Security practices
Our approach
Security measures at Imageplus are defined per engagement. The nature of the services, the data involved, the infrastructure used and the client's regulatory requirements all determine what applies. A hosting engagement for a small organisation and a dedicated platform deployment for a regulated enterprise operate under fundamentally different security arrangements.
What applies to a specific engagement is documented in the applicable SLA, DPA annex or engagement documentation before work starts.
How we operate internally
Regardless of engagement type, Imageplus applies the following to its own operations:
- Access controls based on least privilege across all systems
- Multi-factor authentication on all Imageplus administrative access, verified annually
- Unique credentials per person, no shared accounts
- Access revoked within 24 hours of engagement end
- Sub-processor security posture verified annually as part of our ISMS cycle
- Vulnerability monitoring and patch management on Imageplus-managed infrastructure
- Annual ISMS review
Engagement-specific arrangements
Larger or more complex engagements may include dedicated infrastructure, enhanced monitoring, penetration testing, extended logging, specific RTO and RPO commitments, and formal incident response procedures. These are agreed in writing before work starts and documented in the applicable SLA or DPA annex.
Secure development
For engagements involving custom software development, additional controls apply. These are described on the secure development page.
Audit and evidence
Security reviews are conducted by independent third-party auditors mandated by the client, subject to the conditions set out in the applicable DPA or SLA. Where a client accepts the Trust Center documentation as sufficient, a formal audit may not be required. Full security policies are made available to auditors rather than directly to clients, ensuring confidentiality and professional handling of sensitive operational information.