Security Statement
Last updated: 15 March 2026
Sitethreesixty is a trading name of Your Home Tech Guy Ltd, a company registered in England and Wales under company number 16884983, with its registered office at 108 Glebelands Rd, Sale, Cheshire M33 6JR, United Kingdom. We also operate through Sitethreesixty LLC in the United States.
We take the security of your data and websites extremely seriously. This Security Statement explains the technical and organisational measures we use to protect client data, websites, and systems. It supplements our Privacy Policy.
1. Our Security Approach
We follow industry best practices and the principles of "defence in depth." All client websites and services are built on enterprise-grade, secure infrastructure with multiple layers of protection.
2. Infrastructure & Core Security
Cloudflare (Primary Platform)
- Global CDN and edge network with 300+ data centres
- Automatic DDoS protection and mitigation
- Web Application Firewall (WAF) with managed rulesets, including the OWASP Core Rule Set, against common web attacks such as injection and cross-site scripting
- Bot management and zero-trust security controls
- TLS encryption for all traffic, with TLS 1.3 negotiated wherever the client supports it
- HTTP Strict Transport Security (HSTS) so browsers refuse to connect over plain HTTP
GitHub (Code & Version Control)
- AES-256 encryption at rest
- Role-based access control with mandatory two-factor authentication (2FA) for every account
- Full audit logging and automated dependency vulnerability scanning (Dependabot alerts)
- SOC 2 Type II audited (attestation report available from GitHub)
Payment Processing
All card payments are processed directly by Stripe, a PCI DSS Level 1 service provider. Card details are entered into Stripe's own payment elements and never pass through or are stored on our systems.
3. Email & Communication Security
We provide secure transactional and client communications through:
- Maileroo – Primary provider for contact forms, notifications, and automated emails (GDPR-compliant; mail is submitted over TLS, and delivered over TLS where the receiving mail server supports it).
- Optional enterprise solutions: Google Workspace or Microsoft 365 (both hold ISO 27001 certification and SOC 2/SOC 3 reports).
Clients may also retain their existing email provider. When we migrate a site's DNS we preserve the existing records, including the MX, SPF, DKIM and DMARC records that mail delivery depends on.
4. Client Portal (360Dash)
- HTTPS-only access with HSTS
- Authenticated access with session expiry and rate limiting against brute-force login attempts
- Access is scoped per client account: a client can only view and manage their own data
- All actions are logged for audit purposes
- Sensitive data encrypted at rest
5. Data Storage & Backup Strategy
- Primary storage: Cloudflare R2 with automatic geo-redundancy
- Daily automated backups retained for a minimum of 30 days
- A second, encrypted off-site copy held in Apple iCloud for disaster recovery
- Restores are tested regularly to confirm that backups are actually usable
- Backups are encrypted using AES-256
6. Encryption Standards
- In transit: TLS for all connections, with TLS 1.3 negotiated wherever the client supports it
- At rest: AES-256 encryption
- Backups: Fully encrypted with secure key management
- Passwords: Never stored in plain text; stored as salted bcrypt hashes
7. Access Control & Least Privilege
- Strict "need-to-know" principle — staff only access data required for their role
- Multi-factor authentication required for all administrative and infrastructure access
- Regular access reviews and prompt revocation when no longer needed
- API keys and tokens are scoped to the minimum permissions needed, rotated regularly, and issued per person or service rather than shared
8. International Data Transfers
Personal data may be shared between Your Home Tech Guy Ltd (UK) and Sitethreesixty LLC (US). We protect these transfers using the UK International Data Transfer Agreement (IDTA) together with a Transfer Risk Assessment. Our key processors (Cloudflare, GitHub, Stripe, etc.) are covered by equivalent approved safeguards.
9. Incident Response & Breach Notification
In the unlikely event of a security incident:
- Automated monitoring and alerting systems enable rapid detection
- We follow a formal incident response plan (contain → investigate → remediate → review)
- We notify the ICO within 72 hours of becoming aware of a reportable personal data breach, and inform affected clients without undue delay, as UK GDPR requires
10. Client Website Security
Every website we build and manage includes:
- TLS certificates at no extra cost, with all HTTP requests redirected to HTTPS
- Modern security headers (Content-Security-Policy, HSTS, X-Frame-Options and related headers)
- Regular security updates and patching
- Server-side input validation and CSRF protection on all forms
- Minimal third-party scripts to reduce attack surface
- Static-first architecture where possible: with no database or server-side code behind most pages, whole classes of attack such as SQL injection have nothing to target
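An added example (not part of this statement and not Sitethreesixty's own tooling) of how the header baseline above can be verified: a small Python check that grades a response's headers against the items listed. The one-year HSTS threshold, the X-Content-Type-Options check standing in for the "related headers", and both sample header sets are assumptions constructed for the example, not captured from a live site.

```python
"""Grade HTTP response headers against the section 10 baseline
(HSTS, Content-Security-Policy, X-Frame-Options).

Added example for this page; thresholds and sample data are assumptions.
"""
from __future__ import annotations

MIN_HSTS_MAX_AGE = 31536000  # one year; commonly recommended minimum (assumption)


def split_directives(value: str) -> dict[str, list[str]]:
    """Split a ';'-separated header value into {name: [tokens]}.

    Handles CSP ("script-src 'self' cdn.example") and HSTS
    ("max-age=31536000; includeSubDomains"); names are lower-cased.
    """
    result: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *rest = tokens
        # HSTS-style "name=value" directive with no spaces
        if "=" in name and not rest:
            name, _, val = name.partition("=")
            rest = [val]
        result[name.lower()] = rest
    return result


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # 1. HSTS: present, long max-age, covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = split_directives(hsts)
        try:
            max_age = int(d.get("max-age", ["0"])[0])
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    # 2. CSP: present, and script sources not wide open
    csp = h.get("content-security-policy")
    frame_ancestors = None
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = split_directives(csp)
        script_src = d.get("script-src", d.get("default-src", []))
        lowered = {s.lower() for s in script_src}
        if not script_src:
            findings.append("CSP has neither script-src nor default-src")
        elif lowered & {"'unsafe-inline'", "*", "data:"}:
            findings.append(f"CSP script sources too permissive: {' '.join(script_src)}")
        frame_ancestors = d.get("frame-ancestors")

    # 3. Clickjacking: frame-ancestors (modern) or X-Frame-Options (legacy)
    xfo = h.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")

    # 4. MIME sniffing: a common companion header (assumed part of "related headers")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# Constructed sample responses (not captured from a real site)
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_headers(hdrs) or "baseline met")
```

The check deliberately accepts either `frame-ancestors` or `X-Frame-Options`, because modern browsers ignore `X-Frame-Options` when a CSP `frame-ancestors` directive is present, so a site that sets only the legacy header is still protected but one that sets neither is not.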
11. Third-Party Providers
We only work with providers that meet high security standards. Key independent attestations and certifications include:
- Cloudflare: SOC 2 Type II report, ISO 27001 certification, PCI DSS Level 1 service provider
- GitHub: SOC 2 Type II report, ISO 27001 certification
- Stripe: PCI DSS Level 1 service provider, SOC 2 report
- Maileroo: GDPR-compliant data processing terms; Google Workspace and Microsoft 365: ISO 27001 certification and SOC 2/SOC 3 reports
We remain responsible for our own security measures but are not liable for the independent security practices of third-party providers beyond our contractual agreements with them.
12. Your Rights & Data Retention
For information about data retention periods and how to exercise your GDPR rights (access, deletion, etc.), please see our Privacy Policy.
13. Contact Us
For security questions, to report a vulnerability, or for any security-related concern:
Email: admin@sitethreesixty.com
We treat all vulnerability reports seriously and aim to respond within 48 hours.