
NCSC Cloud Security Principles

Version: 2.2
Updated: 20th November 2025

DataPress architecture and operations align with the UK National Cyber Security Centre's Cloud Security Principles framework. This page demonstrates how our platform meets each of the 14 principles established by the NCSC for secure cloud service provision.

For additional technical details, see our Infrastructure Overview and Security Certification pages.

Principle 1: Data in Transit Protection

Data should be adequately protected against tampering and eavesdropping as it transits networks.

All data communications are protected using TLS 1.2+ encryption configured to industry-standard cipher suites aligned with NCSC TLS guidance.

  • External Connections: Cloudflare provides encrypted connections between end users and our platform, terminating TLS at the edge with managed certificates. Cloudflare then establishes encrypted connections to our origin server via SSL/TLS.
  • Internal Communications: Our Node application communicates with DigitalOcean Spaces storage exclusively via HTTPS with certificate-based authentication. Database connections (PostgreSQL and MySQL) occur locally on the same droplet, eliminating network exposure.
  • Authentication: Administrative service access requires authentication. User-facing services authenticate clients through our application layer with username/password; MFA is being rolled out for users with extended privileges. Our platform authenticates to external services (DigitalOcean Spaces) using cryptographic API keys sent over TLS, and TLS certificate validation authenticates the remote service.
  • Single Data Centre: All infrastructure resides within DigitalOcean's LON1 facility, eliminating inter-data-centre transit concerns. No data flows between physical locations.
  • Certificate Management: Cloudflare manages TLS certificates for external connections. DigitalOcean manages certificates for Spaces API endpoints. We maintain private keys only for API authentication tokens.

Principle 2: Asset Protection and Resilience

Data and assets should be protected against physical tampering, loss, damage or seizure.

Our infrastructure operates on enterprise-grade cloud hosting with physical security controls managed by our hosting provider. Data resilience is ensured through automated daily backups retained for 7 days. All backups are encrypted by the cloud provider. Service resilience includes automated monitoring and rapid recovery procedures.

  • Physical Location and Legal Jurisdiction: All infrastructure operates within DigitalOcean's LON1 data centre in London, UK. Data storage, processing, and management occur exclusively within UK jurisdiction, subject to UK law and GDPR as implemented by the Data Protection Act 2018. No data transfers occur outside the UK during normal operations.
  • Data Centre Security: Physical security is provided by DigitalOcean, whose LON1 facility maintains ISO 27001:2013 certification covering physical access controls, surveillance, environmental controls, and equipment security.
  • Data Encryption at Rest: All data is encrypted at rest. DigitalOcean Spaces implements server-side encryption using AES-256-XTS with managed keys. Database storage (PostgreSQL and MySQL) utilizes block-level encryption provided by DigitalOcean's volume encryption. All encryption key management is handled by DigitalOcean's infrastructure.
  • Data Sanitisation and Equipment Disposal: Upon customer account deletion, database tables are dropped and files are deleted from DigitalOcean Spaces storage. DigitalOcean maintains ISO 27001-certified processes for equipment disposal when storage media reaches end-of-life.
  • Physical Resilience and Availability:
    • Backup Strategy: Automated daily backups of all droplets with 7 days retention. Estimated Recovery Time Objective (RTO): 4 hours (including incident response and restoration).
    • Service Monitoring: Continuous monitoring via pm2 process manager, DigitalOcean platform dashboards, and BetterStack alerting for service health, resource utilization, and availability.
    • Infrastructure: Single data centre deployment within DigitalOcean LON1. Cloudflare provides edge caching and DDoS protection. A facility-wide outage would require restoration from backups.

Principle 3: Separation Between Customers

Malicious or compromised customers should not be able to access or affect the service or data of others.

DataPress operates as a Software-as-a-Service (SaaS) application where customers cannot execute custom code. Per NCSC guidance, this use case does not require hardware-backed separation mechanisms.

  • Compute Separation: All customer workloads run within a single shared application instance on our Node.js platform. Customers cannot upload or execute custom code, reducing the attack surface that would require hypervisor-level separation. The application serves multiple customers through a single process with logical separation enforced at the application layer.
  • Storage Separation: Customer data isolation is implemented through application-level access controls.
    • Databases: PostgreSQL tables use customer_id columns to segregate data. All database queries include customer context validation before execution.
    • File Storage: DigitalOcean Spaces uses customer-specific folder paths. The application validates that download requests match the authenticated customer's data before serving files.
  • Network and Access Control: All separation is enforced at the application layer through our authentication and authorization framework. Each request is validated against the authenticated customer context before data access. There is no network-level segmentation between customers.
  • Resource Protection: Rate limiting prevents individual customers from monopolizing system resources. Utilization patterns are analysed regularly so resources can be scaled up to meet demand. Vertical scaling (increasing droplet resources) is our primary capacity management approach; customer sharding across horizontally scaled droplets is available as a secondary approach.

Because DataPress is a SaaS application without custom code execution, application-level separation is appropriate per NCSC guidance. We conduct regular security reviews and penetration testing to validate separation controls.

Principle 4: Governance Framework

The service provider should have a security governance framework coordinating management of the service.

The CEO, Tom Rees (tom@datapress.com), holds direct responsibility for security governance and service operations, functioning as the named executive accountable for information security across the platform. As a focused single-product service, this structure ensures rapid decision-making and direct oversight of all security matters.

  • Governance Framework: Our security governance is documented in our Security Policy, which defines security responsibilities, risk management procedures, and regular review processes. This is supported by our Business Continuity Plan covering service resilience and incident response.
  • Risk Management: Security risks are systematically identified and managed through regular security reviews documented in our Security Policy. This includes monitoring security advisories for our technology stack (Node.js, PostgreSQL, MySQL, DigitalOcean), evaluating emerging threats, and implementing appropriate controls. Technical security controls are validated through penetration testing. Security risks are directly integrated into operational and financial decision-making, including resource allocation for security controls, infrastructure investments, and service development priorities.
  • Regulatory Compliance: The CEO serves as Data Protection Officer, ensuring GDPR compliance as documented in our Data Processing Agreement. We maintain processes for identifying applicable legal and regulatory requirements relevant to UK-based data processing. Our Terms of Service establish acceptable use requirements.
  • Security Contact: Security matters can be reported directly to admin@datapress.com.

Principle 5: Operational Security

Services must be operated and managed securely to impede, detect or prevent attacks.

Operational security is maintained through automated vulnerability management, continuous protective monitoring, documented incident response procedures, and configuration management using Infrastructure as Code.

5.1 Vulnerability Management:

Application dependencies are continuously monitored using Snyk, which automatically scans for vulnerabilities in Node.js packages and third-party libraries. Security patches are prioritized based on severity:

  • Critical/actively exploited vulnerabilities: Immediate assessment and mitigation
  • High severity vulnerabilities: Patched within 7 days
  • Medium/low severity: Addressed in regular update cycles

Operating system security updates are applied automatically on the DigitalOcean droplet. PostgreSQL and MySQL receive periodic security patching as part of scheduled maintenance cycles. Infrastructure renewal procedures ensure systems remain within supported versions.

5.2 Protective Monitoring:

Security monitoring operates at multiple layers:

  • Application Layer: Database query logging and application-level audit trails capture authentication events, data access, and administrative actions
  • Network Layer: Cloudflare's Web Application Firewall provides automated protection against common attack patterns including SQL injection, cross-site scripting, and malicious bot activity
  • Infrastructure Layer: fail2ban protects SSH access. BetterStack monitoring alerts on service availability and system health
  • Log Analysis: Event-driven log review supplements automated monitoring, with detailed investigation triggered by alerts or performance anomalies

5.3 Incident Management:

Our Business Continuity Plan provides the framework for incident response. Standard response approaches for common incident types include:

  • DDoS attacks: Cloudflare filtering with escalation options for volumetric attacks
  • Service compromise: Infrastructure replacement using Infrastructure as Code enables rapid recovery with verified clean configurations
  • Data breaches: Customer notification within GDPR-mandated timescales (72 hours to authorities, without undue delay to affected individuals)

Security incidents and vulnerabilities can be reported to admin@datapress.com.

5.4 Configuration and Change Management:

All application code is managed in Git version control. Changes undergo local testing before deployment. Infrastructure configuration is maintained as Infrastructure as Code, providing version control for infrastructure components and enabling consistent, auditable deployments.

Configuration drift is prevented through immutable infrastructure practices. Service changes affecting customer usage are communicated directly to affected customers with appropriate notice.

Principle 6: Personnel Security

Service provider personnel with access to customer data and systems require high trustworthiness.

6.1 Personnel and Security Culture:

DataPress operates with minimal personnel risk. System administration is performed exclusively by the named CEO who has undergone identity verification and professional background checks appropriate to the role, including prior government sector employment. Operational continuity over fourteen years demonstrates sustained trustworthiness.

The single-administrator model significantly reduces insider risk compared to larger team structures, eliminating the complexity of managing multiple privileged users.

6.2 Technical Controls for Service Administration:

Administrative access is controlled through multi-factor authentication on critical systems (DigitalOcean infrastructure, GitHub, Snyk) and SSH key-based authentication with passphrase protection. All SSH access and code commits are logged.

As a content management system, routine access to customer data is necessary for service operation, development, and customer support. Access is purpose-limited to these operational requirements.

Administrative activity is monitored through system logs and deployment tracking. The single-administrator architecture ensures clear accountability for all system changes.

Principle 7: Secure Development

Services should be designed, developed and deployed to minimize and mitigate security threats.

DataPress follows secure development practices appropriate to a focused SaaS platform, balancing security rigor with operational efficiency.

Development Lifecycle:

Code changes progress through local development with Git version control, followed by automated build and deployment processes. All deployments execute a comprehensive automated test suite, including API correctness validation, before release. Blue/green deployment ensures atomic service updates with rollback capability.

Staging environments are utilized for significant changes requiring customer validation before production deployment.

Supply Chain Management:

Third-party dependencies are actively managed through:

  • Continuous monitoring: Snyk automated scanning identifies vulnerabilities in Node.js dependencies (covered in Principle 5.1)
  • Dependency hygiene: Minimal dependency footprint, prioritizing well-maintained, widely-adopted libraries
  • Timely patching: Security updates applied according to severity-based timescales

Security Testing:

Security validation includes:

  • Automated testing: Test suite validates expected behavior and prevents regressions
  • Penetration testing: Annual security assessments using Burp Suite Professional
  • Vulnerability scanning: Automated and continuous via Snyk integration

Configuration Management:

Application secrets and credentials are managed through environment variables, isolated from source code. Configuration is maintained separately from application code with appropriate access controls.

Production Environment Separation:

Production infrastructure is logically separated from development environments. Deployment processes enforce consistency through automated builds and testing gates before production release.

Principle 8: Supply Chain Security

The supply chain should meet the same security standards as the organization sets for itself.

DataPress infrastructure relies on established third-party providers with appropriate security controls. Customer data flows and supplier responsibilities are clearly defined.

Third-Party Data Access:

Customer data is accessible to the following third parties as part of service operation:

  • DigitalOcean (Infrastructure Provider): Provides compute, storage, and database hosting. All customer data stored on DigitalOcean infrastructure is encrypted at rest. DigitalOcean maintains ISO 27001:2013 certification for their LON1 facility.
  • Cloudflare (CDN and Web Application Firewall): Operates as a proxy layer, handling encrypted traffic between end users and our platform. Cloudflare provides DDoS protection and caching services as an industry-standard security provider.

Third-party services that do not access customer data include: Snyk (code vulnerability scanning), BetterStack (public endpoint monitoring), and GitHub (source code repository).

Shared Responsibility Model:

Security responsibilities are divided between DataPress and infrastructure providers according to our documented shared responsibility model. Cloud providers maintain physical security, infrastructure security, and compliance certifications. DataPress maintains application security, access controls, and incident response capabilities.

Supply Chain Management:

Supplier security is managed through:

  • Selection of established providers with appropriate security certifications and industry recognition
  • Monitoring provider security advisories and service health
  • Regular review of supplier security posture
  • Software dependency monitoring through Snyk (covered in Principles 5.1 and 7)

Principle 9: Secure User Management

Tools should be available for secure management of service use, preventing unauthorized access.

DataPress implements role-based access control with three user types: administrators, editors, and viewers. Account administrators can assign users to specific datasets with appropriate permission levels, including read-only access for viewers who need visibility without modification rights.

Authentication and User Management:

User authentication utilizes WordPress's built-in authentication system with username/password credentials. Account registration is available through the public web interface. Multi-factor authentication is under development and expected within the next quarter. Single sign-on integration is planned for future implementation.

Session management follows WordPress security standards, including secure session tokens and automatic timeout policies.

Management Interfaces:

Customers manage their DataPress service through:

  • Web-based administration portal for user management, permissions, and configuration
  • API access for programmatic user and dataset management
  • Email support (admin@datapress.com) for service requests and account assistance

All access control decisions use the single WordPress-based authorization mechanism, ensuring consistent permission enforcement across the platform.

Provider Access:

DataPress personnel access customer environments through authenticated database connections when providing technical support or resolving service issues, as described in Principle 6.

Principle 10: Identity and Authentication

All access to service interfaces should be constrained to authenticated and authorized identities.

All system access requires username/password authentication with minimum complexity requirements. Sessions automatically expire after 48 hours of inactivity. Password managers are supported through standard browser integration.

Multi-factor authentication is available as a custom implementation for customers with enhanced security requirements. Single sign-on (SSO) integration is planned as part of a comprehensive authentication system modernization scheduled for 2026, which will introduce enterprise-grade identity management capabilities.

Service Identity Authentication:

API credentials are available for programmatic access to DataPress services. Customers can generate and revoke API keys through the web-based management portal. All API authentication occurs over TLS-encrypted channels with certificate validation.

Credential rotation capabilities are under development to support automated lifecycle management of service credentials.

Credential Management:

The user management dashboard enables administrators to quickly add, modify, or remove user access, supporting organizational joiners/movers/leavers processes. User removal immediately revokes all access and invalidates active sessions.

Service Authentication:

All connections to DataPress authenticate the service through TLS certificates managed by Cloudflare, protecting against man-in-the-middle attacks.

Principle 11: External Interface Protection

External interfaces should be identified and defended appropriately.

DataPress exposes the following internet-facing interfaces:

  • Web Application: Public-facing interface serving both unauthenticated public content and authenticated customer applications on the same domain
  • API Endpoints: Documented REST API with both public (unauthenticated) and customer-specific (authenticated) endpoints
  • SSH Administration: Secure shell access to infrastructure on a non-standard port, restricted to key-based authentication with password authentication disabled, protected by fail2ban against brute-force attempts

Database services (PostgreSQL, MySQL) operate on localhost only and are not exposed to external networks.

Interface Protection:

All web traffic routes through Cloudflare's paid tier security services, implementing:

  • Web Application Firewall with OWASP Core Rule Set protecting against SQL injection, cross-site scripting, and common application attacks
  • Rate limiting to prevent abuse and resource exhaustion
  • "Are You Human" challenge pages for suspicious traffic patterns
  • DDoS protection with automatic mitigation
  • HTTP desynchronization attack prevention

Attack Monitoring:

Cloudflare analytics provide visibility into attack patterns and blocked threats. The combination of WAF rules and behavioral challenges has proven effective against volume-based attacks and automated credential stuffing attempts commonly observed in our threat landscape.

Infrastructure management occurs through DigitalOcean's authenticated web console with multi-factor authentication enabled.

Principle 12: Secure Service Administration

Administration systems should follow enterprise good practice, recognizing their high value to attackers.

DataPress administrative access is restricted to a single authorized administrator (CEO), eliminating the complexity and insider risks associated with managing multiple privileged users. This single-administrator model provides clear accountability for all system changes and direct oversight of customer support activities.

Administrative Access Controls:

Administrative infrastructure access requires SSH key-based authentication with passphrase protection. The administrative workstation uses biometric authentication (Touch ID) for device access. All administrative access occurs from a dedicated MacBook Pro used exclusively for service operations.

Customer data access for support purposes occurs through authenticated SSH tunnels to database services. As a single-administrator operation, formal approval workflows are not applicable; all administrative actions are performed by the accountable CEO.

Audit and Change Management:

Administrative activity is tracked through multiple mechanisms:

  • SSH session logging captures infrastructure access
  • Application-level audit logs record user actions and administrative functions
  • All infrastructure and application code changes are version-controlled in Git, providing a complete history of system modifications
  • Infrastructure as Code practices enable auditable, reproducible deployments

Principle 13: Audit Information and Alerting

Customers should be able to identify security incidents and understand how they occurred.

13.1 Audit Information for Customers:

DataPress provides comprehensive audit trails for content and data operations:

  • Content Revision Tracking: Complete history of dataset modifications including field-level changes, timestamps, and the user responsible for each change
  • User Activity Logging: User login history and session information visible through the administrative dashboard
  • Data Access: Content-level operations are logged when they result in data modifications

Audit logs are available through the web interface with browsing and search capabilities. Customers can export audit data in CSV format for external analysis or archival purposes.

Retention and Immutability:

Audit logs are retained within the customer's database for the duration of their service subscription. Audit records are immutable: customers cannot modify or delete audit entries, ensuring integrity for forensic investigations.
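The audit properties described in 13.1 (field-level change records carrying a timestamp and the responsible user, entries that cannot be edited or deleted once written, and a CSV export for external analysis), as an added example that is not DataPress's own code. The record shape, the class and method names, and the use of an in-memory array are assumptions; immutability here is shown with frozen objects and the absence of any update or delete operation, not with whatever database mechanism the platform uses.

```javascript
// Added example (not DataPress's own code): an append-only revision log with
// field-level diffs, frozen entries and an RFC 4180-style CSV export.
// Record shape and names are assumptions for illustration.

// Compare two versions of a dataset's fields and list what changed.
function fieldChanges(before, after) {
  const changes = [];
  for (const field of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (before[field] !== after[field]) {
      changes.push({ field, from: before[field] ?? null, to: after[field] ?? null });
    }
  }
  return changes;
}

class RevisionLog {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;      // injectable clock so timestamps are testable
    this._records = [];  // only ever appended to
  }

  // Record a modification. The stored entry is deep-frozen, and the class
  // exposes no method that edits or removes entries, so callers cannot
  // rewrite history. Returns null when nothing actually changed.
  record(datasetId, userId, before, after) {
    const changes = fieldChanges(before, after);
    if (changes.length === 0) return null;
    const entry = Object.freeze({
      seq: this._records.length + 1,
      at: this.now(),
      datasetId,
      userId,
      changes: Object.freeze(changes.map((c) => Object.freeze(c))),
    });
    this._records.push(entry);
    return entry;
  }

  // Browse entries, optionally for a single dataset; returns a copy of the list.
  entries(datasetId) {
    return this._records.filter((r) => datasetId === undefined || r.datasetId === datasetId);
  }

  // One CSV row per field change. Every value is quoted and embedded quotes
  // doubled, so commas, quotes or newlines inside values cannot break rows.
  toCsv() {
    const q = (v) => `"${String(v ?? "").replace(/"/g, '""')}"`;
    const rows = [["seq", "at", "dataset_id", "user_id", "field", "from", "to"].join(",")];
    for (const r of this._records) {
      for (const c of r.changes) {
        rows.push([r.seq, r.at, r.datasetId, r.userId, c.field, c.from, c.to].map(q).join(","));
      }
    }
    return rows.join("\n");
  }
}

module.exports = { RevisionLog, fieldChanges };
```

Exporting one row per field change rather than one row per revision keeps the CSV flat, so a customer can load it into a spreadsheet or SIEM and filter on a single field or user without parsing nested structures.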

13.2 Security Alerts:

DataPress does not currently provide automated security alerting to customers. Security concerns or suspected incidents should be reported to admin@datapress.com for investigation.

Customers are encouraged to monitor their audit logs for unusual patterns and can implement their own alerting based on exported audit data.

Principle 14: Secure Use of the Service

Cloud providers should help customers meet their data protection responsibilities through secure by design services.

14.1 Security by Design and Default:

DataPress implements security by design through a managed SaaS architecture where security controls are configured and maintained by the service provider rather than requiring customer security expertise.

Default Secure Configuration:

New customer accounts are immediately operational with secure defaults:

  • All infrastructure security controls (TLS, WAF, DDoS protection, encryption at rest) are enabled automatically
  • Users are created with minimal permissions by default, requiring explicit privilege elevation
  • Dataset visibility requires explicit configuration: customers must intentionally specify whether data is private or public
  • Authentication and session management follow secure defaults without customer configuration

Continuous Security Improvements:

Security enhancements are deployed to all customers automatically. When new protective measures are implemented (such as enhanced WAF rules or security patches), they are rolled out across the entire platform, ensuring all customers benefit from improved defenses without requiring action on their part.

Additional information

For specific technical implementation details or additional compliance documentation, please contact our team at support@datapress.com.