Security Policy
How we protect your data and the Bookable platform
This Security Policy is a customer-facing summary of the controls we operate to protect the Bookable platform and the data entrusted to us. It is intended to give Operators and integration partners a view of our security posture. Further detail is available under NDA on request.
Related documents: Master Terms of Service, Data Processing Agreement, Privacy Policy.
1. Our approach
Security is integral to how we build and run Bookable. We operate a documented information security programme, with defined roles and responsibilities, regular risk assessments, and measures designed to protect the confidentiality, integrity, availability and resilience of our systems and our customers' data.
Our programme is aligned with recognised industry frameworks and is kept under continuous review.
2. Governance and policies
- Written information security policy, acceptable use policy, access control policy, incident response plan and business continuity plan.
- Ownership at leadership level, with defined security responsibilities across engineering and operations.
- Policies reviewed at least annually and on any material change.
- Annual risk assessment covering key assets, threats and controls.
- Vendor risk management process including security and data protection assessment of material sub-processors.
3. Certifications and assurance
We are building toward formal third-party certification. Current status:
- [Cyber Essentials / Cyber Essentials Plus — status / target date].
- [SOC 2 Type II — status / target date].
- [ISO 27001 — status / target date].
- Independent penetration testing carried out at least annually by a reputable third party; executive summaries available under NDA.
Note: Certification status must be reviewed and confirmed before publication.
4. Infrastructure and hosting
- Production systems are hosted on Google Cloud Platform (GCP). GCP is certified against ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and SOC 1/2/3.
- Primary hosting region: United Kingdom (or EU where specified for a given Operator or service).
- Physical security of the underlying data centres is the responsibility of the cloud provider; Bookable personnel do not have physical access to host systems.
- Infrastructure is defined as code, version-controlled, and deployed through controlled pipelines.
5. Network and perimeter
- Services exposed to the public internet only where required; internal services use private networking.
- Traffic protected at the edge against distributed denial-of-service (DDoS) attacks.
- Web application firewall and bot mitigation for public endpoints.
- TLS 1.2 or higher enforced for all external traffic; obsolete protocols disabled.
- Network segmentation between environments and workloads.
6. Application security
- Secure software development lifecycle, with code review required for production changes.
- Static analysis and dependency scanning integrated into the build pipeline.
- Regular dependency updates; automated alerts for known-vulnerable packages.
- Hardened container and server configurations.
- Secrets held in a dedicated secrets management service; secrets are not stored in source code.
- Responsible disclosure programme for externally reported vulnerabilities (see section 13).
7. Encryption
- Data encrypted in transit using TLS 1.2 or higher between all components and external endpoints.
- Data encrypted at rest using AES-256 (or equivalent) across our primary datastores, object storage and backups.
- Cryptographic keys managed through cloud key management services with access controls and rotation.
- Payment card data is not stored on Bookable systems; payment processing is handled by PCI DSS-compliant payment providers.
8. Identity and access management
- Role-based access control (RBAC) across the platform and internal systems, with least-privilege principles.
- Multi-factor authentication required for administrative and production access.
- Centralised identity management and single sign-on for internal personnel.
- Access granted on a need-to-know basis; reviewed periodically and revoked promptly on role change or termination.
- Customer-facing platform supports MFA and role-based access for Operator users.
9. Logging and monitoring
- Centralised logging of application, infrastructure and security events.
- Alerting on anomalous and security-relevant events.
- Retention of security logs in line with policy and applicable legal requirements.
- Integrity protection for production logs.
10. Vulnerability and patch management
- Continuous vulnerability scanning of infrastructure and dependencies.
- Defined remediation SLAs based on severity.
- Prompt application of security-relevant patches to production systems.
- Periodic review of system hardening and configuration standards.
11. Business continuity and disaster recovery
- Encrypted, automated backups of production data held in a separate location.
- Tested restore procedures.
- Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets — [RTO: e.g. 4 hours] / [RPO: e.g. 1 hour]. Targets are indicative and may vary by service tier.
- Documented business continuity and disaster recovery plans, reviewed at least annually.
12. Incident response
- Documented incident response plan with defined severity levels, roles and escalation paths.
- On-call engineering rota to triage and respond to incidents.
- Notification of personal data breaches to affected Operators in line with the Data Processing Agreement: without undue delay and in any event within 72 hours of becoming aware.
- Post-incident reviews for material incidents, with tracked remediation actions.
13. Responsible disclosure
If you believe you have identified a security vulnerability in the Services, please report it to security@bookabletech.com. We ask that you:
- Give us a reasonable time to investigate and respond before any public disclosure.
- Avoid accessing, modifying or destroying data that does not belong to you.
- Avoid service disruption or impact on other users.
We will not pursue legal action against researchers who act in good faith and in line with this guidance.
14. People and personnel security
- Background screening proportionate to role and permitted by applicable law.
- Contractual confidentiality and data protection obligations for employees and contractors.
- Security and data protection training on induction and at least annually.
- Defined joiner, mover and leaver processes including prompt revocation of access.
15. Vendors and sub-processors
- Material sub-processors reviewed for security and data protection before engagement.
- Written contracts including confidentiality and, where applicable, data processing terms.
- Current list of sub-processors published at /legal/subprocessors, with advance notice of changes where Operators have subscribed.
16. Data location and transfers
- Primary data location: United Kingdom / European Union.
- Onward transfers outside the UK/EEA, where necessary, are made under an Approved International Transfer Mechanism (for example, the UK IDTA, the UK Addendum to the EU SCCs, or an adequacy decision).
17. Shared responsibility
Strong security is a shared responsibility. You should:
- Use strong, unique passwords and enable multi-factor authentication.
- Restrict administrator access to personnel who need it.
- Keep user roles up to date and promptly revoke access when it is no longer needed.
- Keep your own systems (browsers, devices, endpoints) patched and secure.
- Report any suspected security issue to us without delay.
18. Contact
- Security enquiries and disclosures: security@bookabletech.com
- Privacy enquiries: privacy@bookabletech.com
- Support: support@bookabletech.com
The Bookings Group Limited
Registered in England and Wales with company number 11689193
Registered office: c/o Bright Beany Accounting, Cumberland House, 35 Park Row, Nottingham, England, NG1 6EE
Version: 1.0 | Last updated: 1 March 2026