Technical and Compliance Information

Security, compliance and technical documentation for the Bud platform.

1. Operation and Maintenance

Bud is hosted on Microsoft Azure, primarily using Platform as a Service (PaaS) offerings, and is operated securely in the Microsoft Azure Cloud, fully managed by Bud Systems. Bud Mark additionally uses Supabase for cloud hosting, alongside Azure.

Bud products are delivered as a Software as a Service (SaaS) solution; maintenance and updates are included in your subscription.

Occasional maintenance and updates are required; these are carried out outside of business hours. For the latest status information, visit status.bud.co.uk.

2. Data Centre Locations & Physical Security

Bud does not operate any in-house data centres, physical networks or servers connected to the Bud platform. Third parties manage the physical and environmental security of the UK-based data centres we use.

Bud only uses data centres physically located in the UK, and customer data remains within these UK data centres.

Sub-processors may process data outside of the UK; please see Bud's privacy policy for details.

3. Backups, Retention and Disaster Recovery

Backups take place at least once every 24 hours, and often more frequently. They are stored in the Azure data centre locations outlined above and are tested at least annually. The recovery point objective (RPO) is 1 hour and the recovery time objective (RTO) is 24 hours.

Data is kept for 7 years in most cases; see our privacy policy for more details on retention.

Bud keeps geographically separate backups and has processes to create a new environment and restore backups in a different region. Disaster recovery plans are tested at least annually.

4. Architecture

Bud uses a microservice architecture: the application is built as a suite of small, modular, independently deployable services, each running as its own process and communicating through a well-defined, lightweight mechanism to serve a business goal. To this end, services run on Azure App Service or Azure Function Apps within Azure.

Orchestration is managed using Service Control and asynchronous messages on Azure Service Bus, with each microservice listening for and processing messages.

The front-end is a single page application (SPA) created in Angular. Bud’s backend services are authored on the .NET platform using a combination of C# and F#.

Backend data is stored in Azure Cosmos, SQL, Redis and storage accounts.

5. Encryption

All data is encrypted in transit using TLS 1.2 or above. We use a certificate from a mainstream supplier, which is renewed annually.

All data is encrypted at rest; the encryption keys are managed by Microsoft on Bud's behalf as part of its PaaS services.

An A+ rating is maintained on Qualys SSL scans.

6. Firewall and Detection

Bud uses an advanced Web Application Firewall (WAF) which blocks malicious requests. The rules and logs are regularly reviewed and updated as required. The WAF also provides distributed denial of service (DDoS) protection and rate limiting on key pages.

Azure services are additionally protected with Microsoft Defender for Cloud, which provides vulnerability scanning, configuration change monitoring, intrusion protection and alerting. Files uploaded to Bud are scanned for malware using Microsoft Defender for Azure Storage.

Bud undertakes independent, CREST-certified web application and API penetration testing at least annually.

7. OWASP Top 10

Bud uses a Web Application Firewall to protect the Bud platform; its rule set includes specific rules focused on the OWASP Top 10, and the rules are regularly updated and monitored.

Code is scanned for vulnerabilities when updated.

Independent web application penetration testing takes place at least annually.

8. Data Separation

Each tenant on the Bud application has a unique ID. Data is filtered at the data layer on this ID, so that only the data relevant to the training provider, and to the specific user, is surfaced. Bud provides various pre-defined roles so that each user can be granted the specific access required for their role.
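The pattern described above, as an added example and not Bud's own code: a data layer that takes the caller's authenticated tenant ID and applies the tenant filter itself, combined with pre-defined roles that gate what each user may do. The role names, permission strings, record fields, tenant IDs and sample learners are all constructed for this illustration.

```python
"""Tenant-scoped data access with pre-defined roles (added illustration, not Bud's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed role catalogue: each pre-defined role maps to the permissions it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "provider_admin": {"learner:read", "learner:write", "report:read"},
    "trainer": {"learner:read", "learner:write"},
    "viewer": {"learner:read"},
}


class PermissionDenied(Exception):
    """Raised when the caller's role does not grant the requested permission."""


@dataclass(frozen=True)
class UserContext:
    """Who is calling. Established by authentication, never taken from request input."""
    user_id: str
    tenant_id: str
    role: str

    def require(self, permission: str) -> None:
        if permission not in ROLE_PERMISSIONS.get(self.role, set()):
            raise PermissionDenied(f"role {self.role!r} lacks {permission!r}")


@dataclass
class LearnerRepository:
    """Data layer. Every method takes a UserContext and applies the tenant filter
    itself, so a caller can neither forget the filter nor supply a tenant ID."""
    _rows: List[Dict[str, str]] = field(default_factory=list)

    def add(self, ctx: UserContext, learner_id: str, name: str) -> None:
        ctx.require("learner:write")
        # The stored tenant_id always comes from the authenticated context.
        self._rows.append({"tenant_id": ctx.tenant_id, "learner_id": learner_id, "name": name})

    def list_learners(self, ctx: UserContext) -> List[Dict[str, str]]:
        ctx.require("learner:read")
        return [row for row in self._rows if row["tenant_id"] == ctx.tenant_id]

    def get_learner(self, ctx: UserContext, learner_id: str) -> Optional[Dict[str, str]]:
        ctx.require("learner:read")
        # Filtering on tenant_id AND learner_id means a valid ID that belongs to
        # another tenant simply does not exist from this caller's point of view.
        for row in self._rows:
            if row["tenant_id"] == ctx.tenant_id and row["learner_id"] == learner_id:
                return row
        return None


def demo() -> Dict[str, object]:
    """Two providers share one repository; each sees only its own learners."""
    repo = LearnerRepository()
    admin_a = UserContext("u1", "provider-a", "provider_admin")
    admin_b = UserContext("u2", "provider-b", "provider_admin")
    viewer_b = UserContext("u3", "provider-b", "viewer")

    repo.add(admin_a, "L-100", "Ada")      # constructed sample data
    repo.add(admin_b, "L-200", "Grace")

    results: Dict[str, object] = {
        "a_sees": [r["learner_id"] for r in repo.list_learners(admin_a)],
        "b_sees": [r["learner_id"] for r in repo.list_learners(viewer_b)],
        # Tenant A's learner ID looked up by tenant B: not found, rather than forbidden.
        "cross_tenant_lookup": repo.get_learner(viewer_b, "L-100"),
    }
    try:
        repo.add(viewer_b, "L-201", "Linus")
        results["viewer_write"] = "allowed"
    except PermissionDenied:
        results["viewer_write"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the tenant ID never travels as a request parameter, so there is nothing for a caller to tamper with, and a cross-tenant lookup returns "not found" rather than "forbidden", so the response does not confirm that the other tenant's record exists.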

9. Supply Chain

The supply chain is managed in a way which meets the requirements of ISO27001: suppliers are vetted and a risk assessment is completed for each. Suppliers are reviewed on a regular basis.

10. Email

All platform originating emails have DMARC and SPF configured and are encrypted in transit wherever possible.

Emails are processed in the EU and contain only limited personally identifiable information (PII): name and email address.

11. Employees, Training and Access Control

Access to production data is limited and granted through just-in-time access with approvals. Only UK-based Bud employees can access production data, and MFA, a secure VPN connection and a compliant device are also required.

All employees are vetted before they join the Bud team; security checks are undertaken by an independent body and renewed every 3 years.

Bud employees receive security training on a regular basis, with an ongoing testing and awareness campaign. Additionally, all staff undertake an annual data protection refresher.

12. Authentication: Password, MFA and SSO

Multi-factor authentication (two-factor authentication) is available and can be managed by the training provider; more information is available here.

Minimum password requirements and guidance are available. Password resets can be completed securely by users; more information is available here. Single sign-on (SSO) is available as an option for customers.

Automatic account lockout is enabled to protect against brute-force attacks, and rate limiting is configured on the login page.

User passwords are salted and hashed before they are stored in an encrypted database.
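The three controls in this section (salted password hashing, automatic lockout after repeated failures, and rate limiting on the login endpoint) shown working together, as an added example that is not Bud's code. It uses PBKDF2-HMAC-SHA256 from the standard library as a representative key-derivation function (the page does not state which algorithm Bud uses), a constant-time comparison for verification, and an injectable clock so the lockout window can be exercised deterministically. The thresholds, usernames and client identifiers are constructed for the illustration.

```python
"""Salted hashing, account lockout and login rate limiting (added illustration, not Bud's code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt means equal passwords hash differently."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare_digest avoids a timing side channel."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # clock value; 0 means not locked


class LoginService:
    """Constructed login flow: rate limit, then lockout check, then salted-hash verification."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 max_failed: int = 5, lockout_seconds: float = 900.0,
                 rate_limit_max: int = 20, rate_window: float = 60.0) -> None:
        self.clock = clock
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.rate_limit_max = rate_limit_max
        self.rate_window = rate_window
        self.accounts: Dict[str, Account] = {}
        self.attempts_by_client: Dict[str, List[float]] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def _rate_limited(self, client: str) -> bool:
        """Sliding window: more than rate_limit_max attempts per rate_window from one client."""
        now = self.clock()
        recent = [t for t in self.attempts_by_client.get(client, []) if now - t < self.rate_window]
        recent.append(now)
        self.attempts_by_client[client] = recent
        return len(recent) > self.rate_limit_max

    def login(self, username: str, password: str, client: str) -> str:
        """Return 'ok', 'invalid', 'locked' or 'rate_limited'."""
        if self._rate_limited(client):
            return "rate_limited"
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Spend the same hashing cost so response time does not reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "invalid"
        if account.locked_until > now:
            return "locked"
        if verify_password(password, account.salt, account.digest):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= self.max_failed:
            account.locked_until = now + self.lockout_seconds
            account.failed_attempts = 0
        return "invalid"


if __name__ == "__main__":
    svc = LoginService(max_failed=3)
    svc.register("alice", "correct horse battery staple")   # constructed credentials
    print([svc.login("alice", "wrong", "client-1") for _ in range(3)])
    print(svc.login("alice", "correct horse battery staple", "client-1"))
```

The rate limit is checked before any hashing so that a flood of requests cannot drive CPU load through the key-derivation function, and the lockout check comes before verification so that a locked account does not keep paying the hashing cost either. A production service would also return the same generic message for "invalid" and "locked" to the end user and record the distinction only in logs.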

13. Development Practices and Testing

Bud uses Agile and Scrum methodologies for development activities. All development is performed in a test environment (isolated from the live environment) with test data.

All code changes go through peer review, release gateways and rigorous testing before release. Code is automatically reviewed for best practice, insecure patterns and known vulnerabilities during the development cycle using a third-party tool.

Packages are checked weekly against the OWASP Top 10 for known vulnerabilities.

14. Information Security Manager

To contact Bud's Information Security Manager, please email infosec@bud.co.uk.

15. Compliance

ISO27001
Bud is certified against ISO27001 requirements and undertakes independent annual audits.

Cyber Essentials Plus
Bud undertakes Cyber Essentials Plus on an annual basis to ensure that our IT security and policies meet its requirements.

Both certificates are available to download.

STAR Assessment
STAR Registry Listing for Bud | CSA