Learn how we keep your data secure

Our GDPR standards, security policies, testing and more.

Supplier name

usecure ltd

Company number


Cyber Essentials Certificate

View Certificate

(used to process personal data)


Data Protection Officer

These responsibilities are shared between Charles Preston (CEO) and Ben Pollard - CISSP CEH ISSAP.

General Data Protection Regulation (GDPR)

Here is some key information on how we securely store your data.

1. What we're storing

We store only necessary information, as collected by you. We never store any of your users' credentials that are compromised during a uPhish phishing simulation (visit our FAQ section further down this page to learn more).

2. How we're storing it

We encrypt your data both at rest and in transit, and our site and storage processes are designed for security (you can learn more on how we store your data further down this page).

3. Who can access it

We have extensive internal access controls and regulations for the usecure team, who only have access to data under limited conditions. You are able to restrict admin access to sensitive materials.

4. Our core standards

Our core compliance with the act means that:

  • We have full awareness of where any of your data is being held & when outside of the EU, ensuring appropriate compliance is in place.
  • We ensure that only those who require access to your data are able to & we have the highest level of protection against unauthorised access.
  • We ensure you have the right to view, amend, export or delete any information that we hold on your behalf, including anything held by 3rd party services.
  • We ensure that consent is given during the sign up process for all that use usecure and allowing you to withdraw at anytime.

Frequently asked questions

Based on our self-assessment and that of our external Data Protection Officer, we are currently compliant.

Responsibilities are shared between Charles Preston (CEO) and Ben Pollard - CISSP CEH ISSAP.


Our retention periods are defined by you, you have full control of what data is held on our system and are free to remove or amend anytime.

Within the EU.

Yes, please email support@usecure.io

Yes we do.

Yes, you can find it at https://www.usecure.io/privacy-policy.

We never store any of your users' compromised credentials.

By design, our phishing simulation landing pages do not have any functionality to capture the data entered on the uPhish landing pages, meaning that whatever data they enter will not be tracked or stored in any way.

The landing page will only ever track that the user failed the data entry portion of the test.

Testing, Maintenance and Personal Data Functionality

Here, you'll find details on usecure's testing and maintenance policy, confidentiality obligations and
functionality around personal data.

Testing and maintenance policy

We carry our regular independent penetration tests as well as intermittent testing alongside our release schedule.

Data Protection Policy

You can find information on our Data Protection Policy here.

Written Confidentiality Obligation

All employees are subject to written confidentiality obligations which must be signed at employment data and are reviewed annually.

Identifying, accessing and amending data

Customers have the ability to identify, access and amend their own data within the usecure portal which can only be accessed by authorised individuals in the business.

Deleting data from the application

Data can be deleted from the application by the customer and restored within 7 days, at which point it is removed from the usecure database permanently.

Downloading user information

Customers can also download the user information out of the application for use within their own reporting tool.

IT Security Policies and Measures

These are the means by which we ensure that any electronically stored information is kept secure from unauthorised access
(including encryption, pseudonymisation and use of portable equipment).

Protecting Infrastructure and Hardware

Servers, personal computers and laptops are protected by external attack from
unauthorised access, viruses and Trojan Horses by:

Anti-virus & Cyber Essentials

We have a firewall enabled and VLAN access to our Wi-Fi. We implement Anti Virus and run daily scans on our machines, as well as being a Cyber Essentials accredited business.

Admin rights

Network and individual computer administration rights are controlled through best in class Mobile Device Management (MDM) and are granted on an access role basis.

Hard password policy on all servers, personal computers and laptops

All passwords must be at least seven characters long, and include one capital letter and one number. Users are required to change passwords every calendar month.

Data encryption

We store our info using Amazon Web Services (AWS), who use the 256-bit Advanced Encryption Standard.

SPAM checks

All incoming emails are filtered for SPAM and quarantine for checking before they are delivered onto the network.

Staff Handbook

The Staff Handbook prohibits staff from opening emails or attachments from unknown sources.

No working from personal computers

Staff may not undertake work on personal computers (unless prior agreement has been stated).

Wireless network security

Wireless network is secured via WPA2 / password.

Data Encryption 

AES-256 encryption

All of our data is encrypted at rest with AES-256, block-level storage encryption.

Password encryption 

Passwords are encrypted with bcrypt.

Site traffic encryption 

All traffic on our site is encrypted in transit via TLS 1.2 or TLS 1.3.

Credentials encryption

Credentials for the production database are regularly rotated to ensure access restriction.

Database backup encryption

All backups are stored in AES-256 encrypted S3 buckets.

Physical Security Policies and Measures

This section includes details of our physical security policies and measures, including the disposal of waste.
Consideration is given to the disposal of computers, laptops, memory sticks, disks, etc.


Office security

We operate in a serviced office with turnkey door locks on the internal doors which are locked out of office hours.

Building security

The building requires keyfob entry and reception barrier which are all reviewed independently every 12 months.

Storing physical data

We do not have any physical data in the office and no data is stored locally on any of the physical machines that we use.

Disposal of a computer

The hard drive will be wiped with specialist software or removed and destroyed sufficiently so that information cannot be accessed by an authorised person.

Third-party disposal of data

If a third party is used for the disposal of data, the firm will satisfy itself with their security and staff vetting arrangements.

Business Continuity Policies and Measures

Here, you'll find details of our business continuity policies and measures, including data backup.

Flexible Working & Data Backup

Flexible working environment

usecure operates a flexible working environment including mobile-only devices (e.g., laptops) and cloud-only services. 

Home working policy

usecure also operates a home working policy and we keep no physical data onsite.

Database recovery & manual backup

Database has point-in-time recovery for up to four days, and is manually backed up everyday for a maximum of 30 backups.

Backup storage

All backups are stored in AES-256 encrypted S3 buckets.