Meeting the government’s 14 Cloud Security Principles.


Consumer data transiting networks should be adequately protected against tampering and eavesdropping. This should be via a combination of network protection and encryption.

  • All customer-facing servers negotiate a secure session using TLS with client machines, securing the data in transit.

  • This applies to various protocols such as HTTPS/HTTP2, that are used by clients on any device.

  • Data transiting networks have strong encryption using TLS1.2 across all workloads. The use of TLS establishes a highly secure client-to-server connection to help provide data confidentiality and integrity between the desktop and the data centre.


Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

  • For government data, we use datacentres in Paris and Amsterdam, and provide the additional assurance of complying with EU model clauses in order meet data protection legislation.

  • Customer data is not stored outside of the EEA.

  • Our world-class data centre security is evidenced by compliance with the ISO-27001 information security standards.

  • Customer authored Data is encrypted at rest for all cloud services.

  • When hard disks are taken out of service they are demagnetised and destroyed on site by our IaaS partner.

  • Additionally, we store data in two geographically dispersed data centers to provide high levels of availability.


Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.

  • Customers are logically separated at the application layer.

  • We conduct ongoing penetration tests of our environment in line with the dynamic nature of the cloud, ensuring that a customer’s data remains private to them.

  • We also conduct annual independent IT security audit.

  • Residual risks are published in our Risk Management and Accreditation Document Set (RMADS) and Residual Risk statement.


The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.

  • We comply with the ISO-27001 information security standard, covering the scope of the service delivered.

  • BONDAP is regularly audited by independent external auditors.


The service provider should have processes and procedures in place to ensure the operational security of the service.

  • Configuration, change management, incident response and protective monitoring are all demonstrated in our compliance with the ISO-27001 information security standard.

  • In addition to our ISO-27001 compliance, and our use of independent 3rd party penetration tests, we operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of our Operational Security Assurance (OSA).


Service provider staff should be subject to personnel security screening and security education for their role.

  • Customer authored data can only be accessed by suitably cleared Engineering and Operation support staff, who would only access real data in the event of a system emergency or with the explicit authorization from the customer.

  • Staff are subject to pre-employment and on-going background check for social security; criminal convictions; nationality and immigration status (right to work); employment history covering at least 3 years.

  • New hires are also subject to education history and employment history checks.

  • Contractors and others who may have access to customer authored data are subject to these same checks.

  • BONDAP conducts security education training on at least an annual basis.


Services should be designed and developed to identify and mitigate threats to their security.

  • BONDAP includes security as part of the product development process and ongoing application maintenance. This is demonstrated by the ISO 27001 certification and is technically validated during the periodic penetration tests.


The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.

  • The majority of technologies used in the delivery of BONDAP’s cloud services are developed in-house.

  • BONDAP applies EU Model Clauses to our services. All of our suppliers must sign and abide by our security controls or declare publicly their compliance with the security principles that our service claims to implement.

  • Our services are certified against the ISO-27001 information security standard.


Consumers should be provided with the tools required to help them securely manage their service.

  • Customers maintain full control over the administration and provisioning of user accounts within the service.

  • Role-based access control can be utilized to define roles and permissions to evidence data and features of the service.

  • The separation and access control within management interfaces is subjected to independent penetration testing.


Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.

  • Username and password policies remain under the customer’s control.

  • Authentication tokens are passed over an encrypted channel.

  • Our services support 2 factor authentication by customer request.

  • BONDAP allows for forces to securely manage their usage of the service commensurate with their security risk profile.


All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.

  • BONDAP conducts annual independent penetration tests.

  • Residual risks are published in our Risk Management and Accreditation Document Set (RMADS) and Residual Risk statement.


The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.

  • We evidence out service administration model with our ISO-27001 certification.

  • BONDAP administers services through secure interfaces. The administrative interfaces are included in scope for the ISO 27001 certification.

  • End-user devices used to manage the service are managed and controlled by BONDAP and configured with a hardened OS, an anti-malware solution and full disk encryption.


Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.

  • Our services provide enhanced capabilities, allowing customers to audit and delegate end-user access within the service offering. Please review the corresponding service descriptions for details.

  • Our services maintain and provide audit records that log the when, who, and what for each entity. These records cannot be edited or changed, even by account administrators. User activity logging is available within the service to monitor users actions and authentication activity.


Consumers have certain responsibilities when using a cloud service in order for their use of it to remain secure, and for their data to be adequately protected.

  • We provide outline guidance as part of a service.

  • Individual devices should be configured in line with CESG’s end user device guidance.

  • BONDAP has many guides available to customers to educate and assist in administrating the service in a safe and secure manner.

  • BONDAP has a professional services and customer support team that can provide onsite or remote assistance related to BONDAP’s services.