CMS InfoSec Ltd, trading as Cyber Made Simple, treats privacy and information security as core product requirements — not as an afterthought. This page summarises how we align with UK expectations for data protection and secure delivery of the service. It is informational and does not replace professional legal or compliance advice for your own organisation.
For personal data collection and use, see our Privacy policy. For contractual terms, see Terms of service. For product-facing security declarations and WCAG work, see Accessibility and our public status page.
Data protection (UK)
We design Cyber Made Simple for the United Kingdom context: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we act as a controller, we identify purposes, minimise data, respect individual rights, and document decisions. Where we use processors (for example email, payments, or cloud infrastructure), we work under appropriate terms and safeguards.
You can exercise access, rectification, erasure, restriction, portability and objection rights where they apply. See the Privacy policy and, when signed in, Account → Privacy & data for export and deletion tools.
If you have concerns you cannot resolve with us, you may complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
Security posture
Our security programme is built around common SaaS expectations, including:
- Strong authentication — modern password policies, MFA options, and passkey support where configured for your account.
- Transport security — encryption in transit for browser and API traffic to the application.
- Role-based access in the product — least-privilege defaults for staff, editor and customer admin surfaces; privileged actions audited where the application records them.
- Secrets and sensitive configuration — credentials for integrations and similar material are not exposed in client bundles; sensitive fields are encrypted at rest where the architecture requires it.
- Operational monitoring — health, cron, error and uptime signals to detect and respond to incidents (see Service status).
We do not describe every technical control in public (doing so would help attackers). Customers with specific assurance needs should contact us for proportionate information under NDA where appropriate.
Verifiable credentials
Where we hold specific registrations or certifications, we can surface them in the site footer as short text badges (managed in admin settings) so we never imply endorsements we do not have.
No organisation-specific verification is published on this deployment yet. When your administrator enables trust marks in settings, they will appear in the footer and can be listed here.
Continuous improvement
Laws, threats and expectations evolve. We review policies and controls as the product and supplier stack change. Material updates to how we handle personal data are reflected in the Privacy policy and, where needed, in-product notices.
Last updated: 2026-06-12