent unauthorised access to the data. Please state the encryption algorithm used in the notes section.

Answer yes if your organisation's developers are instructed to build applications and systems using defined security best practice (for example, as defined by OWASP, The Open Web Application Security Project). Please state in the notes the best practise guidance followed and if your developers receive any additional security training.

Answer yes if your organisation ensures that all of its applications and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text. In the notes section, where relevant, please state the name of the authentication provider used.

Answer yes if your organisation forces all remote connections to its network infrastructure or cloud environment to be secured with a suitable solution such as a VPN or SSH connection. Please describe the nature of these controls in the notes section, both technical and procedural.

Answer by stating how many months the logs are kept for.

Please state how many months the logs are kept for.

Answer yes if all of your organisation's physical premises are staffed 24/7 by an onsite security team, reception team, or both. If security is present for some hours (not 24/7), please answer no and state in the notes section the times during which the premises are manned.

Answer yes if your organisation has conducted and documented a regulatory compliance and security risk assessment for each AI or AI-supported service you provide. Examples of what should be considered in each risk assessment include: how the LLM service operates and is secured compared with the requirements of EU AI Act or the OWASP Top 10 for LLM, an evaluation of output accuracy or bias countermeasures, abuse prevention measures, and risk of Intellectual Property or Copyright infringement claims resulting from public use of AI-generated output. Please provide supporting document(s) (as a PDF file) evidencing the assessment(s), or describe the assessment(s) in the notes section.

Answer yes if you have ensured, as far as you are able, that the users of your service have reviewed and evaluated the AI model output before use. The measures you have put in place should help mitigate the risks arising from inaccuracies or ‘hallucinations’ (plausible created statements) within AI outputs which, if applied without human review, can impact integrity and mislead decision-making. Depending on the service, this could include tagging output as 'AI generated' or providing workflows to enable the review.

Answer yes if your organisation conducts regular (e.g. quarterly, annually) supplier assurance to ensure your suppliers meet the same standards of environmental management, social responsibility, and governance that is expected of your organisation, and that they are compliant with all applicable laws and regulations. Describe the nature and frequency of the assurance activities in the notes. If you use a supplier management system to support with this, please state which system you use.