
Information Security Policy

How we protect our systems, data, and client information.


1. Purpose
Ostratto Ltd (“Ostratto”, “we”, “our”, “us”) is committed to protecting the confidentiality, integrity, and availability of all information assets under our control.

This policy outlines our approach to information security across all business operations, systems, and data-processing activities.


2. Objectives
Our objectives are to:
  • Protect all information - client, employee, and company - from unauthorised access or disclosure
  • Ensure information is accurate, complete, and available when required
  • Maintain compliance with the UK GDPR, Data Protection Act 2018, and other applicable regulations
  • Promote security awareness and accountability across all staff
  • Prevent and respond effectively to information-security incidents


3. Scope
This policy applies to all information handled by Ostratto, including data stored or processed:
  • On company-owned devices, systems, and cloud platforms
  • Within third-party services or client systems managed by Ostratto
  • By employees, contractors, consultants, and partners working on behalf of Ostratto

It covers both digital and physical information assets.


4. Roles and Responsibilities
4.1 Managing Director. Overall responsibility for ensuring effective implementation and review of this policy.

4.2 All Employees and Contractors. Responsible for following this policy and reporting security concerns or incidents promptly.

4.3 Technical Consultants and Administrators. Ensure systems are securely configured, patched, and monitored in line with industry standards.


5. Information Classification
All information must be handled according to its sensitivity:

a) Unclassified - Information that can be made public without any implications for the company, such as information that is already in the public domain

b) Employee confidential - Information such as medical records, pay, and so on

c) Company confidential - Information such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts, etc.

d) Client confidential - Personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market-sensitive information, etc.


6. Data Protection
Personal data is processed lawfully, fairly, and securely in accordance with our Privacy Policy.

Access to personal data is granted only to authorised personnel who require it for legitimate business purposes.


7. Access Control
  • Access to systems is granted on a "least-privilege" basis
  • All accounts must use strong, unique passwords and multi-factor authentication where available
  • Shared credentials are prohibited
  • Access rights are reviewed regularly and revoked when no longer required


8. System and Network Security
  • Systems are configured and maintained according to vendor and security best practices
  • Software updates and patches are applied promptly
  • Firewalls and endpoint protection are used on all networks and devices
  • Cloud services must meet recognised security and compliance standards (e.g. ISO 27001, SOC 2)


9. Physical Security
  • Office premises and IT equipment are protected by appropriate physical safeguards, including access control and secure storage
  • Portable devices must be encrypted and never left unattended in unsecured areas


10. Incident Management
  • All suspected or actual information-security incidents must be reported immediately to the Managing Director or IT Security Lead
  • Incidents will be logged, investigated, and resolved following our incident-response procedure
  • Where required, affected clients and the Information Commissioner’s Office (ICO) will be notified in accordance with legal requirements


11. Training and Awareness
All employees and contractors receive information-security awareness training at induction and periodic refreshers thereafter.

Specialist training is provided for staff handling sensitive or client data.


12. Third-Party and Supplier Security
We assess and monitor suppliers handling data or providing IT services to ensure they maintain appropriate security controls.

All third-party contracts include confidentiality and data-protection clauses consistent with this policy.


13. Data Backup and Recovery
  • Data is backed up regularly and stored securely in encrypted form
  • Backups are tested periodically to verify recoverability
  • In the event of data loss or corruption, recovery will be prioritised based on business impact


14. Continuous Improvement
We continually review our security controls to address emerging risks, technological change, and business growth.

Lessons learned from incidents and audits are incorporated into updated security procedures.


15. Review
This policy will be reviewed annually, or sooner if required by regulatory or technological changes, to ensure continued effectiveness and compliance.