
Information Security Management System Overview

Document Owner: Friam Limited
Document Reference: FRM-SEC-001
Version: 1.1
Effective Date: 17 June 2026
Classification: Public
Review Cycle: Annual

1. Introduction

Friam Limited (“we”, “us”, “our”) is the company behind AgentGuard, Ready Vet Staff (VetGuard), HotelGuard, FirmGuard, CareGuard and the EveryGuard family of UK compliance products. We are committed to maintaining the highest standards of information security. This overview describes our Information Security Management System (ISMS), which is aligned with the principles and controls of ISO/IEC 27001:2022.

While we have not pursued formal ISO 27001 certification, our security practices are designed around the principles of this internationally recognised standard. As an early-stage company we apply these controls proportionately to our size and risk; some of the practices described below are aspirational or in progress rather than fully formalised. We continuously review and improve our security posture — this is a regulated-industry product, and our customers’ trust depends on us getting it right.

2. Scope

Our ISMS applies to:

  • All information assets owned, controlled, or processed by Friam Limited
  • All systems used to deliver our services — the marketing site, the agent app, the API, the worker fleet, the customer-verify flow, the trainee surface, and the public Trust pages
  • All personnel, including employees, contractors, and third parties with access to our systems
  • All locations from which our services are delivered or managed

3. Information security policy

Our information security policy is founded on three core principles:

  • Confidentiality — ensuring information is accessible only to authorised individuals
  • Integrity — safeguarding the accuracy and completeness of information, including the cryptographic integrity of signed compliance documents and audit packs
  • Availability — ensuring authorised users have access to information when needed

4. Risk management

We operate a risk-based approach to information security:

  • Risk identification — regular assessment of threats and vulnerabilities
  • Risk assessment — evaluation of likelihood and impact of identified risks
  • Risk treatment — implementation of appropriate controls to mitigate risks
  • Risk monitoring — ongoing monitoring and review of the risk landscape

We review our security risks regularly, and whenever significant changes occur to our systems, processes, or threat landscape.

5. Security controls

5.1 Access control

  • Role-based access control (RBAC) limiting access to a need-to-know basis
  • Unique user identification and authentication
  • Least-privilege, individually-credentialed administrative access (multi-factor authentication is on our security roadmap)
  • Magic-link auth for trainee accounts (no passwords stored, single-use tokens)
  • Account passwords hashed with bcrypt
  • Prompt removal of access when no longer required
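As an added illustration of the magic-link pattern above (example code, not Friam's own; the 15-minute lifetime, the in-memory store and the class and function names are assumptions), the sketch below mints a random token for the e-mailed link, keeps only a SHA-256 digest of it so that a leaked table cannot be replayed as a sign-in link, and refuses both reuse and expired tokens:

```python
"""Single-use magic-link tokens for trainee sign-in (added illustration, not
Friam's code). Assumptions not stated on the page: a 15-minute lifetime, an
in-memory store, and that only a SHA-256 digest of each token is kept."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a link


class MagicLinkStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be exercised in tests
        # digest -> record; the raw token never enters the store
        self._records: Dict[str, dict] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a token to embed in the e-mailed link and return it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = {
            "email": email,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail for a fresh, unexpired token; None otherwise.

        Lookup is by digest, so a stolen copy of the store holds nothing that
        works as a link, and a guessed token has to hit 256 random bits."""
        record = self._records.get(self._digest(token))
        if record is None or record["used"] or self._now() > record["expires"]:
            return None
        record["used"] = True  # single use: a replayed link is refused
        return record["email"]


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("trainee@example.com")  # constructed address
    print("first use:", store.redeem(link_token))    # trainee@example.com
    print("replay:", store.redeem(link_token))       # None
```

Marking a record used rather than deleting it lets a replayed link be logged as a security event instead of silently vanishing; a production store would also purge expired records and bind the link to the requesting session where possible.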

5.2 Cryptography

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for data at rest
  • SHA-256 digests of signed compliance documents and audit packs, so that any alteration after signing is detectable
  • Encryption keys managed through our AWS infrastructure
  • Regular review of cryptographic standards
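The tamper-detection point above, as an added example that is not Friam's code: each file in a pack gets a SHA-256 digest recorded in a manifest, and the manifest itself is sealed, here with an HMAC over its canonical JSON standing in for the signature the page describes. The key, file names and contents are constructed for the example. A bare digest only catches accidental corruption; an attacker who can rewrite the pack can rewrite an unprotected manifest too, which is why the seal is checked first.

```python
"""SHA-256 integrity manifest for an audit pack (added illustration, not
Friam's code). The HMAC seal stands in for the signature the page describes;
the key, file names and contents below are constructed for the example."""
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to the hex SHA-256 of its contents."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Authenticate the manifest so it cannot be rewritten alongside the files.

    Canonical JSON (sorted keys, no whitespace) so the same manifest always
    serialises to the same bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_pack(files: Dict[str, bytes], manifest: Dict[str, str],
                seal: str, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the pack is intact."""
    problems = []
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        problems.append("manifest seal mismatch")
    for name in sorted(set(files) | set(manifest)):
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
        elif name not in files:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), manifest[name]):
            problems.append(f"modified: {name}")
    return problems


# Constructed sample pack and key (example only)
SEAL_KEY = b"example-only-key-not-for-production"
SAMPLE_PACK = {
    "policy.md": b"AML policy v3\n",
    "training-record.csv": b"name,date\nA. Trainee,2026-06-01\n",
}


def demo():
    manifest = build_manifest(SAMPLE_PACK)
    seal = seal_manifest(manifest, SEAL_KEY)
    intact = verify_pack(SAMPLE_PACK, manifest, seal, SEAL_KEY)
    # One byte of one file changed after sealing
    tampered = dict(SAMPLE_PACK, **{"policy.md": b"AML policy v3 (edited)\n"})
    edited = verify_pack(tampered, manifest, seal, SEAL_KEY)
    # Attacker also rewrites the manifest entry but cannot recompute the seal
    forged_manifest = build_manifest(tampered)
    forged = verify_pack(tampered, forged_manifest, seal, SEAL_KEY)
    return intact, edited, forged


if __name__ == "__main__":
    print(demo())  # ([], ['modified: policy.md'], ['manifest seal mismatch'])
```

With a real signature in place of the HMAC, the verifier needs only the public key, so a customer or auditor can check a pack without holding any secret.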

5.3 Physical security

  • Cloud infrastructure hosted in AWS data centres covered by SOC 2 Type II attestation
  • No on-premises servers containing customer data
  • Secure disposal of any physical media containing sensitive information

5.4 Operations security

  • Version-controlled code and a documented deploy process
  • A production environment kept separate from development
  • Endpoint protection on development machines
  • Automated database backups with point-in-time recovery
  • Application and security-event logging

5.5 Communications security

  • Network segregation and firewalls
  • Secure configuration of all network services
  • Encrypted communications for all sensitive data

5.6 Supplier relationships

  • Security requirements in supplier contracts
  • Regular review of supplier security practices
  • Data processing agreements with all sub-processors

6. Asset management

We maintain an inventory of information assets including:

  • Data assets and their classification
  • Software and hardware assets
  • Cloud services and subscriptions

All assets are assigned owners responsible for their security throughout their lifecycle.

7. Human resource security

As a small team, we apply personnel security proportionately. Where we engage staff or contractors with access to sensitive data, we:

  • Put confidentiality obligations in place
  • Set clear security responsibilities
  • Grant access on a least-privilege basis and remove it promptly when no longer needed
  • Carry out background checks where appropriate to the role

8. Incident management

Our incident management process includes:

  • Clear incident reporting channels
  • Defined incident response procedures
  • Incident classification and prioritisation
  • Root cause analysis and lessons learned
  • Communication protocols for stakeholder notification

Security incidents are triaged and escalated promptly on detection. Data breaches are handled in accordance with UK GDPR notification requirements, including the 72-hour ICO notification rule where it applies.

9. Business continuity

  • Automated daily database backups with point-in-time recovery (AWS RDS)
  • Documented recovery procedures for critical systems
  • Public Trust pages and WordPress-plugin Trust packs are cached, so subscriber-facing pages remain available during a brief backend outage

10. Compliance

Our ISMS supports compliance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Money Laundering Regulations 2017 (MLR 2017) record-keeping rules
  • Proceeds of Crime Act 2002 confidentiality requirements

11. Cloud security (AWS)

Our infrastructure is hosted on Amazon Web Services (AWS) in the London region (eu-west-2). AWS maintains numerous certifications and attestations including:

  • ISO 27001, 27017, 27018
  • SOC 1, 2, and 3
  • PCI DSS Level 1
  • Cyber Essentials Plus

We implement AWS security best practices including:

  • AWS Identity and Access Management (IAM) with least privilege
  • VPC configuration with private subnets for sensitive resources
  • AWS CloudTrail for audit logging
  • Encryption of data at rest using AWS-managed encryption

12. Continuous improvement

We are committed to continually improving our ISMS through:

  • Regular internal audits and security assessments
  • Management reviews
  • Monitoring of security metrics
  • Keeping abreast of emerging threats and best practices
  • Feedback from security incidents and near-misses

13. Contact

For questions about our information security practices, please contact:

Security contact
Email: legal@everyguard.uk