Last updated: · Version 1.0

Cybersecurity & IT Policy

This policy defines the cybersecurity and information technology controls, standards and procedures for XEROTECH LTD (“we”, “us”, “our”). It establishes the framework for protecting company and client data, systems and services from cyber threats.

This policy applies to all personnel, contractors and third parties who access XEROTECH LTD systems, data or services. It covers all devices, networks, cloud services and data processing activities carried out on behalf of the company.

This policy is aligned with the UK National Cyber Security Centre (NCSC) Cyber Essentials scheme, UK GDPR, Data Protection Act 2018, and ISO/IEC 27001 principles.

XEROTECH LTD

71-75 Shelton Street, Covent Garden

London, WC2H 9JQ, United Kingdom

Company Registration No: 14474495

ICO Registration No: ZC065188

Contact: security@xerotech.io

1. Governance and Responsibilities

The CEO/Director holds overall accountability for cybersecurity within XEROTECH LTD. This includes approving this policy, authorising user accounts, approving changes to systems and ensuring compliance with applicable laws and standards.

All staff and contractors with access to company systems must comply with this policy. Non-compliance may result in disciplinary action, removal of access or termination of contract.

This policy is reviewed at least annually or following a significant security incident, a material change to systems or services, or a change in applicable legislation or regulation.

2. Asset Management

XEROTECH LTD maintains a hardware asset register that records all devices used for business purposes, including the device type, make, operating system, version, location and assigned user. The register is reviewed at least annually and updated whenever devices are added, replaced or decommissioned.

A software inventory is maintained listing all applications, operating systems and firmware in use across the organisation. Only licensed and supported software is permitted on company devices.

All cloud services used by the organisation are recorded in a cloud services register. For each service, the register records the service name, provider, purpose, data stored and the shared responsibility model. Cloud services cannot be excluded from the scope of our security controls.

Devices are securely configured before deployment, maintained throughout their operational life, and securely wiped or destroyed at end of life using recognised data sanitisation methods.

3. Firewalls and Internet Gateways

Cyber Essentials Technical Control 1: Firewalls

All internet connections used for business purposes are protected by a boundary firewall device. The business network is physically separated from any personal or domestic network using a dedicated router.

All laptops, desktops and servers run a software firewall that is enabled at all times, including when connected behind the boundary firewall. Software firewalls are configured to block inbound connections by default.

All default passwords on boundary firewall devices and routers are changed to strong, unique passwords before deployment. Unauthenticated inbound connections are blocked by default on all firewalls.

No inbound services are exposed to the internet unless there is a documented and approved business requirement. Any approved inbound rules are documented with the business justification, approved by the CEO/Director, and reviewed at least annually. Rules that are no longer required are removed promptly.

Remote administrative access to firewall and router configuration is disabled unless there is a documented business need, in which case it is protected by multi-factor authentication or restricted to a defined set of trusted IP addresses combined with managed password authentication.

All firewall and router configurations are reviewed at least annually to confirm that only necessary rules are active, default credentials have been changed, firmware is up to date and no unnecessary services are exposed.

4. Secure Configuration

Cyber Essentials Technical Control 2: Secure Configuration

All devices are configured securely before use. Default configurations are reviewed and adjusted to remove or disable unnecessary software, services, user accounts and features. Only software required for day-to-day business use is installed.

Only necessary user accounts are maintained on devices and cloud services. Default accounts, guest accounts and any other unnecessary accounts are removed or disabled. All active accounts are reviewed regularly.

All default or vendor-supplied passwords are changed before devices or services are used for business purposes. Replacement passwords meet the authentication standards defined in Section 8 of this policy.

AutoRun and AutoPlay features are disabled on all devices to prevent automatic execution of software from removable media or downloaded files without user authorisation.

All devices that require a user to be physically present are protected by a locking mechanism. Devices lock automatically after a period of inactivity. Unlocking requires authentication via password, PIN (minimum 6 characters) or biometric.

Full disk encryption is enabled on all laptops and desktops to protect data in the event of loss or theft.

5. Security Update Management

Cyber Essentials Technical Control 3: Security Update Management

All operating systems, applications, firmware and plugins must be licensed, supported by the vendor and receiving regular security updates. Unsupported software is removed from all devices or isolated from internet-connected networks.

All high-risk and critical security updates and vulnerability fixes must be applied within 14 days of release. This applies to operating systems, applications, browser extensions, firmware on routers and firewalls, and any other software in scope. Where vendor severity information is not available, all updates are treated as high-risk and applied within 14 days.

Automatic updates are enabled on all devices and software where the option is available. This includes operating system updates, browser updates, application updates and malware definition updates. Where automatic updates are not available, a manual process is followed to check for and apply updates within the required timescale.

Router and firewall firmware is kept up to date. Firmware update availability is checked regularly and critical updates are applied within 14 days of release.

Software that reaches end of life and is no longer supported by the vendor is removed from all devices. If removal is not possible due to a business requirement, the device running the unsupported software is isolated from the internet using a firewall or VLAN.

6. User Access Control

Cyber Essentials Technical Control 4: User Access Control

User accounts are created only after approval by the CEO/Director. Each user is provided with a unique account. Shared accounts are not permitted. Accounts are provisioned with the minimum level of access required for the role (principle of least privilege).

When a new member of staff joins the organisation, accounts are created following the approval process. When a staff member changes role, access permissions are reviewed and adjusted. When a staff member leaves, all accounts and access are removed or disabled promptly, including cloud service accounts, device accounts, email and any remote access.

User accounts and access permissions are reviewed at least annually to confirm they remain appropriate. Any accounts that are no longer required are removed or disabled.

6.1 Administrative Accounts

Separate accounts are used for administrative tasks (such as installing software, changing configurations or managing cloud services) and for standard day-to-day activities (such as email, web browsing and document editing). Administrative accounts are never used for routine activities.

A record is maintained of all users who hold administrative accounts across devices and cloud services. This record is reviewed at least annually. Administrative access is removed when it is no longer required for the user’s role.

Administration of cloud services is carried out using separate administrator accounts that are not used for standard user activities. All cloud administrator accounts are protected by multi-factor authentication.

7. Malware Protection

Cyber Essentials Technical Control 5: Malware Protection

All laptops, desktops and servers run anti-malware software that is configured to update definitions automatically in line with the vendor’s recommendations, prevent malware from executing on detection, scan files on access and download, and warn users when accessing known malicious websites.

Devices are configured to restrict the installation of applications to approved sources. Users are prevented from installing unsigned applications. A list of approved applications is maintained and reviewed regularly.

Mobile devices used for business purposes only install applications from official app stores. Devices are not jailbroken or rooted.

8. Password and Authentication Policy

All passwords must meet at least one of the following technical controls:

  • Multi-factor authentication with a minimum password length of 8 characters and no maximum length restriction
  • A minimum password length of 12 characters with no maximum length restriction
  • A minimum password length of 8 characters with no maximum length restriction, combined with automatic blocking of common passwords using a deny list

All systems are configured to protect against brute-force password attacks using at least one of the following methods: multi-factor authentication, throttling the rate of login attempts (no more than 10 guesses in 5 minutes), or locking accounts after no more than 10 unsuccessful attempts.

A password manager is used to generate and store unique, strong passwords for all accounts. All users are advised to use unique passwords for each work account, avoid common or predictable passwords, use passphrases of three or more random words where appropriate, and never reuse passwords across services. Regular password expiry is not enforced, in line with NCSC guidance.

There is an established process to change passwords promptly when a password or account is known or suspected to be compromised. This includes passwords exposed through a data breach affecting a third-party service, a malware infection on a device, or notification from a vendor of a security weakness.
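The password and brute-force rules above can be checked mechanically. The following is an added example written for this page, not XEROTECH LTD's own tooling: it encodes the three acceptable password controls (MFA with 8+ characters, 12+ characters, or 8+ characters plus a deny list) and a sliding-window throttle of at most 10 failed attempts per 5 minutes per account. The deny list is a constructed five-entry sample; a real deployment would load a much larger published list, and the throttle state would live in a shared store rather than process memory.

```python
"""Section 8 checks as code (added example, not the company's own implementation)."""
from collections import deque
import time

# Constructed sample deny list for illustration only; production systems
# load a large published list of commonly used passwords.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def password_meets_policy(password: str, mfa_enabled: bool, deny_list_enforced: bool) -> bool:
    """Return True if the password satisfies at least one of the three Section 8 controls.

    No maximum length is imposed, matching the policy text.
    """
    length = len(password)
    # Control 1: the account is protected by MFA and the password has 8+ characters.
    if mfa_enabled and length >= 8:
        return True
    # Control 2: 12+ characters with nothing else required.
    if length >= 12:
        return True
    # Control 3: 8+ characters and the password is not on the deny list.
    if deny_list_enforced and length >= 8 and password.lower() not in COMMON_PASSWORDS:
        return True
    return False


class LoginThrottle:
    """Allow at most MAX_ATTEMPTS failed logins per account within WINDOW seconds.

    Failures older than the window are discarded, so a legitimate user regains
    access automatically once the window has passed.
    """

    MAX_ATTEMPTS = 10      # policy: no more than 10 guesses ...
    WINDOW = 5 * 60        # ... in 5 minutes

    def __init__(self, clock=time.monotonic):
        # clock is injectable so the behaviour can be tested without sleeping.
        self._clock = clock
        self._failures: dict[str, deque] = {}

    def _recent_failures(self, account: str, now: float) -> deque:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.WINDOW:
            q.popleft()
        return q

    def allowed(self, account: str) -> bool:
        """True if another login attempt may be processed for this account."""
        return len(self._recent_failures(account, self._clock())) < self.MAX_ATTEMPTS

    def record_failure(self, account: str) -> None:
        now = self._clock()
        self._recent_failures(account, now).append(now)

    def record_success(self, account: str) -> None:
        # A successful login clears the failure history for the account.
        self._failures.pop(account, None)


def attempts_permitted(total_attempts: int) -> int:
    """Count how many of `total_attempts` consecutive failed logins get through.

    Uses a fixed clock so all attempts fall inside one window; returns the number
    of attempts the throttle allowed to be processed (expected: 10).
    """
    throttle = LoginThrottle(clock=lambda: 0.0)
    permitted = 0
    for _ in range(total_attempts):
        if throttle.allowed("demo-account"):
            permitted += 1
            throttle.record_failure("demo-account")
    return permitted


if __name__ == "__main__":
    print(password_meets_policy("eightchr", mfa_enabled=True, deny_list_enforced=False))
    print(attempts_permitted(15))
```

The throttle answers "may this attempt be processed" before any credential check runs, which is the point of the control: the verifier never sees the eleventh guess in the window, regardless of whether the password is right.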

8.1 Multi-Factor Authentication

Multi-factor authentication (MFA) is enabled on all cloud services where available. This applies to both administrator and standard user accounts. MFA is implemented using an authenticator application or hardware security key. If a cloud service does not offer MFA and cannot be configured to link to an identity provider that supports MFA, the service is recorded in the cloud services register with this limitation noted.

9. Data Protection and Privacy

XEROTECH LTD is committed to protecting personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our full Privacy Policy is available at xerotech.io/privacy-policy.

Data is classified into three categories:

  • Public. Description: information intended for public disclosure. Handling: published website content, marketing materials.
  • Internal. Description: information for internal business use. Handling: internal communications, business plans.
  • Confidential. Description: sensitive information requiring the highest protection. Handling: personal data, client data, financial records, credentials.

Confidential data is stored only on encrypted devices or in approved, MFA-protected cloud services. Data is retained only for as long as there is a legitimate business or legal requirement and securely deleted when no longer needed.

10. Cloud Services Security

All cloud services used by the organisation are recorded in the cloud services register. Before adopting a new cloud service, the shared responsibility model is reviewed to understand the division of security responsibilities between the provider and XEROTECH LTD.

The following controls apply to all cloud services:

  • MFA is enabled on all accounts (administrator and user)
  • Strong, unique passwords are used for each service
  • Unnecessary features and integrations are disabled
  • Access permissions follow the principle of least privilege
  • User accounts are reviewed regularly and removed when no longer needed
  • Data stored in cloud services is classified and handled according to Section 9

11. Remote and Home Working

XEROTECH LTD operates with home-based workers. The following controls apply to all remote working:

  • Business devices connect to the internet through a dedicated business router, physically separated from any domestic network
  • Software firewalls are enabled on all devices at all times
  • Only approved, company-managed devices are used to access business data and services
  • Full disk encryption is enabled on all laptops and desktops
  • Devices are physically secured when not in use and never left unattended in public places
  • Public Wi-Fi networks are avoided for accessing business services; if necessary, a VPN is used
  • Screen lock is enabled on all devices and activates after a period of inactivity

12. Incident Response

A cybersecurity incident is any event that compromises, or has the potential to compromise, the confidentiality, integrity or availability of XEROTECH LTD systems, data or services. Examples include unauthorised access to accounts or devices, malware infection, phishing attacks that result in credential disclosure, data breaches, denial of service, and loss or theft of devices.

All suspected or confirmed incidents are reported immediately to the CEO/Director. The response process includes:

  • Containing the incident by isolating affected devices or disabling compromised accounts
  • Assessing the scope and impact of the incident
  • Eradicating the threat by removing malware, closing vulnerabilities or resetting credentials
  • Recovering systems and verifying that they are operating normally
  • Preserving evidence for any required investigation or reporting

If a personal data breach is likely to result in a risk to individuals, the Information Commissioner’s Office (ICO) is notified within 72 hours. Affected individuals are notified without undue delay where required by UK GDPR. Incidents may also be reported to Action Fraud and the NCSC as appropriate.

Following any incident, a review is conducted to identify the root cause, assess the effectiveness of the response and implement improvements to prevent recurrence.

13. Backup and Business Continuity

Business-critical data is backed up using both cloud synchronisation and local external storage. Backups are performed regularly and include documents, emails, configuration data and any other data essential to business operations.

Backup restoration is tested periodically to confirm that data can be recovered successfully. In the event of a major disruption (such as device failure, ransomware or loss of access to cloud services), the organisation will restore from backup, procure replacement hardware if necessary, and restore cloud service access using documented recovery procedures.

14. Supply Chain and Third-Party Security

Before engaging a third-party service provider that will access, store or process company or client data, the provider’s security practices are reviewed. This includes confirming the provider’s security certifications (such as Cyber Essentials, ISO 27001 or SOC 2), understanding the shared responsibility model, reviewing their data processing and breach notification terms, and ensuring appropriate contractual protections are in place.

Third-party access to systems is granted on the principle of least privilege and revoked when no longer required. A full list of our service providers and their data handling practices is available in our Privacy Policy.

15. Acceptable Use

All users of XEROTECH LTD systems must:

  • Use company systems and data only for legitimate business purposes
  • Not install unapproved software on company devices
  • Not disable or circumvent security controls, including firewalls, anti-malware and encryption
  • Not share account credentials with any other person
  • Not connect company devices to untrusted networks without appropriate protection
  • Not store company data on personal devices or unapproved cloud services
  • Report any suspected security incident immediately
  • Lock devices when stepping away and secure them when not in use

16. Physical Security

Devices are stored securely when not in use. Screens are locked when unattended. A clean desk approach is followed to ensure sensitive information is not left visible. Devices containing business data are not left in vehicles or other unsecured locations. At end of life, devices and storage media are securely wiped or physically destroyed before disposal.

17. Training and Awareness

All staff receive cybersecurity awareness training on joining the organisation, covering this policy, phishing awareness, password security, safe use of cloud services and incident reporting. Refresher training is provided at least annually or following a significant change in threat landscape or policy.

The CEO/Director maintains personal cybersecurity competence through ongoing professional development, industry engagement and monitoring of NCSC guidance and threat advisories.

18. Policy Review

This policy is reviewed at least annually by the CEO/Director. Additional reviews are triggered by a cybersecurity incident, a significant change to systems, services or personnel, a change in applicable legislation or regulation, or as part of certification renewal.

Version history:

  • Version 1.0, 15 May 2026: Initial release

19. Contact

For any questions about this policy or to report a security concern:

Email: security@xerotech.io
Address: XEROTECH LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ