Technical and Compliance Information

Security, compliance and technical documentation for the Bud platform.

Contents

  1. Operation and Maintenance
  2. Data Location and physical security
  3. Backups, Retention and DR
  4. Architecture
  5. Encryption
  6. Firewall and Detection
  7. OWASP 10
  8. Data Seperation
  9. Supply Chain
  10. Emails
  11. Employees, Training and Access
  12. Password, MFA and SSO
  13. Development Practices and Testing
  14. Information Security Manager
  15. Compliance
1. Operation and Maintenance

Bud is hosted on Microsoft Azure, primarily using Platform as a Service (PaaS). Operated securely in the Microsoft Azure Cloud, fully managed by Bud Systems. As a Software as a Service (SaaS) solution, maintenance and updates are included in your subscription to Bud.

Occasional maintenance and updates are required, these are conducted outside of business hours. For the latest status information visit status.bud.co.uk.

2. Data Centre Locations & Physical Security

Bud doesn't have any in-house data centres, physical networks, and/or servers connected to the Bud platform. Microsoft manages the physical and environmental security of our Azure-based data centres, the Azure physical security is described here.

Bud use Azure data centres which are physically located in UK. Customer data remains within these UK data centres.

3. Backups, Retention and Disaster Recovery

Backups take place at least once every 24 hours, often more frequently. Backups are stored in the Azure data centre locations outlined above. Backups are tested at least annually.

Data is kept for 7 years in most cases, see our privacy policy for more details on retention.

Azure has a highly resilient infrastructure. In the event of a major incident at an Azure data centre, Bud has geographically separate backups and has processes to create a new environment and restore backups in a different Azure region. Disaster Recovery plans are tested at least annually.

4. Architecture

Bud utilises a micro service architecture which is a method of developing software applications as a suite of independently deployable, small, modular services in which each service runs a unique process and communicates through a well-defined, lightweight mechanism to serve a business goal. To this end, services run across Azure App Service or Azure Function Apps within Azure. 

Orchestration is managed using Service Control and asynchronous messages in the Azure Service Bus, with each micro-service listening for and processing messages.

The front-end is a single page application (SPA) created in Angular. Bud’s backend services are authored on the .NET platform using a combination of C# and F#.

Backend data is stored in Azure Cosmos, SQL, Redis and storage accounts.

5. Encryption

All data is encrypted in transit with TLS 1.2 or above, we use a certificate from a mainstream supplier, this is renewed annually.

All data is encrypted at rest and the encryption keys are managed by Microsoft on Bud's behalf as part of their PaaS solutions.

A+ rating maintained on Qualys SSL scans.

6. Firewall and Detection

Bud uses an advanced Web Application Firewall (WAF) which prevents malicious attacks. The rules and logs are regularly reviewed and updated as required. The WAF also provides denial of service protection (DDoS) and rate limiting on key pages.

Azure services are additionally protected with Microsoft Defender for Cloud for vulnerability scanning, config changes, intrusion protection and alerting.

Bud undertakes CREST certified penetration testing at least annually.

7. OWASP 10

Bud uses a Web Application Firewall which protects the Bud platform, this includes specific rules which focus on the OWASP top 10, the firewall rules are regularly updated and monitored.

Code is scanned for vulnerabilities when updated.

Independent Web Application penetration testing takes place at least annually.

8. Data Separation

Each tenant on the Bud application has a unique ID, data is filtered at the data layer based on this ID to ensure only the data relevant to the training provider and specific user are surfaced. Bud provides various pre-defined roles for users so each user can be given the specific required access for their role. 

9. Supply Chain

Supply chain is managed in a way which meets the requirements of ISO27001, suppliers are vetted and have a risk assessment completed. Suppliers are reviewed at least annually.

10. Email

All platform originating emails have DMARC and SPF configured and are encrypted in transit wherever possible.

Emails are processed in the EU and contain limited PII data (name and email address).

11. Employees, Training and Access Control

Access to production data is limited, using just in time access with approvals. Only UK Bud employees can access production data. MFA, a secure VPN connection and a compliant device are all also required.

All employees are vetted before they join the Bud team, security checks are undertaken by an independent body and renewed every 3 years.

Bud employees receive security training on a regular basis, with an ongoing testing and awareness campaign. Additionally, all staff undertake an annual data protection.

12. Authentication: Password, MFA and SSO

Multi-factor authentication (two-factor authentication) is available and can be managed by the training provider, more information is available here.

Minimum password requirements and guidance are available. Password resets can be completed securely by users, more information is available here. Single Sign-on is available as an option for customers.

Auto lockout is enabled for user accounts to protect against brute force attacks and rate limiting is configured on the login page.

User passwords are hashed and salted before they are stored in an encrypted database.

13. Development Practices and Testing

Bud uses Agile and Scrum methodologies for development activities. All development is performed in a test environment (isolated from the live environment) with test data.

Any code changes go through peer review, release gateways and rigorous testing before release. Code is automatically reviewed for best practice, insecure practices and known vulnerabilities during the development cycle using a third-party tool.

Packages are checked weekly against OWASP top 10 for known vulnerabilities.

14. Information Security Manager

To contact Bud's Information Security Manager please email infosec@bud.co.uk

15. Compliance

ISO27001
Bud is certified against ISO27001 requirements and undertake independent annual audits.

Cyber Essentials Plus
Bud undertakes Cyber Essentials Plus on an annual basis to ensure our IT security and policy meets the requirements.

Both certificates are available to download.

STAR Assessment
STAR Registry Listing for Bud | CSA