Legal & compliance centre

HLD Group

Encryption policy

Requirements for encryption at rest and in transit.

Last updated: 21 May 2026

Version 1.2 · Review cycle: 365 days · View all frameworks

1. Purpose

This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.

Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.

2. Scope

This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.

Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.

  • Corporate and production information systems
  • Endpoints, mobile devices, and removable media used for company business
  • Collaboration tools, email, and messaging platforms
  • Source code repositories, CI/CD pipelines, and artefact stores
  • Physical offices, co-working facilities, and data centre space under our control

3. Definitions

  • Information asset — any data, system, application, or service that stores, processes, or transmits information
  • Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
  • Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
  • Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
  • Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met

4. Cryptographic standards

HLD Group uses industry-accepted algorithms and configurations. Deprecated protocols (SSLv3, TLS 1.0/1.1, weak ciphers) are disabled on internet-facing and internal services unless formally excepted.

  • TLS 1.2 or higher for data in transit; TLS 1.3 preferred for public endpoints
  • AES-256 or equivalent for data at rest on servers, databases, and backups
  • RSA 2048+ or ECC P-256+ for certificates; SHA-256+ for signatures
  • Prohibition of custom or unpublished cryptography for regulated data

5. Data in transit

All administrative access, API traffic carrying sensitive data, and inter-service communication in production use encrypted channels. Email containing sensitive data uses TLS where supported; highly sensitive content uses approved secure sharing.

  • HSTS on public web properties
  • VPN or Zero Trust access for remote administration
  • Certificate inventory with automated expiry alerting 30 days in advance

6. Data at rest

Production databases, object storage, laptops, and removable media encrypt sensitive data at rest using platform-native or full-disk encryption.

Encryption keys are not stored alongside ciphertext. Cloud provider key management (KMS) or HSM-backed keys are used for production workloads.

7. Key management

Generation and storage

Keys are generated using approved libraries or cloud KMS. Private keys never leave secure stores except for documented rotation procedures.

Rotation and destruction

Data encryption keys rotate at least annually or upon personnel change with key knowledge. Keys are destroyed when data is purged per retention policy.

8. Endpoints and removable media

Company-managed laptops enable full-disk encryption. USB storage of sensitive data requires encrypted devices and explicit approval.

9. Exceptions and compensating controls

Legacy systems unable to encrypt must document risk, network isolation, and monitoring until remediated or decommissioned.

Roles and responsibilities

Executive leadership

The CEO and executive team approve this policy, allocate resources for implementation, and receive quarterly security and compliance summaries.

Chief Information Security Officer (CISO)

The CISO owns the security programme, maintains policies, approves exceptions, and reports material risk to leadership and the board where applicable.

  • Approve standards, run risk assessments, and chair the security steering group
  • Coordinate incident response and regulatory notifications
  • Maintain mappings to SOC 2, ISO 27001, and customer frameworks

IT and engineering

Implement technical controls, operate monitoring, and execute change, backup, and recovery procedures in line with approved standards.

People & culture / HR

Support background checks, onboarding acknowledgements, disciplinary process for policy violations, and offboarding coordination.

All personnel

Complete mandatory training, report suspected incidents within one hour, protect credentials, and follow classification and handling rules.

Enforcement, exceptions, and review

Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.

Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.

This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.

Related frameworks

For contractual attestations or audit packs, contact [email protected].