This article outlines our technical and organisational security measures and should be read in conjunction with our article on Website Development Lifecycle, Data Storage & Security.


1. Entrance Control 

Website data is hosted at Bytemark; please refer to their DPA for the corresponding measures at the hosting company.

Our entrance control is provided by our secure, staffed office; all visitors are accompanied at all times.


2. System Access Control 

Website data is hosted at Bytemark; please refer to their DPA for the corresponding measures at the hosting company.

We control access to our website systems via SSH key-based authentication (no password logins), with the keys held by authorised and trained personnel.

Additional password entry is then required to add/change/remove


3. Data Access Control 

Website data is hosted at Bytemark; please refer to their DPA for the corresponding measures at the hosting company.

We control access to website data via SSH key-based authentication (no password logins), with the keys held by authorised and trained personnel.
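Key-based access in sections 2 and 3 only holds if the SSH daemon actually refuses password and keyboard-interactive logins. The following is an added example, not the REC+ or Bytemark configuration: it parses the global section of a constructed sshd_config and lists every directive whose effective value (including the OpenSSH default when the directive is absent) would still permit a password login or a root login with a password.

```python
"""Audit an sshd_config for the settings that make SSH access key-only.

Added example, not the REC+ or Bytemark configuration. Like sshd, it keeps
the first value given for a directive and treats directive names
case-insensitively. The sample configs are constructed, not from any server.
"""
import re

# Directive -> values that enforce key-based access.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

# Value sshd applies when the directive is absent (OpenSSH 8.x/9.x defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

# Pre-8.7 name of KbdInteractiveAuthentication, still accepted as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {directive: value} for the global section; first value wins.

    Everything after the first Match line applies only to the matched
    user/host/address and is deliberately not folded into the global view;
    those blocks need their own review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return [(directive, effective_value)] for every weakening setting."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, good in REQUIRED.items():
        value = settings.get(directive, DEFAULTS[directive])
        if value not in good:
            findings.append((directive, value))
    return findings


# Constructed sample: password logins are still possible here.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
"""

# Constructed sample: key-only access, every relevant directive set explicitly.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    print("weak:", audit_sshd(WEAK_CONFIG))
    print("hardened:", audit_sshd(HARDENED_CONFIG))
```

The audit deliberately stops at the first Match block: a `Match User` section can re-enable PasswordAuthentication for one account, so those blocks must be read separately rather than assumed to inherit the global settings. Run `sshd -T` on the host to see the effective values after all includes and defaults are applied.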


4. Transmission Control 

We recommend implementing HTTPS on all websites so that data is encrypted in transit over the internet, ideally in 'Strict' mode and with the Secure and SameSite attributes set on cookies.

We implement a robust SSL configuration rated A+ on Qualys SSL Labs.

We recommend capturing Content Security Policy (CSP) violation reports using our HTTPS Reporter tool (read how to set up CSP on your REC+ site here), and crawling your site for mixed content using our HTTPS Checker tool.
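The cookie attributes, mixed-content crawl and CSP violation capture recommended above can each be checked without any network access. The following is an added example, not the REC+ HTTPS Reporter or HTTPS Checker tools: it runs over constructed response headers, a constructed HTML page and a constructed CSP report (all sample data, not captured from any site), flags cookies missing Secure or SameSite (HttpOnly is checked as well, since it belongs in the same review), lists sub-resources that an https page would load over plain http, and reduces a browser's CSP report to the fields worth logging.

```python
"""Checks for the transmission-control recommendations: cookie attributes,
mixed content and CSP violation reports. Added example, not REC+ code; all
input below is constructed sample data.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed response headers, as (name, value) pairs so that the repeated
# Set-Cookie header can be represented.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "basket=42; Path=/"),
]

# Constructed page body, as if served from https://www.example.com/.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="//static.example.com/logo.png">
<img src="http://images.example.com/banner.jpg">
<a href="http://partner.example.com/">partner</a>
</body></html>"""

# Constructed report in the shape a browser POSTs to a CSP report-uri.
SAMPLE_CSP_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "http://evil.example.net/x.js",
}})


def audit_cookies(headers, required=("secure", "httponly", "samesite")):
    """Return {cookie_name: [missing attributes]} for each Set-Cookie header."""
    result = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        result[cookie_name] = sorted(set(required) - present)
    return result


class _ResourceCollector(HTMLParser):
    """Collect URLs of sub-resources a browser fetches while rendering."""
    RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href",
                      "iframe": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.RESOURCE_ATTRS.get(tag)
        for attr, value in attrs:
            if attr == wanted and value:
                self.urls.append(value)


def find_mixed_content(html, page_url):
    """Return sub-resource URLs that would load over plain http.

    Protocol-relative URLs (//host/...) inherit the page's scheme and are
    fine on an https page; <a href> links are navigation, not mixed content.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in (urljoin(page_url, raw) for raw in collector.urls)
            if urlparse(u).scheme == "http"]


def summarise_csp_report(report_json):
    """Reduce a CSP violation report to page, directive and blocked URI."""
    body = json.loads(report_json).get("csp-report", {})
    return {
        "page": body.get("document-uri"),
        "directive": body.get("effective-directive") or body.get("violated-directive"),
        "blocked": body.get("blocked-uri"),
    }


if __name__ == "__main__":
    print(audit_cookies(SAMPLE_HEADERS))
    print(find_mixed_content(SAMPLE_HTML, "https://www.example.com/"))
    print(summarise_csp_report(SAMPLE_CSP_REPORT))
```

On the sample input the `basket` cookie is reported as missing all three attributes, the `app.js` script and `banner.jpg` image are reported as mixed content while the protocol-relative logo and the plain link are not, and the CSP report collapses to the page, the `script-src` directive and the blocked URI. Mixed-content scanning by HTML alone misses resources loaded from CSS or JavaScript, which is why a browser-side CSP `report-uri` is the more complete signal.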

We recommend implementing Cloudflare's Content Delivery Network (CDN) as an additional security layer. Contact us for advice on this; you can read about changing DNS settings here.


5. Data Entry Control 

The Data Controller (i.e. the website owner or administrators) is responsible for mapping all data entry points for both administrators and website users, and who can access that data, and thereby identifying which of those points occur on their website. 

For website users, these will typically be user forms, newsletter signups and checkout processes. Refer to our GDPR section for articles on users' rights to Access, Rectification and Erasure. 

Administrators entering or accessing data on the website are controlled via system login and User Access Control permissions, with auditing available for key activities.

We use rate limiting to block malicious brute-force attacks, and administrators can be whitelisted by IP address.
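The rate limiting and IP whitelisting above combine into a single decision taken before a password is checked. The following is an added example, not the REC+ implementation: a sliding-window limiter that counts failed logins per client IP and per target account, refuses an attempt once either count reaches the limit, and lets addresses in an administrator allowlist through regardless. The limit, window, allowlist network and every attempt below are constructed sample values.

```python
"""Login rate limiter with an administrator IP allowlist.

Added example, not the REC+ implementation. Failed attempts are counted in a
sliding window per client IP and per account; the per-account count catches
an attacker who spreads guesses for one account across many addresses.
All attempts below are constructed sample data.
"""
import ipaddress
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, limit=5, window_seconds=300, allowlist=()):
        self.limit = limit
        self.window = window_seconds
        # ip_network accepts both single addresses and CIDR ranges.
        self.allowlist = [ipaddress.ip_network(a) for a in allowlist]
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def _count(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # expire old failures
            q.popleft()
        return len(q)

    def check(self, ip, username, now):
        """Return True if the attempt may proceed, False if it is throttled."""
        if self.is_allowlisted(ip):
            return True
        return (self._count(("ip", ip), now) < self.limit
                and self._count(("user", username.lower()), now) < self.limit)

    def record_failure(self, ip, username, now):
        self._failures[("ip", ip)].append(now)
        self._failures[("user", username.lower())].append(now)


# Constructed attempts: (seconds, client ip, account, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.77", "admin", False),
    (10, "192.0.2.77", "admin", False),
    (20, "192.0.2.77", "admin", False),
    (30, "192.0.2.77", "admin", False),
    (40, "192.0.2.77", "admin", False),
    (50, "192.0.2.77", "admin", False),      # 6th from same IP: throttled
    (60, "192.0.2.78", "admin", False),      # new IP, same account: throttled
    (70, "198.51.100.5", "admin", True),     # allowlisted admin: passes
    (400, "192.0.2.77", "admin", False),     # window expired: allowed again
]


def replay(attempts, limiter):
    """Run attempts through the limiter; return each allow/deny decision."""
    decisions = []
    for now, ip, user, password_ok in attempts:
        allowed = limiter.check(ip, user, now)
        decisions.append(allowed)
        if allowed and not password_ok:
            limiter.record_failure(ip, user, now)
    return decisions


def run_sample():
    limiter = LoginRateLimiter(limit=5, window_seconds=300,
                               allowlist=["198.51.100.0/24"])
    return replay(SAMPLE_ATTEMPTS, limiter)


if __name__ == "__main__":
    for attempt, allowed in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(attempt, "allowed" if allowed else "throttled")
```

Throttled attempts are not recorded as failures, so a blocked attacker cannot keep extending the lockout window by retrying. The per-account count is what stops a distributed attack, but it also means an attacker can lock a named administrator out of the login form; the IP allowlist is what keeps the real administrators reachable while that is happening.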


6. Data Processing Control 

Refer to our GDPR section for articles on users' rights to Restricted Processing, the Right To Object, Data Portability and Deleting Form Data.

Within our software development lifecycle we follow privacy by design and by default, as required by the GDPR.


7. Availability Control 

Website data is hosted at Bytemark; please refer to their DPA for their measures, and to our article on Website Data Storage & Security for our own measures at the REC+ application level and for admin access by our support staff.

We run tools that monitor site availability, server and application performance, SSL availability, domain availability, SPF records, data storage, bandwidth usage, volumes of email sent and DNS blacklist status.


8. Separation Control

The system architecture separates each customer's personal data and software from those of every other customer.

Our websites sit on our own dedicated servers and do not use "shared servers".

Customers can access their own data as detailed in the article The Right Of Access (User Login To View Their Data).

Data collected for different purposes, such as forms and orders, is stored and accessed separately within the system.