Cyber Horizon
Back to Legal

Information Security Policy

Cyber Horizon Intelligence Ltd

Last Updated: 6 June 2026 · Version 1.2

Cyber Horizon Intelligence is committed to protecting the confidentiality, integrity, and availability of the information entrusted to us. This policy describes the security controls and practices we operate. We continuously mature our security programme; where a control is being established rather than fully operational, we say so.

1. Security Objectives

  • Confidentiality: Information is accessible only to authorised individuals.
  • Integrity: Information and systems remain accurate and complete.
  • Availability: Services and data are reliably accessible when needed.
  • Compliance: We meet applicable legal, regulatory, and contractual requirements.

2. Infrastructure & Hosting

Cyber Horizon is a cloud-native platform. We do not operate our own data centres; instead we build on established cloud infrastructure providers whose facilities deliver physical security, network protection, redundancy, and DDoS mitigation. Our application is hosted on Vercel and our primary data store is provided by Supabase (running on AWS infrastructure in the European Union by default). We rely on, and inherit, the infrastructure and network security controls of these providers.

3. Data Protection

  • Encryption of data at rest (AES-256), provided by our database platform
  • Encryption of data in transit using TLS
  • Encrypted, managed backups with point-in-time recovery
  • Logical separation of customer data in our multi-tenant architecture

4. Access Control

  • Multi-factor authentication (MFA) available for user accounts
  • Single sign-on (SSO) via SAML/OIDC supported
  • Role-based access control (RBAC) and the principle of least privilege
  • Access reviews and prompt revocation on termination or role change
  • Strong authentication and session-management controls

5. Application Security

  • Secure development practices and peer code review
  • Dependency and vulnerability scanning in our build pipeline
  • Input validation, output encoding, and secure authentication controls
  • Separation of development, staging, and production environments

6. Monitoring & Incident Response

We operate automated application and error monitoring with alerting, and maintain a defined incident-response process covering identification, containment, eradication, recovery, and post-incident review. Incidents are classified by severity (low, medium, high, critical) to drive escalation and response timelines. We are progressively expanding our monitoring coverage as the platform matures.

7. Vulnerability Management & Disclosure

We perform automated dependency and vulnerability scanning, and we are establishing a programme of periodic independent penetration testing. We welcome reports from security researchers — please see our Vulnerability Disclosure Policy or contact security@cyberhorizon.co.

8. Compliance & Certifications

  • UK GDPR and EU GDPR compliance for personal data
  • SOC 2 — working towards (not yet certified)
  • ISO 27001 — aligning our controls and pursuing certification
  • NIST Cybersecurity Framework alignment
  • Security logging and regular internal security reviews

9. Sub-processors

We use a limited set of trusted sub-processors to operate the Service, each bound by appropriate data-protection obligations. Our current sub-processors are listed on our Sub-processors page.

10. Governance

This policy is reviewed at least annually or as needed, approved by senior leadership, communicated to staff, and supported by security awareness training. It will be updated as our security programme matures.

Contact

For questions about this policy or to report a security concern: security@cyberhorizon.co