Technical and Compliance Information

Bud is hosted on Microsoft Azure, primarily using Platform as a Service (PaaS) and fully managed in-house by Bud Systems. Bud Mark additionally uses Supabase for cloud hosting, alongside Azure.

Bud products are a Software as a Service (SaaS) solution, maintenance and updates are included in your subscription. 

When maintenance and updates are required, they are conducted outside of business hours. For the latest status information visit status.bud.co.uk. For the latest release notes see support.bud.co.uk.

Bud doesn't have any in-house data centres, physical networks, and/or servers connected to the Bud platform. Third parties manage the physical and environmental security of the UK based data centres we utilise. 

Bud only uses data centres which are physically located in UK. Customer data remains within these UK data centres.

Sub-processors may process data outside of the UK, please see Bud's privacy policy.

Bud utilises a micro service architecture which is a method of developing software applications as a suite of independently deployable, small, modular services in which each service runs a unique process and communicates through a well-defined, lightweight mechanism to serve a business goal. To this end, services run across Azure App Service, Function Apps or containers within Azure. 

Orchestration is managed using Service Control and asynchronous messages in the Azure Service Bus, with each micro-service listening for and processing messages.

The front-end is a single page application (SPA) created in Angular. Bud’s backend services are authored on the .NET platform using a combination of C# and F#.

Backend data is stored in Azure Cosmos, SQL, Redis and blob storage accounts.

Platform performance is continually monitored and threshold alerting is in place.

Bud's platforms are designed to be full scalable, in many cases auto-scaling rules are enabled to ensure the platform scales based on real time load.

All critical components are highly-resilient with resources provisioned across multiple Azure zones and automatic failover enabled.

Backups take place at least once every 24 hours, often more frequently.  Backups are tested at least annually.

• Bud: RPO is 1 hour, RTO is 24 hours.
• Bud Mark: RPO is 24 hours, RTO is 24 hours.

Data is kept for 7 years in most cases, see our privacy policy for more details on retention.

Bud has geographically separate backups and has processes to create a new environment and restore backups in a different region. Disaster Recovery plans are tested at least annually.

All critical components are highly-resilient with resources provisioned across multiple Azure zones and automatic failover enabled.

Where Bud is the identify provider, user passwords are hashed with the addition of a unique cryptographically strong random sequence of 16  characters (salt) before they are stored in an encrypted database. (PBKDF2-HMAC-SHA-256 with 100,000 iterations). 

Minimum password requirements and guidance are available. Password resets can be completed securely by users, more information is available here. Multi-factor authentication (two-factor authentication) is available and can be managed by the training provider, more information is available here.

Auto account lockout is enabled for user accounts to protect against brute force attacks and rate limiting is enforced on the login requests and password reset requests.

Alternatively, it is possible to use your own identity provider, Bud supports the following SSO industry standard protocols: OpenID Connect/OAuth2.0 & SAML 2P. More information is available on our knowledge base.

All data is encrypted in transit with TLS 1.2 or above, we use a certificate from a mainstream supplier, this is renewed annually.

All data is encrypted at rest using 256-bit AES encryption, the encryption keys are managed by Microsoft on Bud's behalf as part of their PaaS solutions.

A+ rating maintained on Qualys SSL scans.

Bud uses an advanced Web Application Firewall (WAF) which prevents malicious attacks. The rules and logs are regularly reviewed and updated, a managed OWASP rule set is enabled. The WAF also provides denial of service protection (DDoS) and rate limiting on key pages.

Azure services are additionally protected with Microsoft Defender for Cloud for vulnerability scanning, config changes, intrusion protection and alerting.

Files uploaded to Bud are scanned for malware using Microsoft Defender for Azure Storage.

Bud undertakes independent CREST certified web application and API penetration testing at least annually. 

A threat intelligence programme is in place to monitor for emerging threats and new risks. We work with the NCSC to proactively protect services and have signed up to their early warning scheme.

Bud uses a Web Application Firewall (WAF) which protects the Bud platform, this includes specific rules which focus on the OWASP top 10, the firewall rules are regularly updated and monitored.

Code and dependant packages are scanned for vulnerabilities when updated.

Independent Web Application and API penetration testing takes place at least annually.

Each tenant on the Bud application has a unique ID, data is filtered at the data layer based on this ID to ensure only the data relevant to the training provider and specific user are surfaced. Bud provides various pre-defined roles for users so each user can be given the specific required access for their role.

Supply chain is managed in a way which meets the requirements of ISO27001, suppliers are vetted and risk assessed. Suppliers are reviewed on a regular basis.

The processes are audited at least annually.

All platform originating emails have DMARC and SPF configured and are encrypted in transit wherever possible.

Emails are processed in the EU and contain limited PII data (name and email address).

Emails are sent from notifications@bud.co.uk.

Access to production data is limited, using just in time access with approvals. Only UK Bud employees can access production data. MFA, a secure VPN connection and a compliant device are all also necessary to access sensitive data/resources.

All employees are vetted before they join the Bud team, security checks are undertaken by an independent body and renewed every 3 years.

Bud employees receive security training on a regular basis, with an ongoing testing and awareness campaign. Additionally, all staff undertake an annual data protection refresher.

Bud uses Agile and Scrum methodologies for development activities. All development is performed in a test environment (isolated from the live environment) with test data.

Any code changes go through peer review, release gateways and rigorous testing before release. Code is automatically reviewed for best practice, insecure practices and known vulnerabilities during the development cycle using a third-party tool.

Dependencies (packages) are checked weekly against OWASP10 for known vulnerabilities.

To contact Bud's Information Security Manager and/or DPO please email infosec@bud.co.uk

ISO27001
Bud is certified against ISO27001:2022 requirements and undertakes independent annual audits.

Cyber Essentials Plus
Bud undertakes Cyber Essentials Plus audits on an annual basis to ensure our IT security controls and policies meet the requirements.

DPO
Bud has appointed a named DPO to oversee data protection requirements and associated risks.

STAR Assessment
Completed annually and available below.
STAR Registry Listing for Bud | CSA

Certificates are available to download.