Security & assurance

How we meet the 14 Cloud Security Principles.

The NCSC sets out 14 principles for evaluating cloud security. Here's how Bondap meets each one — the same standard behind every B-SAFE system and product.

At a glance
  • EEA data centres (Paris & Amsterdam)
  • Data never leaves the EEA
  • TLS 1.2 everywhere
  • Annual independent pen tests
  • ISO 27001
The 14 principles

Assured, principle by principle.

Summarised from our service definition — full documentation (RMADS and Residual Risk statement) is available to buyers on request.

01

Data in transit protection

  • TLS 1.2 across all workloads and client-to-server sessions.
  • Served over HTTPS / HTTP/2, on any modern device.
02

Asset protection & resilience

  • EEA data centres in Paris and Amsterdam — data never stored outside the EEA.
  • Encrypted at rest; disks demagnetised and destroyed on decommission.
  • Geographically dispersed for availability.
03

Separation between consumers

  • Each customer in a dedicated, logically-separated instance.
  • Ongoing penetration testing and an annual independent security audit.
04

Governance framework

  • ISO 27001 governance covering the full service scope.
  • Regular independent external audits.
05

Operational security

  • Configuration, change, incident and vulnerability management under ISO 27001.
  • Assumed-breach model with protective monitoring and red-team testing.
06

Personnel security

  • Staff vetted — background, right-to-work and history checks.
  • Customer data accessed only by cleared staff, in emergencies or with authorisation.
  • Annual security training for all staff.
07

Secure development

  • Security built into development and maintenance.
  • Validated by periodic penetration tests; ISO 27001 certified.
08

Supply chain security

  • Most technology built in-house; suppliers sign to our security controls.
  • EU Model Clauses applied; ISO 27001 across the supply chain.
09

Secure consumer management

  • Customers control their own user provisioning and administration.
  • Role-based access control; management interfaces independently pen-tested.
10

Identity & authentication

  • Customer-controlled password policies.
  • Authentication over encrypted channels; two-factor available on request.
11

External interface protection

  • Annual independent penetration testing of all external interfaces.
  • Residual risks published in our RMADS and Residual Risk statement.
12

Secure service administration

  • Administration via secure interfaces within ISO 27001 scope.
  • Admin devices hardened, encrypted and anti-malware managed by Bondap.
13

Audit information for users

  • Tamper-proof audit records of when, who and what — uneditable, even by admins.
  • User activity and authentication logging available to you.
14

Secure use of the service

  • Security guidance provided, aligned to NCSC end-user-device guidance.
  • Professional services and support for safe administration.
Accreditations

Independently assured.

  • G-Cloud 14
  • ISO 27001
  • ISO 9001
  • Cyber Essentials Plus
  • CSA STAR
  • NCSC 14 Cloud Security Principles
  • PSN-ready
  • GDPR

Need our security documentation?

We'll share our RMADS, Residual Risk statement and certifications with public-sector buyers on request.