Information Security Policy

1. Purpose

This policy defines how Orbital Design Limited protects the confidentiality, integrity, and availability of information assets. It applies to all employees, contractors, and third parties who access company systems or data.

2. Scope

This policy covers all corporate devices, systems, networks, applications, and data handled by Orbital Design Limited, including customer websites hosted on third-party infrastructure providers.

3. Principles

  • Confidentiality – Information is protected against unauthorised access.

  • Integrity – Information is accurate, complete, and safeguarded from improper modification.

  • Availability – Information and systems are available to authorised users as required.

4. Responsibilities

  • The Directors/Management Team are responsible for overall information security governance.

  • Employees and contractors must comply with this policy and report security concerns immediately.

  • Third-party providers (e.g., WP Engine, Layershift, GitHub) must maintain appropriate security controls under contractual agreements.

5. Access Control

  • Access to systems and data is granted on a least privilege basis.

  • Strong passwords and/or multi-factor authentication are required where available.

  • Accounts are reviewed and revoked promptly when no longer needed.

6. Device & System Security

  • Corporate devices must be kept up to date with security patches.

  • Approved antivirus/endpoint security must be installed where applicable.

  • Devices must be encrypted and protected by password or biometric lock.

7. Application Security

  • Websites are developed in WordPress, following secure coding and configuration best practices.

  • Only trusted plugins and themes are used; updates are applied promptly.

  • Hosting providers’ built-in security measures (e.g., firewalls, patching) are leveraged.

  • Periodic vulnerability scans and maintenance activities are performed.

8. Data Protection & Privacy

  • Personal data is handled in compliance with GDPR.

  • Data is collected only where necessary and retained only as long as required.

  • Data transfers are encrypted (e.g., TLS/HTTPS).

9. Backup & Recovery

  • Hosting providers’ backup solutions are used to protect client websites and data.

  • Recovery procedures are tested periodically to ensure continuity of service.

10. Incident Response

  • Security incidents must be reported immediately to management.

  • Incidents are logged, investigated, and remediated promptly.

  • Clients will be notified without undue delay if their data is impacted.

11. Monitoring & Review

  • Security policies and practices are reviewed at least annually, or when significant changes occur.

  • Compliance with this policy is monitored through internal checks and third-party services as required.

12. Enforcement

Non-compliance with this policy may result in disciplinary action, termination of contracts, or legal action.