Designed to protect your data with clear controls, strong encryption, and secure defaults.
About DoesQA
Registered address:
Fulford House,
Newbold Terrace,
Leamington Spa,
Warwickshire,
United Kingdom,
CV32 4EA
Our team is fully remote but UK-based.
Samuel Smith, Co-Founder.
Automatic updates are enabled wherever possible.
High-risk or critical security updates are applied within 14 days.
Unsupported or end-of-life software is removed.
Certification & Assurance

Cyber Essentials: Certification Held.
Cyber Essentials Plus: Certification Pending.
SOC2: Certification Pending.
ISO 27001: Certification is scheduled for 2026.
To improve our security practices and to give customers confidence in how we handle data.
Yes, our leadership team reviews and approves security controls and documentation on an annual basis.
Devices & Software
We use a mix of Windows, macOS, iOS, and Android devices. All are vendor-supported, patched promptly, and protected by firewalls and malware protection.
No - only vendor-supported versions are used. Devices must be kept current to remain in scope.
Unnecessary software and services are removed or disabled.
Only licensed, supported applications are used.
Cloud services (e.g., Google Workspace, Slack, GitHub) are automatically kept up to date.
Windows and macOS devices use Malwarebytes Endpoint Protection.
Mobile devices are restricted to official app stores (Apple App Store, Google Play).
Browsers and anti-malware tools block access to malicious sites.
Networks & Cloud
No, we’re fully cloud-based. All infrastructure runs on AWS in the UK (eu-west-2).
Contractors’ home/remote networks: secured with WPA2/3 encryption, unique strong passwords, and software firewalls.
AWS cloud networks: managed by the provider with strict access controls.
SaaS: Google Workspace, Slack, GitHub/GitLab, Trello, HubSpot, Xero, and more.
IaaS: AWS.
PaaS: None.
Access & Accounts
All accounts are unique, not shared.
New accounts require management approval.
Accounts are disabled promptly when staff or contractors leave.
Users get standard access by default; admin rights are only granted when necessary and approved at senior level.
Yes - administrators use separate named accounts with MFA, never for day-to-day tasks like email or browsing.
MFA is enforced for Google Workspace and critical systems.
Login attempts are throttled or accounts locked after repeated failures.
Passwords & Authentication
MFA everywhere it’s supported.
Passwords must be at least 12 characters (or 8 with MFA).
Common or guessable passwords are blocked automatically.
Guidance on using long passphrases (e.g. three random words).
Use of password managers is encouraged.
No forced password expiry.
Immediate suspension and password reset.
MFA re-checked.
Logs reviewed for suspicious activity.
Firewalls
All devices use built-in software firewalls (Windows, macOS, iOS, Android).
AWS security groups act as cloud firewalls, blocking inbound traffic by default.
Yes, at least annually or whenever infrastructure changes.
Data & Services
All external services require authentication, with MFA enforced.
Only essential inbound connections (e.g., HTTPS/TLS) are allowed.
Business cases for any inbound rules are documented and approved at board level.
Brute-force protections (throttling and account lockouts) are applied by default via vendor systems.

