Information Security Policy
WeAreWay Ltd
Effective Date: 3 June 2025
1. Introduction
WeAreWay Ltd is committed to ensuring the confidentiality, integrity, and availability of all data and information systems under our control. This Information Security Policy outlines the principles and practices we follow to protect our digital assets, customer information, and internal systems from unauthorised access, disclosure, alteration, or destruction.
This policy applies to all employees, contractors, and third parties who access WeAreWay Ltd systems or data.
2. Objectives
The objectives of this policy are to:
- Prevent unauthorised access to information
- Protect the confidentiality of customer, partner, and internal data
- Ensure the integrity and availability of systems and information
- Mitigate risks associated with cybersecurity threats
- Maintain regulatory compliance (including UK GDPR)
- Support business continuity and incident response
3. Scope
This policy applies to:
- All digital information assets created, stored, or transmitted by WeAreWay Ltd
- Physical devices used for business purposes
- All cloud-based infrastructure, software platforms, and APIs maintained by the company
- All individuals granted access to WeAreWay Ltd’s systems
4. Roles and Responsibilities
Management – Ensure implementation and review of security controls; allocate resources for information security
Privacy & Security Lead – Oversee daily security operations, implement controls, handle incident response
Employees & Contractors – Follow security procedures, report incidents, safeguard credentials
Third Parties – Operate under contractual obligations ensuring data protection and security compliance
5. Key Principles
5.1 Access Control
- Access to systems is restricted based on role and business need
- Strong authentication mechanisms (e.g. MFA) are required
- Privileged accounts are reviewed regularly
5.2 Data Classification and Handling
- Data is classified as Public, Internal, Confidential, or Restricted
- Confidential and Restricted data is encrypted at rest and in transit
- Only authorised personnel may handle personal or sensitive data
5.3 Network and Infrastructure Security
- Firewalls, intrusion detection/prevention systems, and endpoint protection are deployed
- Regular vulnerability scanning and patch management are enforced
- Remote access is secured through VPN and monitored
5.4 Secure Software Development
- All code is developed following secure development practices (e.g. OWASP)
- Code reviews and security testing (e.g. static analysis, pen tests) are conducted regularly
- Third-party components are assessed for vulnerabilities
5.5 Physical and Environmental Security
- Access to workspaces and servers is restricted
- Equipment is locked, tracked, and protected from theft or tampering
- Secure disposal procedures are in place for hardware and media
6. Cryptographic Controls
- Sensitive information is encrypted using industry-standard algorithms (e.g. AES-256, TLS 1.3)
- Cryptographic keys are stored securely and rotated periodically
- Passwords are stored using salted and hashed mechanisms (e.g. bcrypt or SHA-256)
7. Incident Management
- All security incidents must be reported immediately to the Privacy & Security Lead
- Incident response procedures include containment, impact assessment, and notification (where required)
- Post-incident reviews are conducted to improve controls
8. Business Continuity
- Business continuity plans are documented and tested annually
- Backups of critical systems and data are performed regularly and stored securely
- Cloud service providers must support rapid recovery and high availability
9. Compliance
WeAreWay Ltd complies with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Relevant contractual and industry-specific obligations
- ISO/IEC 27001 principles (as a guideline)
10. Awareness and Training
- All staff receive information security training during onboarding and annually thereafter
- Training covers topics such as phishing, password management, data handling, and incident response
11. Monitoring and Audit
- Logs are collected and monitored for suspicious activity
- Internal audits are conducted periodically to verify compliance
- Third-party assessments may be commissioned where appropriate
12. Policy Review
This policy is reviewed annually or upon significant change in systems, regulations, or business structure. Updates are approved by company management.
13. Contact Information
For questions or to report a security incident, contact:
Privacy & Security Lead
WeAreWay Ltd
Email: info@weareway.co.uk