Security Policy

Protecting Access. Ensuring Trust. Maintaining Compliance.

1. Access & Security Responsibility

Access to DataOps IT infrastructure is granted on a Zero Trust basis. All users are expected to operate within a secure, monitored environment and adhere to this policy at all times.

Any unauthorised access or misuse may result in suspension or termination of access, and action may be taken in accordance with applicable UK legislation.

2. Identity & Access Management (IAM)

2.1 Multi-Factor Authentication (MFA)

Users must enable Multi-Factor Authentication (MFA) on all supported accounts to enhance account security.

2.2 Credential Management

Users must:

  • Store credentials (API keys, passwords, SSH keys) securely using approved methods (e.g., Vault or Key Management Systems)
  • Avoid hardcoding sensitive information in code
  • Ensure credentials are not exposed in public or unsecured environments

2.3 Principle of Least Privilege (PoLP)

Access permissions must be limited to the minimum required for operational needs. Privileged access should be controlled, reviewed, and monitored regularly.

3. Data Security & Encryption

3.1 Encryption at Rest

Sensitive data should be protected using industry-standard encryption mechanisms.

3.2 Encryption in Transit

All data in transit must use secure protocols such as TLS 1.2 or higher.

3.3 Special Category Data

Processing of Special Category Data must comply with UK GDPR and the Data Protection Act 2018, and should only be undertaken where appropriate safeguards and agreements (e.g., Data Processing Agreement) are in place.

4. Acceptable Use

Users must not:

  • Attempt unauthorised access to systems or data
  • Conduct security testing without prior written approval
  • Exploit vulnerabilities or bypass system controls
  • Interfere with network or infrastructure operations

Any such activity may result in immediate action, including access restriction.

5. Vulnerability Reporting

If a potential vulnerability is identified:

  • Do not disclose vulnerabilities publicly or to third parties without prior written approval

We encourage responsible disclosure and collaboration to maintain a secure environment.

6. Incident Response & User Obligations

In the event of a suspected security incident (e.g., credential exposure or unauthorised access):

  • Notify DataOps IT as soon as reasonably possible
  • Provide relevant information to support investigation
  • Cooperate with incident response procedures where required

7. Monitoring, Logging & Compliance

To ensure security and compliance:

  • System access and activity may be monitored and logged
  • Logs may include user activity, IP addresses, and system interactions
  • Logs are securely stored and used for operational, security, and compliance purposes

Where required by law, relevant information may be shared with regulatory or law enforcement authorities.

8. Security Responsibilities & Liability

Users are responsible for maintaining appropriate security controls within their environments, including:

  • Secure credential management
  • Proper configuration of access permissions
  • Protection of user devices and endpoints

DataOps IT shall not be liable for security incidents arising from failure to follow recommended security practices.

9. Legal & Regulatory Alignment

This policy is aligned with applicable UK regulations and standards, including:

  • UK GDPR
  • Data Protection Act 2018
  • Computer Misuse Act 1990

10. Policy Acceptance

Use of DataOps IT services constitutes acceptance of this Security User Policy.
Failure to comply may result in restricted access, service suspension, or further action as appropriate.
