Security First

Information Security Policy

TalaStar Digital Ltd is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to us. This policy defines the security principles, controls, and responsibilities that govern how we handle data and operate our systems.

ISO 27001 Principles | UK GDPR | Effective: 10 April 2026 | Version 1.0

Transparency Notice

TalaStar Digital Ltd (Company No. 17060305) is an early-stage technology company. We do not currently hold ISO 27001 certification, Cyber Essentials accreditation, or any formal security certification. This policy adopts the principles of ISO 27001 as a guiding framework, not as a claim of certification. Our security measures are proportionate to our current size, data processing activities, and risk profile. As the company grows, we will pursue formal certification where appropriate and proportionate.

Three Pillars of Information Security

Every security decision at TalaStar Digital is guided by the CIA triad — the internationally recognised foundation of information security.

Confidentiality

Information is accessible only to those authorised to access it. We apply the principle of least privilege — every person and system receives only the minimum access needed to perform their function.

Integrity

Information is accurate, complete, and has not been tampered with. We use checksums, version control, and audit logging to ensure that data remains trustworthy throughout its lifecycle.

Availability

Information and systems are accessible when needed. We use managed cloud infrastructure with built-in redundancy, automated backups, and monitoring to minimise downtime.

Six Security Domains

Our security controls are organised into six domains, each with specific measures proportionate to TalaStar's current operations and risk profile.

Access Control

Principle: Least privilege by default

  • All system access requires authentication — no anonymous administrative access
  • Multi-factor authentication (MFA) enforced on all cloud services and hosting platforms
  • Access credentials are never stored in source code, shared via email, or committed to version control
  • Third-party service access is reviewed quarterly and revoked when no longer needed
  • Database access restricted to application service accounts with minimum required permissions

TalaStar is currently a sole-founder company, so access control is straightforward in practice. These principles are documented now so that they scale correctly as the team grows.

Data Protection

Principle: Encrypt at rest and in transit

  • All data transmitted between users and TalaStar services uses TLS 1.2 or higher encryption
  • Database connections use SSL/TLS encryption — unencrypted database connections are prohibited
  • User passwords are hashed using an industry-standard, salted, adaptive algorithm (bcrypt) — never stored in plaintext
  • Personal data is stored only in services that comply with UK GDPR requirements
  • No real patient data, financial data, or sensitive personal data is currently collected or processed

TalaStar currently processes minimal personal data (account emails and names only). These measures are proportionate to our current data footprint and will be expanded as data processing increases.

Infrastructure Security

Principle: Defence in depth

  • All production services hosted on managed cloud platforms with built-in security controls
  • Application dependencies are monitored for known vulnerabilities using automated scanning
  • Production deployments follow a code review and automated testing pipeline
  • Server configurations are managed through infrastructure-as-code — no manual server modifications
  • Logging enabled on all production services for audit and incident investigation purposes

TalaStar uses managed hosting services (Manus, cloud providers) which handle physical security, network firewalls, and OS patching. We do not operate our own data centres or physical servers.

Network Security

Principle: Zero trust architecture

  • All API endpoints require authentication — no open administrative APIs
  • Cross-Origin Resource Sharing (CORS) configured with an explicit allowlist of trusted origins
  • Rate limiting applied to authentication endpoints to prevent brute-force attacks
  • Webhook endpoints verify signatures before processing any incoming data
  • Content Security Policy (CSP) headers configured to mitigate cross-site scripting (XSS)

Network security is primarily managed by our hosting platform. TalaStar configures application-level security controls within the platform's security boundary.

Application Security

Principle: Secure by design

  • Input validation applied on all user-facing forms and API endpoints
  • SQL injection prevention through parameterised queries (Drizzle ORM)
  • Authentication tokens use signed JWTs with appropriate expiration periods
  • Sensitive operations (payments, data deletion) require re-authentication or confirmation
  • Error messages do not expose internal system details, stack traces, or database schemas

Application security is continuously improved. We do not currently conduct formal penetration testing or third-party security audits — these are planned as the company scales.

Personnel Security

Principle: Trust but verify

  • All persons with access to production systems must acknowledge this Information Security Policy
  • Security awareness is a consideration in all hiring and contractor engagement decisions
  • Access is revoked immediately upon termination of any working relationship
  • The founder maintains sole administrative access to all critical systems
  • Any future employees or contractors will receive security induction before system access is granted

TalaStar is currently a sole-founder company. Personnel security controls are documented for when the team expands. The founder is the only person with access to production systems.

Incident Response Procedure

If a security incident occurs, TalaStar Digital will follow this five-step procedure to contain, investigate, and resolve the incident while meeting our legal obligations.

1. Detection & Identification (within 1 hour of discovery)

Identify the nature, scope, and severity of the incident. Determine what data or systems are affected and whether the incident is ongoing.

2. Containment (within 4 hours of detection)

Take immediate action to limit the impact. This may include revoking access credentials, isolating affected services, or taking systems offline if necessary. Preserve logs and snapshots of affected systems before they are changed or rebuilt, so that the root cause can still be established.

3. Assessment & Notification (ICO notification within 72 hours if required)

Assess whether personal data has been compromised. If a personal data breach meets the threshold under UK GDPR Article 33, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals' rights and freedoms, notify the affected individuals without undue delay (Article 34).

4. Eradication & Recovery (as soon as safely possible)

Remove the root cause of the incident. Restore affected systems from clean backups. Verify that the vulnerability has been addressed before restoring normal operations.

5. Post-Incident Review (within 14 days of resolution)

Document the incident, response actions, and lessons learned. Update security controls and this policy if the incident reveals gaps. Communicate findings to relevant stakeholders.

Honest note: TalaStar has not experienced a security incident to date. This procedure is documented proactively. Because TalaStar is currently a sole-founder company, incident response is the founder's direct responsibility. As the team grows, a formal incident response team with defined roles will be established.

Compliance Frameworks

TalaStar Digital references the following frameworks. We are honest about which we actively comply with, which we aspire to, and which are delegated to our service providers.

UK GDPR: data protection and privacy requirements for personal data processing. Status: Applicable (actively complied with).

PECR 2003: Privacy and Electronic Communications Regulations, covering cookie consent and marketing. Status: Applicable (actively complied with).

ISO 27001: international standard for information security management systems. Status: Aspirational (principles adopted; certification not pursued at current scale).

Cyber Essentials: UK government-backed scheme for baseline cybersecurity. Status: Planned (to be pursued as the company scales).

OWASP Top 10: industry-standard awareness document for web application security risks. Status: Referenced (security measures address applicable risks).

PCI DSS: Payment Card Industry Data Security Standard. Status: Delegated (all payment processing is handled by Stripe, a PCI DSS Level 1 service provider). Delegation reduces but does not remove TalaStar's own obligations as a merchant; the reduced scope applies only while card data is never handled or stored by TalaStar systems.

Report a Security Concern

If you discover a security vulnerability, suspect a data breach, or have any concern about the security of TalaStar Digital's systems, please report it immediately. We take all security reports seriously and will respond within 48 hours.

Security Reports

[email protected]

Subject line: SECURITY — [brief description]

Data Protection Concerns

[email protected]

Subject line: DATA PROTECTION — [brief description]

Policy Approval

This Information Security Policy has been approved by the sole director of TalaStar Digital Ltd and applies to all persons with access to TalaStar Digital's information assets and systems.

Approved by

Kristal Jane Apurado

Founder & Sole Director

Policy Details

Effective: 10 April 2026

Next Review: 10 April 2027

Version: 1.0

TalaStar Digital Ltd | Company No. 17060305 | England & Wales
