
Cyber Security Policy (UK)

1. Purpose

This Cyber Security Policy sets out the principles, controls, and responsibilities for protecting the information systems, data, and users of the marketplace website (the “Platform”). The objective is to reduce cyber security risks, protect personal and business data, ensure service availability, and comply with applicable UK laws and regulations.

1. About the Marketplace

GOLDFINCH operates an online platform that enables third-party sellers (“Sellers”) to list and sell goods and/or services to buyers (“Buyers”).
Unless expressly stated otherwise, we are not a party to transactions between Buyers and Sellers.

2. Scope

This policy applies to:

  • The Platform, including web applications, mobile applications, APIs, and supporting infrastructure

  • All employees, contractors, consultants, temporary staff, and third-party service providers

  • All data processed by the Platform, including personal data, payment data, and commercially sensitive information

3. Regulatory and Legal Framework (UK)

The Platform’s cyber security controls are designed to support compliance with:

  • UK GDPR and the Data Protection Act 2018

  • The Network and Information Systems Regulations 2018 (where applicable)

  • Payment Card Industry Data Security Standard (PCI DSS), where payment card data is processed

  • Relevant guidance from the UK National Cyber Security Centre (NCSC)

4. Governance and Responsibilities

4.1 Board and Senior Management

  • Provide oversight of cyber security risk

  • Approve this policy and review it at least annually

  • Ensure adequate resources are allocated to cyber security

4.2 Information Security Lead

  • Maintain and implement cyber security policies and procedures

  • Monitor cyber security risks and threats

  • Coordinate incident response and reporting

4.3 Employees and Contractors

  • Comply with this policy and supporting procedures

  • Complete mandatory cyber security training

  • Promptly report suspected security incidents or weaknesses

5. Risk Management

  • Cyber security risks shall be identified, assessed, and documented at least annually

  • Risk assessments shall consider threats to confidentiality, integrity, and availability

  • Risk treatment plans shall be implemented and tracked to completion

6. Access Control

  • Access to systems and data shall be granted on the principle of least privilege

  • Multi-factor authentication (MFA) shall be used for administrative and privileged access

  • User access rights shall be reviewed regularly and revoked promptly upon role change or termination

7. Data Protection and Privacy

  • Personal data shall be processed in accordance with UK GDPR principles

  • Data shall be classified according to sensitivity and protected accordingly

  • Encryption shall be used for data in transit and, where appropriate, data at rest

  • Data retention and deletion shall follow documented retention schedules

8. Secure Development and Change Management

  • Secure coding practices shall be followed throughout the software development lifecycle

  • Code shall be reviewed and tested prior to deployment

  • Changes to production systems shall follow an approved change management process

  • Security testing (e.g. vulnerability scanning, penetration testing) shall be conducted periodically

9. Infrastructure and Network Security

  • Systems shall be configured in accordance with recognised security hardening standards

  • Firewalls, intrusion detection/prevention, and monitoring tools shall be implemented where appropriate

  • Cloud services shall be configured using security best practices and shared responsibility principles

10. Third-Party and Supplier Security

  • Third-party suppliers shall be subject to security due diligence prior to engagement

  • Contracts shall include appropriate information security and data protection obligations

  • Third-party access to systems shall be restricted and monitored

11. Incident Management

  • A documented Incident Response Plan shall be maintained

  • Security incidents shall be reported immediately to the Information Security Lead

  • Incidents involving personal data shall be assessed for notification to the UK Information Commissioner’s Office (ICO) and affected individuals within statutory timeframes

  • Lessons learned shall be identified and controls improved following incidents

12. Business Continuity and Disaster Recovery

  • Backup procedures shall be implemented and tested regularly

  • Business continuity and disaster recovery plans shall be documented and reviewed

  • Critical services shall have defined recovery time and recovery point objectives

13. Monitoring, Logging, and Audit

  • Security-relevant events shall be logged and monitored

  • Logs shall be protected from unauthorised access and retained in line with policy

  • Periodic audits and reviews shall be conducted to assess compliance with this policy

14. Training and Awareness

  • All staff shall receive cyber security awareness training at induction and periodically thereafter

  • Role-specific training shall be provided where required

15. Policy Compliance and Enforcement

  • Breaches of this policy may result in disciplinary action, contractual remedies, or legal action

  • Exceptions to this policy must be formally documented and approved by senior management

16. Review and Maintenance

  • This policy shall be reviewed at least annually, or sooner in response to significant changes in technology, business operations, or the threat landscape.

  • Policy Owner: Information Security Lead
    Approved By: Senior Management / Board
    Last Review Date: 01/01/2026