TRUST CENTRE

Security and trust at the core of everything

We take the security of your data seriously. This page provides transparency
into our security practices, compliance posture, and data handling policies.

ISO 27001

Information security management aligned with international standards

GDPR Compliant

Full compliance with EU and UK data protection regulations

UK & EU Hosted

Data stored exclusively in UK and EU Microsoft Azure data centres

Our Commitment

At Cliqo, security isn't an afterthought — it's foundational to everything we build. As a Microsoft Partner building on Dynamics 365 Business Central, we inherit Microsoft's enterprise-grade security infrastructure while adding our own layers of protection.

We are committed to maintaining the highest standards of data protection and are continuously improving our security posture to stay ahead of evolving threats.

Security at a Glance

  • AES-256 encryption at rest and TLS 1.2+ in transit
  • OAuth 2.0 authentication via Microsoft Entra ID
  • Role-based access control (RBAC) at every level
  • 99.9% uptime SLA backed by Microsoft Azure
  • Regular penetration testing and vulnerability assessments
  • GDPR compliant with UK and EU data residency

Security Practices

Comprehensive security measures to protect your data at every layer.

Encryption at Rest

All data is encrypted with the AES-256 standard via Microsoft Azure's storage service encryption.

Encryption in Transit

All communications secured with TLS 1.2 or higher, ensuring data integrity during transmission.

Access Control

Role-based access control (RBAC) ensures users only access data and functions relevant to their role.

OAuth 2.0

Authentication handled through Microsoft Entra ID (Azure AD) with support for MFA and conditional access.

Monitoring & Logging

Continuous monitoring with Azure Monitor and Log Analytics for threat detection and audit trails.

Vulnerability Management

Regular vulnerability scans and annual penetration testing by independent security firms.

Data Backup

Automated daily backups with geo-redundant storage and point-in-time restore capabilities.

Incident Response

Documented incident response plan with defined escalation procedures and notification timelines.

Application Security

  • Secure development lifecycle (SDL) practices
  • Code reviews and static analysis on all changes
  • OWASP Top 10 protection measures
  • Input validation and output encoding
  • Regular dependency updates and security patching

Privacy & GDPR Compliance

Your data protection rights are at the heart of our privacy practices.

Data Processing

We process data only as instructed by our customers. Clear data processing agreements (DPAs) are in place for all clients.

  • Lawful basis for all processing activities
  • Data minimisation principles applied
  • Purpose limitation enforced
  • Transparent processing records maintained

Your Rights

We fully support data subject rights under GDPR and UK data protection law.

  • Right of access to your data
  • Right to rectification and erasure
  • Right to data portability
  • Right to object to processing

Data Residency

  • Primary data centre: UK South (London)
  • Failover region: UK West (Cardiff)
  • EU customers: West Europe (Netherlands)
  • No data transfers outside UK/EU without consent

Infrastructure & Availability

Enterprise-grade infrastructure powered by Microsoft Azure.

  • 99.9% uptime SLA
  • 2 Azure regions
  • 24/7 monitoring

Architecture Highlights

  • Multi-tenant architecture with strict data isolation
  • Auto-scaling compute resources based on demand
  • Azure Front Door for global load balancing and DDoS protection
  • Redundant storage with automatic failover
  • Containerised microservices on Azure Kubernetes Service

Business Continuity

Our business continuity plan ensures minimal disruption in the event of an incident.

  • Recovery Point Objective (RPO): < 1 hour
  • Recovery Time Objective (RTO): < 4 hours
  • Backups: daily, geo-redundant storage

Compliance & Certifications

Our commitment to meeting and exceeding regulatory requirements.

ISO 27001 (Active)

Information security management system certification aligned with international standards.

GDPR (Compliant)

Full compliance with EU General Data Protection Regulation and UK Data Protection Act 2018.

Cyber Essentials (Compliant)

UK Government-backed certification for protection against common cyber threats.

SOC 2 Type II (In Progress)

Service organization controls for security, availability, and confidentiality.

Request Documentation

  • Security questionnaire responses available on request
  • Penetration test executive summary available under NDA
  • Data Processing Agreement (DPA) provided during onboarding
  • Contact info@cliqo.co.uk for documentation requests

Sub-processors

Third-party services that process data on our behalf.

Provider             | Purpose                          | Location | Data Processed
---------------------|----------------------------------|----------|---------------------------------------
Microsoft Azure      | Cloud infrastructure & hosting   | UK / EU  | All application data
Microsoft Entra ID   | Authentication & identity        | UK / EU  | User credentials & tokens
SendGrid             | Transactional email delivery     | EU       | Email addresses & notification content
Stripe               | Payment processing               | UK / EU  | Billing information
Application Insights | Performance monitoring           | UK       | Anonymised telemetry data

Change Notifications

We notify customers at least 30 days before adding or changing sub-processors. Subscribe to updates by contacting info@cliqo.co.uk.

Have security questions?

Our security team is available to discuss your specific requirements.