Security posture

Security as an engineering practice

A transparent summary of how Indigo Pascal Ltd designs, builds and operates software for regulated finance, AI and public sector buyers — covering identity, secure SDLC, encryption, hosting, monitoring and incident response.

Cyber Essentials

In progress

UK GDPR

Aligned

NCSC Cloud Principles

Aligned

Security domains

How we protect your data

Identity & access

MFA enforced on all production systems and developer accounts
Least-privilege access; just-in-time elevation where supported
No shared credentials; per-person service accounts
Hardware-backed keys / passkeys preferred

Secure SDLC

Code review on all changes; protected main branches
Automated dependency scanning (Dependabot / Renovate)
SAST and secret scanning in CI
Reproducible builds with pinned dependencies
Signed commits where supported

Encryption

TLS 1.2+ in transit on all public surfaces
AES-256 at rest on hosted databases and object stores
Secrets in managed vaults (never in source control)
Hardware-backed key storage where supported

Data handling

Data minimisation by default; only what's needed for the contract
Sub-processor register maintained per engagement
UK / EU data residency by default; client-specific exceptions agreed in DPA
Documented retention schedule per data class

Hosting & infrastructure

Tier-1 UK / EU cloud providers (Azure, AWS, Cloudflare, Vercel)
Renewable-energy regions preferred where available
Infrastructure-as-code; reviewable, rollback-capable
Network segmentation, WAF and DDoS protection on public endpoints

Monitoring & response

Centralised audit logging on all production systems
Alerting on anomalous auth, error rates and dependency advisories
Documented incident response process — triage, contain, notify, learn
72-hour breach-notification commitment per UK GDPR

Certifications & alignment

Certifications roadmap

Cyber Essentials

In progress

Self-assessment via IASME — submitted; certificate pending.

Cyber Essentials Plus

Planned 2026

Audited assessment scheduled following CE certification.

ISO 27001 alignment

Roadmap

Information Security Management System aligned with ISO 27001 controls; full certification deferred until revenue justifies external audit.

NCSC Cloud Security Principles

Aligned

Architecture and supplier choices align with the 14 NCSC cloud security principles.

Vulnerability disclosure

If you believe you have found a security vulnerability in any Indigo Pascal Ltd system, website or piece of software, please report it responsibly.

Email security@indigopascal.com with a clear description and proof-of-concept.
Allow reasonable time for triage and remediation before public disclosure.
Do not access, modify or destroy data beyond what is necessary to demonstrate the issue.
Acknowledged researchers will be credited (with permission) on this page.

Need a security questionnaire response?

Indigo Pascal can complete buyer security questionnaires (SIG, CAIQ, supplier assurance), provide DPAs and supply Cyber Essentials evidence on request from verified procurement contacts.

Request security pack See verified credentials