Security · Vulnerability Disclosure

Security is a practice, not a page.

This page summarises how TechProf LTD approaches information security, the standards we operate to, and how to report a vulnerability if you find one.

Last updated: 5 May 2026 · Version 1.0

1. Our security posture

Information security is foundational to how TechProf LTD operates. We apply a defence-in-depth approach across our infrastructure, our development processes, and our people.

2. Standards and certifications

  • ISO/IEC 27001:2022 — information security management system aligned to the standard.
  • SOC 2 Type II — operational practices reviewed against the AICPA Trust Services Criteria.
  • Cyber Essentials Plus — UK National Cyber Security Centre's hands-on technical assessment.
  • UK GDPR — registered data controller with the UK Information Commissioner's Office.
  • PCI DSS v4.0 — for client engagements that handle cardholder data.

3. Technical controls

Across our infrastructure and the engagements we deliver, we maintain:

  • Encryption — TLS 1.2+ in transit, AES-256 at rest. Keys managed via cloud-native KMS with rotation policies.
  • Identity and access — single sign-on, mandatory multi-factor authentication, principle of least privilege, just-in-time elevation, quarterly access reviews.
  • Endpoint security — managed endpoints with full-disk encryption, EDR, automated patching, screen lock policy.
  • Network segmentation — production isolated from staging and corporate networks. Zero-trust principles applied to inter-service communication.
  • Logging and monitoring — centralised logging with retention aligned to client requirements; security event monitoring with on-call escalation.
  • Vulnerability management — automated SCA and SAST in CI/CD; weekly dependency scanning; regular external penetration testing.
  • Backup and recovery — automated, encrypted backups; documented and tested restoration procedures.

4. Software development lifecycle

Security is embedded in delivery, not bolted on:

  • Threat modelling for new services and major changes.
  • Mandatory code review with at least one approver besides the author.
  • Automated static and dynamic analysis on every pull request.
  • Secrets are never committed to source. We use cloud secret managers with short-lived credentials.
  • Production deployments are gated behind change-management and rollback procedures.

5. People

  • Background checks for all employees and contractors handling client data.
  • Security awareness training at onboarding and annually thereafter.
  • Phishing simulation programme.
  • Acceptable Use Policy signed by every team member.

6. Incident response

We have a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. We meet UK GDPR breach notification requirements and will inform affected clients of any incident materially impacting their data within 72 hours of confirmation.

7. Vulnerability disclosure

We welcome reports of security issues from researchers and members of the public.

How to report

Email security@techprofessional.co.uk with:

  • A clear description of the vulnerability.
  • Steps to reproduce.
  • The affected URL, system, or component.
  • Any proof-of-concept, screenshots, or logs (please don't include actual personal data).
  • Your contact details and whether you'd like to be credited.

If your report contains sensitive details, you may encrypt it with our PGP key (available on request).

What you can expect from us

  • Acknowledgement within two business days.
  • An assessment and triage within five business days.
  • Regular updates as we work through remediation.
  • Public credit (if you'd like) when the issue is fixed.

What we ask of you

  • Don't publicly disclose the vulnerability before we've had a reasonable opportunity to fix it.
  • Don't access, modify, or delete data beyond what's needed to demonstrate the issue.
  • Don't perform denial-of-service testing, social engineering, or physical attacks.
  • Act in good faith and within applicable laws.

We don't currently operate a paid bug bounty programme but we recognise contributions in our hall of fame and will provide a written reference where appropriate.

8. Out of scope

The following are typically not considered eligible for disclosure:

  • Reports generated solely from automated scanners without analysis.
  • Missing security headers without a demonstrable impact.
  • Self-XSS, clickjacking on pages without sensitive actions, or missing rate limiting on unauthenticated endpoints, unless chained into a higher-impact issue.
  • Issues in third-party services we don't operate.

9. Contact

For all security matters: security@techprofessional.co.uk.

Questions?

For anything related to this policy, contact us:

Email: security@techprofessional.co.uk

Post: Suite 27, Chessington Business Centre, Cox Lane, Chessington, Surrey, KT9 1SD

© 2026 TechProf LTD — All rights reserved.
Registered in England & Wales · Company No. 7710963 · VAT GB167007810