+44 800 779 7322
Legal

Security by Design & Assurance Framework

Rebasoft Limited
Registered Office: Albany House, 14 Shute End, Wokingham, Berkshire, RG40 1BJ
Company Number: 06914233
Website: www.rebasoft.net

Effective Date: 24 March 2026
Version: 4.0 (Final – Security by Design & Assurance)

1. Purpose

This document defines the security architecture, technical and organisational controls, and assurance processes implemented by Rebasoft Limited (“Rebasoft”) in the design, development, and operation of its platform.

It is intended to provide technical transparency and assurance to customers, auditors, and regulators.

This document does not constitute a contractual commitment or service specification.

2. Security by Design Framework

Rebasoft applies a security-by-design approach across the full system lifecycle, ensuring that controls are embedded from initial design through to operation and maintenance.

Core Control Principles

  • Least Privilege
    Access is provisioned based on role and business need and reviewed periodically and upon change of role

  • Segregation of Duties
    Administrative, operational, and security responsibilities are separated

  • Defence in Depth
    Controls are implemented across multiple layers including network, system, and application

  • Secure Configuration
    Systems are deployed and maintained using hardened baseline configurations

  • Continuous Monitoring
    Systems and activities are monitored to detect anomalous or unauthorised behaviour

  • Auditability and Traceability
    Security-relevant actions are logged and retained to support investigation and review

3. Security Architecture

Rebasoft is designed using a layered architecture with defined trust boundaries and environment separation.

Architectural Controls

  • Separation of management plane and operational/data plane

  • Segregation of development, test, and production environments

  • Controlled and authenticated communication between system components

  • Use of secure protocols for all inter-system communication

  • Logical segregation of customer data

Deployment Model

The platform may be deployed within:

  • On-premises environments

  • Customer-controlled infrastructure

  • Hybrid environments

Security controls are applied consistently regardless of deployment model.

4. Governance and Risk Management

Rebasoft maintains governance processes to manage security and data protection risks.

Controls

  • Documented information security policies and procedures

  • Defined roles and responsibilities for security and data protection

  • Periodic risk assessments covering systems and data processing

  • Internal review of control effectiveness

5. Data Protection and Lifecycle Management

Rebasoft applies controls to ensure the confidentiality, integrity, and availability of data throughout its lifecycle.

Data Lifecycle Controls

  • Data collection is limited to defined purposes

  • Processing is carried out under documented instructions

  • Data retention is governed by defined retention policies

  • Data is securely deleted or returned upon request or termination

Protection Measures

  • Encryption in transit using TLS 1.2 or higher

  • Encryption at rest using AES-256 or equivalent

  • Logical segregation of customer data

  • Access restricted based on role and function

6. Identity and Access Management

Access to systems and data is controlled through defined identity and access management processes.

Controls

  • Role-Based Access Control (RBAC)

  • Enforcement of least privilege

  • Controlled and monitored privileged access

  • Periodic access reviews and revocation of unnecessary access

  • Defined provisioning and de-provisioning processes

Authentication mechanisms are applied in accordance with system sensitivity.

7. Logging and Monitoring

Rebasoft maintains centralised logging and monitoring capabilities to support detection and investigation.

Logging

  • Recording of user, administrative, and system activity

  • Logging of security-relevant events

  • Protection of logs from unauthorised modification

Monitoring

  • Continuous monitoring of systems and services

  • Detection of anomalous behaviour

  • Alerting and escalation based on defined thresholds

Logs are retained for a defined period to support investigation and compliance.

8. Cryptography and Key Management

Rebasoft implements cryptographic controls to protect data.

Controls

  • Encryption in transit using TLS 1.2 or higher

  • Encryption at rest using AES-256 or equivalent

  • Secure generation, storage, and handling of encryption keys

  • Restricted access to cryptographic material

9. Network and Infrastructure Security

Rebasoft applies controls to secure network and infrastructure components.

Controls

  • Use of secure communication protocols

  • Network segmentation and isolation

  • Restriction of network access based on role and function

  • Monitoring of network activity

10. Vulnerability and Patch Management

Rebasoft operates a structured, risk-based vulnerability management process.

Controls

  • Identification of vulnerabilities through internal and external sources

  • Risk-based prioritisation of remediation

  • Application of security patches within defined timeframes

  • Monitoring of emerging threats and disclosures

11. Secure Development and Change Management

Security is integrated into development and change processes.

Development Controls

  • Secure coding practices

  • Code review prior to release

  • Testing of functionality and security controls

  • Management of third-party components and dependencies

Change Management Controls

  • Documented change management procedures

  • Approval processes for system changes

  • Segregation between development, testing, and production

  • Controlled deployment processes

12. Incident Management

Rebasoft maintains defined procedures for managing security incidents.

Controls

  • Identification and classification of incidents

  • Investigation and impact assessment

  • Containment and remediation

  • Post-incident review

Notification

Where required, customers are notified without undue delay, typically within 24–72 hours, in accordance with legal and contractual obligations.

13. Business Continuity and Disaster Recovery

Rebasoft implements controls to support resilience and recovery.

Controls

  • Backup and recovery procedures

  • Resilient system design

  • Monitoring of system availability

Recovery

  • Defined recovery processes aligned to system criticality

  • Periodic testing of recovery capabilities

14. Supplier and Sub processor Management

Rebasoft manages third-party risk through defined processes.

Controls

  • Due diligence prior to engagement

  • Contractual security and data protection requirements

  • Ongoing monitoring of supplier performance and risk

A current list of Sub-Processors is maintained at:

www.rebasoft.net/subprocessors

15. Data Residency and Transfers

Rebasoft supports deployment models that enable control over data location.

Controls

  • Data is processed within the Customer’s chosen environment

  • Transfers outside the UK are subject to appropriate safeguards

  • Transfers comply with UK GDPR requirements

16. Security Assurance and Testing

Rebasoft maintains assurance processes to validate the effectiveness of controls.

Controls

  • Periodic internal security reviews

  • Independent penetration testing is conducted at defined intervals

  • Continuous monitoring of system security

  • Risk-based remediation of identified issues

17. Personnel Security

Rebasoft applies controls to ensure personnel understand and meet security obligations.

Controls

  • Confidentiality obligations for personnel

  • Access restricted to authorised individuals

  • Security awareness practices

18. Physical Security (Where Applicable)

Where physical infrastructure is used, appropriate controls are applied.

Controls

  • Physical access restrictions

  • Protection of systems and infrastructure

  • Environmental safeguards

19. Shared Responsibility Model

Security is a shared responsibility between Rebasoft and its customers.

Rebasoft Responsibilities

  • Security of platform architecture and controls

  • Protection of data processed within the platform

  • Implementation of technical and organisational measures

Customer Responsibilities

  • Secure configuration and deployment

  • User access management

  • Network and infrastructure security

20. Continuous Improvement

Rebasoft maintains a process of continuous improvement of its security posture.

Controls

  • Monitoring of emerging threats

  • Review and enhancement of controls

  • Incorporation of lessons learned from incidents and assessments

21. Related Documents

22. Contact

legal@rebasoft.net
support@rebasoft.net
+44 0800 799 7322

© Rebasoft Limited. All rights reserved.
Governed by the laws of England and Wales.