Upshot's Adherence to the NCSC Cloud Security Principles
This document outlines how Upshot Systems CIC ("Upshot") adheres to the National Cyber Security Centre (NCSC) Cloud Security Principles. It is designed to provide assurance to clients that Upshot's services are secure, resilient, and aligned with expectations for cloud service providers.
Principle 1: Data in Transit Protection
All communication with the Upshot application is encrypted over HTTPS with HTTP Strict Transport Security (HSTS) enabled. DevOps access is via SSH. The SSL configuration is rated A+ by SSL Labs.
Principle 2: Asset Protection and Resilience
2.1 Physical location and legal jurisdiction
Upshot is registered in England and Wales. The application is hosted on dedicated servers managed by Hosting UK (iomart) in Maidenhead, UK. AWS (UK/EU) and Mailchimp (USA, SCC-compliant) are used for backups and email delivery.
2.2 Data centre security
Upshot is a hosted/cloud application. Hosting UK’s data centre is ISO 27001 certified, with 24/7 manned security, biometric access, alarms, VESDA, CCTV, and fire suppression systems.
2.3 Data at rest protection
All data is encrypted at rest using AES-256. Encryption keys are securely stored. AWS manages media storage keys. Backups are encrypted both on-server and in transit.
2.4 Data sanitisation
Upon contract end or client request, data is hard deleted from all storage locations. Nightly anonymised backups and audit logs are retained for auditing purposes. The app has built-in archiving and pseudonymisation tools for participant personal details.
2.5 Equipment disposal
End-of-life drives are shredded on-site. Data and access are deleted or revoked at contract end, and used drives are never allowed to leave Hosting UK's physical site.
2.6 Physical resilience and availability
Planned maintenance is scheduled for low-traffic periods. Upshot also has a dedicated status page (https://upshotsystems.statuspage.io/) that users can subscribe to in order to be notified of any downtime or planned maintenance. We have 99.99% uptime over the last 90 days.
Daily backups and multi-tier redundancy ensure resilience. Hosting UK performs additional full-system backups.
Principle 3: Separation Between Consumers
The multi-tenant Upshot application strictly segregates organisational data. User accounts only have access to the single organisation they are associated with. Data sharing between organisations, such as between a 'Facilitating' organisation and a 'Delivery' organisation, must be explicitly enabled by Upshot staff in accordance with the clients' organisational relationships and the applicable terms and conditions of use.
Principle 4: Governance Framework
Torchbox (developer) and Hosting UK (host) are both ISO 27001 certified. Upshot is Cyber Essentials Plus certified. Staff are DBS-checked and trained in cybersecurity.
Principle 5: Operational Security
5.1 Configuration and change management
Torchbox has an Information Security Management System (ISMS) as part of its ISO 27001 accreditation, which includes the NCSC’s secure software development guidelines among other policies and guidelines.
Torchbox uses secure development practices (OWASP, secure coding, CI/CD). All code changes and new features go through testing, UAT, and controlled deployment, using purpose-built platforms for development and testing.
5.2 Vulnerability management
Annual external penetration tests are conducted (last in April 2024, no critical/high risks found). Unit and regression tests support robustness.
5.3 Protective monitoring
Continuous monitoring, automated testing, and limited authorised deployment users maintain integrity.
5.4 Incident management
A full incident response and business continuity plan is in place and regularly tested. Breaches are reported within 36 hours in line with UK Data Protection Laws.
Principle 6: Personnel Security
All Upshot team members undergo DBS checks and cybersecurity training. Data handling policies are in place and available on request.
Principle 7: Secure Development
Torchbox employs secure coding practices aligned with OWASP Top 10. Development is carried out in separate testing and staging environments before production deployment.
Principle 8: Supply Chain Security
Suppliers include Hosting UK, Torchbox, AWS, and Mailchimp—all with ISO certifications or equivalent security frameworks. Data processing roles are documented in the Terms and Conditions.
Principle 9: Secure Consumer Management
9.1 Authentication of consumers
Users have unique credentials. Passwords must meet strict criteria. Two-factor authentication is available. Role-based access is controlled by each organisation’s System Admins.
9.2 Separation and access control
Data segregation is enforced by design. Roles include System Admin, Project Manager, and Session Registrar with distinct permissions.
Principle 10: Identity and Authentication
Strong passwords, unique accounts, and optional 2FA ensure secure user authentication. Credentials are managed internally by client organisations.
Principle 11: External Interface Protection
All external interfaces use HTTPS with HSTS. SSH is used for server management. APIs are documented and securely restricted.
Principle 12: Secure Service Administration
Administration is carried out by certified entities: Upshot (Cyber Essentials Plus), Torchbox, and Hosting UK (ISO 27001). Access and activities are logged and restricted.
Principle 13: Audit Information Provision to Consumers
Audit logs and anonymised backups support traceability. User creation and modification of selected entities within the application is logged, identifying the user and the time the action last took place. Audit trails of selected entities are kept within the application.
Principle 14: Secure Use of the Service by the Consumer
Clients receive onboarding, training, and ongoing support. System use, configuration, and security practices are documented and explained to all administrators.
Supporting Information
- SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=app.upshot.org.uk
- Hosting UK Datacentre: https://hostinguk.net/datacentres
- Torchbox SoA: https://demo.upshot.org.uk/m/e4f217b5/feea5de1ec/
- Pen Test Summary: https://demo.upshot.org.uk/m/e4f217b5/e63f507ade/
- Status Page: https://upshotsystems.statuspage.io/
Contact & Support
For further details, data policies, or security documentation, please contact support@upshot.org.uk