Security Policy

Organisation Name: THE MINDFUL BREW CO LTD
Address: 12 Sheardale, Honley, Holmfirth, England HD9 6RU
Version: 1.0
Effective Date: 24/10/2025
Approved by: Jon Barnes / Sam Smith

  1. Purpose

    The purpose of this policy is to protect The Mindful Brew Co’s information assets against internal, external, deliberate or accidental threats, and ensure business continuity by safeguarding confidentiality, integrity and availability of data.

  2. Scope

    • All employees, contractors and third parties
    • All systems, cloud services and equipment owned or operated by the company
    • All data processed, stored or transmitted by the company

  3. Information Security Objectives

    • Protect company and customer data
    • Prevent unauthorised access and data breaches
    • Comply with UK GDPR and Data Protection Act 2018

  4. Roles and Responsibilities

    • The Information Security Lead is responsible for enforcing this policy
    • All staff must report security incidents immediately
    • Third parties must adhere to contracted data protection terms

  5. Data Classification

    • Public: Approved for public release
    • Internal: Business operational data
    • Confidential: Customer, supplier or employee data
    • Restricted: Sensitive commercial or legal data

  6. Access Control

    • Access granted based on role (principle of least privilege)
    • Strong passwords and multi-factor authentication required
    • Shared accounts are prohibited

  7. Data Protection & Privacy

    • Personal data processed lawfully, fairly and transparently
    • Data minimisation and retention limits apply
    • Secure destruction of data when no longer required

  8. Physical & Device Security

    • Company devices must use encryption and password protection
    • Lost or stolen devices must be reported immediately
    • No unauthorised storage of data on personal devices

  9. Cloud & Third-Party Security

    • Only approved services may be used (e.g. Shopify, Google, Stripe)
    • Third parties must meet security and compliance requirements
    • Data sharing agreements required before sharing any data

  10. Incident Management

    • All security incidents must be reported immediately
    • Data breaches must be assessed and reported as required by UK GDPR
    • Breaches reported to the ICO within 72 hours if required

  11. Business Continuity

    • Critical data is backed up regularly
    • Disaster recovery plans exist for major outages

  12. Training & Awareness

    • Employees must follow cyber security best practice
    • Staff receive regular awareness guidance

  13. Policy Review

    • This policy is reviewed annually or after major changes

Signed:
The Mindful Brew Co Ltd
24/10/2025